Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2023, 20:08
Static task: static1
Behavioral task: behavioral1
Sample: ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe
Resource: win10v2004-20230703-en
General
Target: ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe
Size: 505KB
MD5: 48afb85a07c02347c97a29ea9edf4b44
SHA1: f51b36e8fdfe14f001f7f5cd003291ddae59556f
SHA256: ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5
SHA512: 3fcd81fc5f91b3ce5b7fecff60ac70fe16c3008272e5f1add64f20edbf7f83c234c915c234a1c93812959eb70cfc8e3e0558c487278e84cda443ba9b59ae6994
SSDEEP: 12288:IMrVy90v7/1yLRRymj0s7RsL6Rb9Hr7zjKeKIQ+AMeBw8:9yC7/1gDHj0sL5r7fKe/V7e+8
Malware Config
Extracted
Family: redline
Botnet: meson
C2: 77.91.124.54:19071
auth_value: 47ca57ebe5c142c9ad4650f71bf57877
Signatures

Detects Healer an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00060000000231b6-155.dat | healer
  behavioral1/files/0x00060000000231b6-156.dat | healer
  behavioral1/memory/1504-157-0x0000000000500000-0x000000000050A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | h3020925.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h3020925.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h3020925.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h3020925.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h3020925.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h3020925.exe

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
  pid | Process
  4912 | x1552228.exe
  2296 | x7969161.exe
  5084 | g6059879.exe
  1504 | h3020925.exe
  1716 | i4616181.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | h3020925.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x1552228.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x7969161.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1504 | h3020925.exe
  1504 | h3020925.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1504 | h3020925.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 860 wrote to memory of 4912 | 860 | ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe | 82
  PID 860 wrote to memory of 4912 | 860 | ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe | 82
  PID 860 wrote to memory of 4912 | 860 | ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe | 82
  PID 4912 wrote to memory of 2296 | 4912 | x1552228.exe | 83
  PID 4912 wrote to memory of 2296 | 4912 | x1552228.exe | 83
  PID 4912 wrote to memory of 2296 | 4912 | x1552228.exe | 83
  PID 2296 wrote to memory of 5084 | 2296 | x7969161.exe | 84
  PID 2296 wrote to memory of 5084 | 2296 | x7969161.exe | 84
  PID 2296 wrote to memory of 5084 | 2296 | x7969161.exe | 84
  PID 2296 wrote to memory of 1504 | 2296 | x7969161.exe | 85
  PID 2296 wrote to memory of 1504 | 2296 | x7969161.exe | 85
  PID 4912 wrote to memory of 1716 | 4912 | x1552228.exe | 93
  PID 4912 wrote to memory of 1716 | 4912 | x1552228.exe | 93
  PID 4912 wrote to memory of 1716 | 4912 | x1552228.exe | 93
Processes
Process tree (the bracketed number is the depth in the tree; each entry lists image path, command line, PID and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ed21b58153556f6615131adb99259c8a572b90000bbf016288cc7600a238b9a5.exe"
    PID: 860
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1552228.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1552228.exe
        PID: 4912
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7969161.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7969161.exe
            PID: 2296
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6059879.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6059879.exe
                PID: 5084
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3020925.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3020925.exe
                PID: 1504
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4616181.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4616181.exe
            PID: 1716
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 373KB
MD5: 6f4139d2eab17af58c054d19c1e38beb
SHA1: 2c496a8192afe2da624ca433cb83d19bc155ccf7
SHA256: bdaac42611a1a3951d0bd0460a6fc6a89770b860c741862750b9f298630a3ee4
SHA512: 157c10af4d204258e78f003e051a760b81074ed13fe816c375f27c97c06b1fc5ec71a51856fddf477afb2c62d196e6e9275555ca787c6920adbf902b5a473c07

Filesize: 175KB
MD5: d773caa73c07276cad9612d6a64034ba
SHA1: 13bb7253455c4308414b2ef5b7a85458bf6cb495
SHA256: c9e80a7c1661a71c14219183fef2c1ba482f5fd80070d6a6580ebd9b85a6570e
SHA512: 275e388197db32ba6d22e8683e49174e0e14a4fde9048be2c4469b287b7cfb70d8d57cd66bd4ce35d230d0d7c7c54498675d6a607067bf46b9f332b356a33dd7

Filesize: 217KB
MD5: 4be78428622f5ef401efe0079efd4cfb
SHA1: b0475f14bbe4b55e079d4104f6c23b5b1224afe9
SHA256: c961bf7ec7237ce6c7dbaf923f56399e936bfd5720e42fd184a6bbf85fafc478
SHA512: 061fd8a05f36cdb080ef45a79261409137bf88f45307a53872e94836cbb668b51fe1133f581ff37b90939e789759be0c42f217a4e508138d30ebe4d477bc1a41

Filesize: 140KB
MD5: 8f6cbd407dffba25f4bc8645d72d271c
SHA1: 43bccbe1978f4026307dc0ef693ebd5c540d3de4
SHA256: 45aacafc3272cbf8f495c5531d6a6001c0f998b1f37ae6127e298d2e870a8d2a
SHA512: 8e7adf6e290613debe49367b7fec810d575ef0a6ea79cb0cc2f888e9012ae80e8fb4a84aa2de783d3ef5b73cced2a177af7dfea8d89f7f2734f4a53142d7cfa6

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91