Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/08/2023, 23:25
Static task: static1
Behavioral task: behavioral1
- Sample: bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
- Resource: win10v2004-20230703-en
General
- Target: bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
- Size: 828KB
- MD5: 8b5019f7eeb01c17088e92b98b5e953c
- SHA1: d64e1762cec1af4d2d39155725707479077531af
- SHA256: bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb
- SHA512: 9bd607c4612f0d70b1e94484a7a9f8eb39e19d10b88d19079c1bdd5a2c1b34dfde9b959054ab80f521dbde04325857ceda7859f462d027565fc43b93493084dc
- SSDEEP: 12288:GMrwy90FCcA+hql0H9mkDvSyqiptHNm8XLNFzj4eICgMeHKWgnP6ZsBY1qBpsf:ay0CcvMGkkrSyfnIu5KeIC7HWgycq
Malware Config
Extracted
- Family: redline
- Botnet: rota
- C2: 77.91.124.73:19071
- auth_value: 320c7daa59eb9b82e20a15162392a756
Signatures
- Detects Healer an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000002308d-166.dat | healer
  behavioral1/files/0x000700000002308d-167.dat | healer
  behavioral1/memory/4868-168-0x00000000000D0000-0x00000000000DA000-memory.dmp | healer
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a0742905.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a0742905.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a0742905.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a0742905.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a0742905.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a0742905.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (7 IoCs)
  pid | Process
  224 | v3080858.exe
  1152 | v5406472.exe
  2312 | v8345698.exe
  4608 | v9670626.exe
  4868 | a0742905.exe
  3896 | b4576786.exe
  3848 | c3632568.exe
- Windows security modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a0742905.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v9670626.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3080858.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5406472.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v8345698.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4868 | a0742905.exe
  4868 | a0742905.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4868 | a0742905.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 2936 wrote to memory of 224 | 2936 | bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe | 81
  PID 2936 wrote to memory of 224 | 2936 | bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe | 81
  PID 2936 wrote to memory of 224 | 2936 | bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe | 81
  PID 224 wrote to memory of 1152 | 224 | v3080858.exe | 82
  PID 224 wrote to memory of 1152 | 224 | v3080858.exe | 82
  PID 224 wrote to memory of 1152 | 224 | v3080858.exe | 82
  PID 1152 wrote to memory of 2312 | 1152 | v5406472.exe | 83
  PID 1152 wrote to memory of 2312 | 1152 | v5406472.exe | 83
  PID 1152 wrote to memory of 2312 | 1152 | v5406472.exe | 83
  PID 2312 wrote to memory of 4608 | 2312 | v8345698.exe | 84
  PID 2312 wrote to memory of 4608 | 2312 | v8345698.exe | 84
  PID 2312 wrote to memory of 4608 | 2312 | v8345698.exe | 84
  PID 4608 wrote to memory of 4868 | 4608 | v9670626.exe | 85
  PID 4608 wrote to memory of 4868 | 4608 | v9670626.exe | 85
  PID 4608 wrote to memory of 3896 | 4608 | v9670626.exe | 93
  PID 4608 wrote to memory of 3896 | 4608 | v9670626.exe | 93
  PID 4608 wrote to memory of 3896 | 4608 | v9670626.exe | 93
  PID 2312 wrote to memory of 3848 | 2312 | v8345698.exe | 96
  PID 2312 wrote to memory of 3848 | 2312 | v8345698.exe | 96
  PID 2312 wrote to memory of 3848 | 2312 | v8345698.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe"
  PID: 2936
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3080858.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3080858.exe
    PID: 224
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5406472.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5406472.exe
      PID: 1152
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8345698.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8345698.exe
        PID: 2312
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9670626.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9670626.exe
          PID: 4608
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0742905.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0742905.exe
            PID: 4868
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4576786.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4576786.exe
            PID: 3896
            - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3632568.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3632568.exe
          PID: 3848
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 723KB
  MD5: ba005c81001bf693b01931b3c3bdf887
  SHA1: e9ea3a0d4482118dd18bdc0e4182009d07881936
  SHA256: 0b8361eb62faa23d77e6ada373a785cd440207be1e7db33a498bca235a56e152
  SHA512: 43007ebfc2f1fb95a8c75fea785073c06d78c03b081568df8f51232821ac78ee0199bee9cf42764268d971332e75365c43570dcea05ec70db18a96486a97c701
- Filesize: 497KB
  MD5: 0fbdb59a87a9d8a7a0e353f983854a0e
  SHA1: b271f84696fb0191c90412b088f254346a0ec5ed
  SHA256: 3959669fd2a88b07b1421ac46badaba111fe6473d7f96e2100cd732f2c75be02
  SHA512: d5468d9463a476e074087eff7a526785500452226da06d9a2a3473b4772588b3c0ccad2a953a7cc85d7893df1ba4a532ad89e2f0e74dfcd6ce008188ada74d94
- Filesize: 373KB
  MD5: d3d3ffe7d568ee2b503b7385fa9b333f
  SHA1: dd63215b85f29ed94e0f9c7f2aa0629018e38c4b
  SHA256: e80bb85dc13bea244a39c5a11da80a92ec2ce09d70af6535eda42ec8d48ec48f
  SHA512: 76379af2b5da304b5bca82de5674c248596171c9a531070aeb944774891da2d2db59aabf335ae18a79c71c042f99c4c135262624d80f67162940c031f429b651
- Filesize: 174KB
  MD5: 2aceaafadce879304008c4f748bf75c0
  SHA1: 8dc206154ccd960fabb096ae14bd4a52b8d76f4d
  SHA256: 312a45b0833ee8e4a7ce1aa3715e423b171c8bce04f028c420dab7dd98f1a075
  SHA512: 37cf0c88b52c3cf809d90383719400832ea033549e6718db3084bcacfb3c5bd80dc91a5305dc854849e5aa3451868b9ceca5a057734b33c2a46f014e2c4f76f5
- Filesize: 217KB
  MD5: 68aa7edc326eb9cd786eb8e42bfc8187
  SHA1: 97bbbab1885136b35fddcc07e4bc8a1e436c52ed
  SHA256: aa17fe7e454a84eb97e15b5c25118cc8e961dab50e3428c5018158a3cd19eab5
  SHA512: 81adfaae144a820ee173761403a692eaeece487e0f69b2316aba189eb22a6f1e6ef16f3ab8848df0b11470612f0334ea742c98c427626e376a538c3783172ad5
- Filesize: 12KB
  MD5: e21655984ac4965a66fb6ebce909fa6a
  SHA1: 4403e518d735bcec50091198f58da02216a12539
  SHA256: 54582dc9c5f438f7704448d228253518ac1e51591b193a4d97d07523b22f39ba
  SHA512: ddd9d29aa2dda98f51399af4991c7aaba636f87d142dd93f6145ac7f562f2561c440a93d2b70df4401bfde09cec565fc547b11b9eda1a72f899eedbaa7ed9137
- Filesize: 140KB
  MD5: 402480df7ed54a94ebffb96cb38023fe
  SHA1: 4f25922b073878390dabb41de7cef2f3e3bce9c5
  SHA256: 1db5c527c3330ef430c4def8f282df895396a11a61a734ade82db313415b79c0
  SHA512: 2daa3b6782e3d977413cbbedc4020cff6091f83a8f558d2ff18b2aae6d464584bb30a69876fa16e0210eec9396ef66eaca91ed18e34c44f72c533f3d5ecc40cf