Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/08/2023, 09:13
Static task: static1
Behavioral task: behavioral1
Sample: f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe
Resource: win10-20230703-en
General
Target: f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe
Size: 838KB
MD5: 7ca0b75c7b8687e9239349629d25ae29
SHA1: 457bef3412101c45275f28ae79dc2271d810a601
SHA256: f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d
SHA512: 1e2e4c4da9e92a5504eb52ffcfcf6b2a8d0408dee97b9b1c878482a70e89cf3caddbcc2eff26ade3f7bc95e0e9c5adf59e13b2ff55610e66185e2e1a253fdc82
SSDEEP: 24576:RyT9ClFjD/Gw5m26ISFHWcY4zcfdw9uDxw:E5ClF//Ld6v2Z5wm
Malware Config
Extracted
Family: redline
Botnet: piter
C2: 77.91.124.73:19071
auth_value: 7f92ff466423bb35edbfbc22f78b0bb9
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001afe9-150.dat | healer
behavioral1/files/0x000700000001afe9-151.dat | healer
behavioral1/memory/3676-152-0x00000000002C0000-0x00000000002CA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a8109277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a8109277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a8109277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a8109277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a8109277.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (7 IoCs)
pid | Process
3420 | v6338451.exe
4884 | v3499594.exe
4940 | v5729729.exe
2324 | v5710865.exe
3676 | a8109277.exe
3012 | b9033014.exe
4204 | c4927028.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a8109277.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v5729729.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v5710865.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v6338451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v3499594.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3676 | a8109277.exe
3676 | a8109277.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3676 | a8109277.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 4516 wrote to memory of 3420 | 4516 | f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe | 70
PID 4516 wrote to memory of 3420 | 4516 | f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe | 70
PID 4516 wrote to memory of 3420 | 4516 | f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe | 70
PID 3420 wrote to memory of 4884 | 3420 | v6338451.exe | 71
PID 3420 wrote to memory of 4884 | 3420 | v6338451.exe | 71
PID 3420 wrote to memory of 4884 | 3420 | v6338451.exe | 71
PID 4884 wrote to memory of 4940 | 4884 | v3499594.exe | 72
PID 4884 wrote to memory of 4940 | 4884 | v3499594.exe | 72
PID 4884 wrote to memory of 4940 | 4884 | v3499594.exe | 72
PID 4940 wrote to memory of 2324 | 4940 | v5729729.exe | 73
PID 4940 wrote to memory of 2324 | 4940 | v5729729.exe | 73
PID 4940 wrote to memory of 2324 | 4940 | v5729729.exe | 73
PID 2324 wrote to memory of 3676 | 2324 | v5710865.exe | 74
PID 2324 wrote to memory of 3676 | 2324 | v5710865.exe | 74
PID 2324 wrote to memory of 3012 | 2324 | v5710865.exe | 75
PID 2324 wrote to memory of 3012 | 2324 | v5710865.exe | 75
PID 2324 wrote to memory of 3012 | 2324 | v5710865.exe | 75
PID 4940 wrote to memory of 4204 | 4940 | v5729729.exe | 76
PID 4940 wrote to memory of 4204 | 4940 | v5729729.exe | 76
PID 4940 wrote to memory of 4204 | 4940 | v5729729.exe | 76
Processes

C:\Users\Admin\AppData\Local\Temp\f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe (PID 4516)
  command line: "C:\Users\Admin\AppData\Local\Temp\f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6338451.exe (PID 3420)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6338451.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3499594.exe (PID 4884)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3499594.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5729729.exe (PID 4940)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5729729.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5710865.exe (PID 2324)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5710865.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8109277.exe (PID 3676)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8109277.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9033014.exe (PID 3012)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9033014.exe
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4927028.exe (PID 4204)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4927028.exe
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads