Analysis
Max time kernel: 146s
Max time network: 157s
Platform: windows10-1703_x64
Resource: win10-20230703-en
Resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 20/08/2023, 16:21
Static task: static1
Behavioral task: behavioral1
Sample: 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
Resource: win10-20230703-en
General
Target: 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
Size: 741KB
MD5: ddf122221d42677c05ef04a08567fb76
SHA1: 53ba05ba4158a12f5caf0c287a1b289068e6b249
SHA256: 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499
SHA512: a0d09e6b6a3409b6341ac2d8f3ac7c226f9a066302e2c01f92da9e9a7202088d7cbc59738578cbab8893ff996f03b8911a9a8b3ad761c9c738d3c7e6fa0486d5
SSDEEP: 12288:mMrKy9031bLUakQlqez64MuveulPzs9iuPRXehLHhPiX6o0gyoB:oyq7lqez6ulXoehDhq60
Malware Config
Extracted
Family: redline
Botnet: chang
C2: 77.91.124.73:19071
Attributes:
  auth_value: 92b880db64e691d6bb290d1536ce7688
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
resource | yara_rule
behavioral1/memory/3992-151-0x00000000001E0000-0x00000000001EA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | r0042912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | r0042912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | r0042912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | r0042912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | r0042912.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
pid | Process
600 | z4990998.exe
4928 | z4826169.exe
4704 | z2848690.exe
3992 | r0042912.exe
3308 | s1002460.exe
2396 | t8876970.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | r0042912.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | r0042912.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z4990998.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z4826169.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z2848690.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3992 | r0042912.exe
3992 | r0042912.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3992 | r0042912.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 3176 wrote to memory of 600 | 3176 | 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe | 70
PID 3176 wrote to memory of 600 | 3176 | 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe | 70
PID 3176 wrote to memory of 600 | 3176 | 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe | 70
PID 600 wrote to memory of 4928 | 600 | z4990998.exe | 71
PID 600 wrote to memory of 4928 | 600 | z4990998.exe | 71
PID 600 wrote to memory of 4928 | 600 | z4990998.exe | 71
PID 4928 wrote to memory of 4704 | 4928 | z4826169.exe | 72
PID 4928 wrote to memory of 4704 | 4928 | z4826169.exe | 72
PID 4928 wrote to memory of 4704 | 4928 | z4826169.exe | 72
PID 4704 wrote to memory of 3992 | 4704 | z2848690.exe | 73
PID 4704 wrote to memory of 3992 | 4704 | z2848690.exe | 73
PID 4704 wrote to memory of 3992 | 4704 | z2848690.exe | 73
PID 4704 wrote to memory of 3308 | 4704 | z2848690.exe | 75
PID 4704 wrote to memory of 3308 | 4704 | z2848690.exe | 75
PID 4704 wrote to memory of 3308 | 4704 | z2848690.exe | 75
PID 4928 wrote to memory of 2396 | 4928 | z4826169.exe | 76
PID 4928 wrote to memory of 2396 | 4928 | z4826169.exe | 76
PID 4928 wrote to memory of 2396 | 4928 | z4826169.exe | 76
Processes

C:\Users\Admin\AppData\Local\Temp\98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe"
PID: 3176
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4990998.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4990998.exe
    PID: 600 (child of 3176)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4826169.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4826169.exe
        PID: 4928 (child of 600)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2848690.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2848690.exe
            PID: 4704 (child of 4928)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0042912.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0042912.exe
                PID: 3992 (child of 4704)
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1002460.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1002460.exe
                PID: 3308 (child of 4704)
                - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8876970.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8876970.exe
            PID: 2396 (child of 4928)
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads