Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2023, 12:05
Static task: static1
Behavioral task: behavioral1
- Sample: b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe
- Resource: win10v2004-20230703-en
General
- Target: b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe
- Size: 839KB
- MD5: 2f0f3501e75807204f2a215c99eff42b
- SHA1: d5b2da2d56009801643eace5069ff77b8419cee6
- SHA256: b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9
- SHA512: 01fc9ff907ece489d7f307197a2b2d1dd53ff15a3d6b33fbf8a349bea4ce88d4cce9fc582932eb5d1f45219d0011285a6c5bc72798f08e551a9c69a346901f9a
- SSDEEP: 24576:1ymZ+HfQSeDGLM0r++UkHLgemkHlSN0AxxUd:QmZORJL3ZH8etlSN1xx
Malware Config
Extracted
- redline
- lang
- 77.91.124.73:19071
- auth_value: 92c0fc2b7a8b3fc5a01baa1abf31c42a
Signatures
- Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00070000000230a9-166.dat | healer
  behavioral1/files/0x00070000000230a9-167.dat | healer
  behavioral1/memory/2188-168-0x0000000000FC0000-0x0000000000FCA000-memory.dmp | healer
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a6667273.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a6667273.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a6667273.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a6667273.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a6667273.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a6667273.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (7 IoCs)
  pid | Process
  3152 | v5667548.exe
  4136 | v3662853.exe
  3872 | v9856061.exe
  368 | v6173771.exe
  2188 | a6667273.exe
  3464 | b3197717.exe
  2096 | c2293038.exe
- Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a6667273.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v5667548.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v3662853.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v9856061.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v6173771.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2188 | a6667273.exe
  2188 | a6667273.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2188 | a6667273.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 4348 wrote to memory of 3152 | 4348 | b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe | 81
  PID 4348 wrote to memory of 3152 | 4348 | b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe | 81
  PID 4348 wrote to memory of 3152 | 4348 | b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe | 81
  PID 3152 wrote to memory of 4136 | 3152 | v5667548.exe | 82
  PID 3152 wrote to memory of 4136 | 3152 | v5667548.exe | 82
  PID 3152 wrote to memory of 4136 | 3152 | v5667548.exe | 82
  PID 4136 wrote to memory of 3872 | 4136 | v3662853.exe | 83
  PID 4136 wrote to memory of 3872 | 4136 | v3662853.exe | 83
  PID 4136 wrote to memory of 3872 | 4136 | v3662853.exe | 83
  PID 3872 wrote to memory of 368 | 3872 | v9856061.exe | 84
  PID 3872 wrote to memory of 368 | 3872 | v9856061.exe | 84
  PID 3872 wrote to memory of 368 | 3872 | v9856061.exe | 84
  PID 368 wrote to memory of 2188 | 368 | v6173771.exe | 85
  PID 368 wrote to memory of 2188 | 368 | v6173771.exe | 85
  PID 368 wrote to memory of 3464 | 368 | v6173771.exe | 94
  PID 368 wrote to memory of 3464 | 368 | v6173771.exe | 94
  PID 368 wrote to memory of 3464 | 368 | v6173771.exe | 94
  PID 3872 wrote to memory of 2096 | 3872 | v9856061.exe | 95
  PID 3872 wrote to memory of 2096 | 3872 | v9856061.exe | 95
  PID 3872 wrote to memory of 2096 | 3872 | v9856061.exe | 95
Processes (nested by parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2d24b231d7f3eed7b517f38077ecb890957c334dda06da0a016caa5a15c6cc9.exe"
  PID: 4348
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5667548.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5667548.exe
    PID: 3152
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3662853.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3662853.exe
      PID: 4136
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9856061.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9856061.exe
        PID: 3872
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6173771.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6173771.exe
          PID: 368
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6667273.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6667273.exe
            PID: 2188
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3197717.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3197717.exe
            PID: 3464
            - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2293038.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2293038.exe
          PID: 2096
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution: 1
    - Registry Run Keys / Startup Folder: 1
  - Create or Modify System Process: 1
    - Windows Service: 1
Downloads