Analysis

max time kernel: 145s
max time network: 157s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/08/2023, 19:33

Static task: static1
Behavioral task: behavioral1
Sample: f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
Resource: win10-20230703-en
General

Target: f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
Size: 929KB
MD5: db487af037096a79fb9522633939d8c9
SHA1: a65e9bb7d7faec68f63c5a11b6c59f54d35631f0
SHA256: f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c
SHA512: a3e057d1b3c46c511c191fa76e3a9eabac043ebefbcd11d2ff6f5c3bd69bf01aaf1f0adeb2ff57c249c4b16cd8a5b7236f70cee0a1aaf0fc2fd46968dffe2dcf
SSDEEP: 12288:9Mr6y90KNr3Mrw9dzk3h3OJH1h0V69PRZ+AxU1EUFXWIU6TZwI0FiCrtF/+3anff:Tyl9dzmh3ihi4+AOKUFU+xIx+3an
Malware Config

Extracted
Family: redline
Botnet: rota
C2: 77.91.124.73:19071
auth_value: 320c7daa59eb9b82e20a15162392a756
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x000700000001afc4-153.dat | healer
behavioral1/files/0x000700000001afc4-154.dat | healer
behavioral1/memory/4148-155-0x0000000000710000-0x000000000071A000-memory.dmp | healer
The memory hit is in PID 4148 (q2577469.exe), the same process that performs the Windows Defender registry writes below.

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q2577469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q2577469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q2577469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q2577469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q2577469.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (7 IoCs)
pid | Process
820 | z5822812.exe
1804 | z4860573.exe
3020 | z6511964.exe
2764 | z0174663.exe
4148 | q2577469.exe
4212 | r9877009.exe
2600 | s0411629.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q2577469.exe
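The registry writes above, parsed and sorted into buckets by an added Python example. This is editor-supplied code, not part of the tria.ge report or of the sample: the input is copied from this report's IoC lines (the five Real-Time Protection writes, the TamperProtection write, and two of the five wextract_cleanup RunOnce writes from the "Adds Run key" signature), the bucket names, function names and the `verification_commands` helper are this example's own, and the PowerShell strings it emits are plain Get-ItemProperty reads for confirming the same values on a suspect host.

```python
import re
from typing import Dict, List, NamedTuple

# Registry values this report shows q2577469.exe writing, keyed by path below HKLM
# (tria.ge prints HKLM as \REGISTRY\MACHINE). The value listed is the one that
# turns the protection off.
DEFENDER_KILLSWITCHES: Dict[str, Dict[str, str]] = {
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableBehaviorMonitoring": "1",
        "DisableIOAVProtection": "1",
        "DisableOnAccessProtection": "1",
        "DisableRealtimeMonitoring": "1",
        "DisableScanOnRealtimeEnable": "1",
    },
    r"SOFTWARE\Microsoft\Windows Defender\Features": {
        "TamperProtection": "0",
    },
}


class RegWrite(NamedTuple):
    key: str      # key path below HKLM
    name: str     # value name
    value: str    # data exactly as the report prints it
    process: str  # image name of the writing process


# One "Set value (...)" record in tria.ge's format; several may share one line.
SET_VALUE_RE = re.compile(
    r'Set value \((?:int|str)\) \\REGISTRY\\MACHINE\\'
    r'(?P<key>.+?)\\(?P<name>[^\\ ]+) = "(?P<value>.*?)" (?P<process>\S+\.exe)'
)


def parse_registry_writes(report_text: str) -> List[RegWrite]:
    return [RegWrite(m["key"], m["name"], m["value"], m["process"])
            for m in SET_VALUE_RE.finditer(report_text)]


def classify(w: RegWrite) -> str:
    """Bucket names are this example's own, not tria.ge signature names."""
    expected = DEFENDER_KILLSWITCHES.get(w.key, {}).get(w.name)
    if expected is not None and w.value == expected:
        return "defender-killswitch"
    # IExpress/wextract self-extractors register their own clean-up in RunOnce
    # (advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP directory); this is
    # unpacker housekeeping, not persistence for the payload.
    if (w.key.endswith(r"\CurrentVersion\RunOnce")
            and w.name.startswith("wextract_cleanup")
            and "advpack.dll,DelNodeRunDLL32" in w.value):
        return "wextract-cleanup"
    return "other"


def triage(report_text: str) -> Dict[str, List[RegWrite]]:
    buckets: Dict[str, List[RegWrite]] = {}
    for w in parse_registry_writes(report_text):
        buckets.setdefault(classify(w), []).append(w)
    return buckets


def verification_commands(buckets: Dict[str, List[RegWrite]]) -> List[str]:
    """PowerShell reads (this example's own) to confirm each kill-switch on a suspect host."""
    return [
        f"Get-ItemProperty -Path 'HKLM:\\{w.key}' -Name {w.name} "
        f"| Select-Object -ExpandProperty {w.name}"
        for w in buckets.get("defender-killswitch", [])
    ]


# Input copied from this report's IoC lines (see the lead-in for which rows).
REPORT_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" q2577469.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" q2577469.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" q2577469.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" q2577469.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" q2577469.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q2577469.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" z0174663.exe
'''

if __name__ == "__main__":
    buckets = triage(REPORT_IOCS)
    for bucket, writes in buckets.items():
        for w in writes:
            print(f"{bucket:20} {w.process:12} HKLM\\{w.key}\\{w.name} = {w.value}")
    print("\n".join(verification_commands(buckets)))
```

Running the block prints six defender-killswitch rows, all from q2577469.exe, two wextract-cleanup rows, and the Get-ItemProperty lines; on a clean host the Real-Time Protection policy values are normally absent and TamperProtection is not 0.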
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z0174663.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z5822812.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z4860573.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z6511964.exe
Note: wextract_cleanupN values that invoke advpack.dll,DelNodeRunDLL32 are the self-cleanup entries written by the Microsoft IExpress/wextract self-extractor, the same packager that creates the IXP00N.TMP directories; they delete the extraction directory at the next logon rather than re-launch anything, so they are an artifact of the nested SFX layers, not persistence for the stealer.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4148 | q2577469.exe
4148 | q2577469.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4148 | q2577469.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 4976 wrote to memory of 820 | 4976 | f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe | 70
PID 4976 wrote to memory of 820 | 4976 | f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe | 70
PID 4976 wrote to memory of 820 | 4976 | f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe | 70
PID 820 wrote to memory of 1804 | 820 | z5822812.exe | 71
PID 820 wrote to memory of 1804 | 820 | z5822812.exe | 71
PID 820 wrote to memory of 1804 | 820 | z5822812.exe | 71
PID 1804 wrote to memory of 3020 | 1804 | z4860573.exe | 72
PID 1804 wrote to memory of 3020 | 1804 | z4860573.exe | 72
PID 1804 wrote to memory of 3020 | 1804 | z4860573.exe | 72
PID 3020 wrote to memory of 2764 | 3020 | z6511964.exe | 73
PID 3020 wrote to memory of 2764 | 3020 | z6511964.exe | 73
PID 3020 wrote to memory of 2764 | 3020 | z6511964.exe | 73
PID 2764 wrote to memory of 4148 | 2764 | z0174663.exe | 74
PID 2764 wrote to memory of 4148 | 2764 | z0174663.exe | 74
PID 2764 wrote to memory of 4212 | 2764 | z0174663.exe | 75
PID 2764 wrote to memory of 4212 | 2764 | z0174663.exe | 75
PID 2764 wrote to memory of 4212 | 2764 | z0174663.exe | 75
PID 3020 wrote to memory of 2600 | 3020 | z6511964.exe | 76
PID 3020 wrote to memory of 2600 | 3020 | z6511964.exe | 76
PID 3020 wrote to memory of 2600 | 3020 | z6511964.exe | 76
Processes

C:\Users\Admin\AppData\Local\Temp\f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe (PID 4976)
  command line: "C:\Users\Admin\AppData\Local\Temp\f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822812.exe (PID 820)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822812.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4860573.exe (PID 1804)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4860573.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6511964.exe (PID 3020)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6511964.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0174663.exe (PID 2764)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0174663.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2577469.exe (PID 4148)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2577469.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9877009.exe (PID 4212)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9877009.exe
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0411629.exe (PID 2600)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0411629.exe
          - Executes dropped EXE
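Rebuilding the tree above from the flat signature tables, as an added Python example that is not part of the tria.ge report. It takes the "Suspicious use of WriteProcessMemory" rows and the "Executes dropped EXE" rows exactly as this report prints them, collapses the repeated write rows into one parent/child edge each, fills in the names of the three leaf processes (which never write to another process, so they only appear in the dropped-EXE table), and renders the chain with the ancestry of any PID. The class, method names and the indented output format are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One row of the "Suspicious use of WriteProcessMemory" table as the report prints it:
#   PID <parent> wrote to memory of <child> <parent> <image> <procid_target>
WRITE_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<image>\S+\.exe) \d+"
)
# One row of the "Executes dropped EXE" table: <pid> <image>
EXEC_RE = re.compile(r"(?P<pid>\d+) (?P<image>\S+\.exe)")


class ProcessTree:
    def __init__(self) -> None:
        self.names: Dict[int, str] = {}
        self.children: Dict[int, List[int]] = defaultdict(list)
        self.parent: Dict[int, int] = {}

    @classmethod
    def from_report(cls, write_table: str, exec_table: str) -> "ProcessTree":
        tree = cls()
        for m in WRITE_RE.finditer(write_table):
            parent, child = int(m["parent"]), int(m["child"])
            tree.names.setdefault(parent, m["image"])
            if child not in tree.parent:  # one row per write call; keep one edge per pair
                tree.parent[child] = parent
                tree.children[parent].append(child)
        # Leaves never write to another process, so their names come only from
        # the dropped-EXE table (q2577469.exe, r9877009.exe, s0411629.exe here).
        for m in EXEC_RE.finditer(exec_table):
            tree.names.setdefault(int(m["pid"]), m["image"])
        return tree

    def roots(self) -> List[int]:
        return [p for p in self.children if p not in self.parent]

    def ancestry(self, pid: int) -> List[int]:
        """PIDs from the root down to pid, following the write edges upward."""
        path = [pid]
        while path[-1] in self.parent:
            path.append(self.parent[path[-1]])
        return path[::-1]

    def render(self, pid: Optional[int] = None, depth: int = 0) -> List[str]:
        if pid is None:
            return [line for root in self.roots() for line in self.render(root)]
        lines = ["  " * depth + f"{self.names.get(pid, '<unknown>')} (PID {pid})"]
        for child in self.children.get(pid, []):
            lines.extend(self.render(child, depth + 1))
        return lines


# Both tables copied verbatim from this report's signature section.
WRITE_TABLE = """
PID 4976 wrote to memory of 820 4976 f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe 70
PID 4976 wrote to memory of 820 4976 f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe 70
PID 4976 wrote to memory of 820 4976 f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe 70
PID 820 wrote to memory of 1804 820 z5822812.exe 71
PID 820 wrote to memory of 1804 820 z5822812.exe 71
PID 820 wrote to memory of 1804 820 z5822812.exe 71
PID 1804 wrote to memory of 3020 1804 z4860573.exe 72
PID 1804 wrote to memory of 3020 1804 z4860573.exe 72
PID 1804 wrote to memory of 3020 1804 z4860573.exe 72
PID 3020 wrote to memory of 2764 3020 z6511964.exe 73
PID 3020 wrote to memory of 2764 3020 z6511964.exe 73
PID 3020 wrote to memory of 2764 3020 z6511964.exe 73
PID 2764 wrote to memory of 4148 2764 z0174663.exe 74
PID 2764 wrote to memory of 4148 2764 z0174663.exe 74
PID 2764 wrote to memory of 4212 2764 z0174663.exe 75
PID 2764 wrote to memory of 4212 2764 z0174663.exe 75
PID 2764 wrote to memory of 4212 2764 z0174663.exe 75
PID 3020 wrote to memory of 2600 3020 z6511964.exe 76
PID 3020 wrote to memory of 2600 3020 z6511964.exe 76
PID 3020 wrote to memory of 2600 3020 z6511964.exe 76
"""
EXEC_TABLE = ("820 z5822812.exe 1804 z4860573.exe 3020 z6511964.exe 2764 z0174663.exe "
              "4148 q2577469.exe 4212 r9877009.exe 2600 s0411629.exe")

if __name__ == "__main__":
    tree = ProcessTree.from_report(WRITE_TABLE, EXEC_TABLE)
    print("\n".join(tree.render()))
    print("RedLine payload chain:", " -> ".join(str(p) for p in tree.ancestry(4212)))
```

The rendered output matches the Processes tree above: five nested self-extractor layers, with q2577469.exe (Healer) and r9877009.exe (RedLine) both spawned by z0174663.exe at PID 2764, and s0411629.exe spawned one level up by z6511964.exe.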
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 823KB
MD5: feee9f2381e2084f1f9caa4f3cc156b2
SHA1: 6f92da056e833b9a938cb2a89b3b912d9355ffb6
SHA256: d0d3ab21c6c306f10215472bb11a65ef0510d96ad38275937ce433db2be027c4
SHA512: 42e340a6aade809a98feda94e753e9cce4f818c2de6de5cbda64f1b2f04c4dfe53a080505e9595e0751963281a3a677ba949512467eae752bdde30aac12c2e47

Filesize: 597KB
MD5: d0fccbe15a12cddf47a13eaad6c32206
SHA1: 489b0d4ab2427585a3c1da1590df57fd6693740b
SHA256: 47b9555d8be7da5b15bd83f752433a4182be8134777be6e361c904dd1fe037d2
SHA512: 3e0bc2e4ee5fd45dd4c1009ca0de806aa7ce375291747be727e25d49600e3f045bc2bff67c03ef5658bbf399fa2b61c4cfba5b1b6071654be569b24460496b55

Filesize: 372KB
MD5: 19421a856c031bbd401a27ff8ea32723
SHA1: 284b5e37e87bd37664a3b9a40086056108050d54
SHA256: a13a0575f2e41598227321875ecf58d4b6a02139ccac883f4e78f09b38217ada
SHA512: 915b76f583e81eba546c1478796fa3c973727a194c84ecc547e6472ad82d6aa87fad008ac688e43f64070bbc344034f4d0f207f9bd508ebf9e7947650bf522c0

Filesize: 174KB
MD5: 2cb20c2cdda2d45480c87abc646650c8
SHA1: 465d8675921d33727b12193b541b795246db23c7
SHA256: 6393561930f2ba1f2fd2338e054c13d9c3c805a6f1476fe9a0ac805c8509aca3
SHA512: 3305abcf2088b86caf38f4b13dcac6cf23d23689a6e5b9f90e692c6384980648ab8663de0de5d9b79601347b8172b0c0e61cb3c59ce6edfa537064d8b2d87ebe

Filesize: 216KB
MD5: 0a557843bc6e1cfc89339194cb774aba
SHA1: 7059b3b0d11b979abc6e07a71334eebbdd45cff4
SHA256: cd92c3c0014c9f7f47152fe84c0e0a33210e9eee8f9d97da43e558eac235ba57
SHA512: 2d383f9699e73e1eade189b823764cfe76ec3db56ef07160f1310b55ba9d867712bb5c271c93031b9e53c3376860f22787841d99d04014dfd85c07fe5a6ac7b9

Filesize: 12KB
MD5: 8a9361a09fd374eff29367c39e370fd7
SHA1: dd112ee5baba20e5cccc1effd86075642f00b2ef
SHA256: d5db2e6c48054ed72258e305607cb41d45d548e3f0b2f67a114d23064b4587a9
SHA512: a5496e33bb425382f82bc8cda56c6641b1079ed4efb52d77057447f9452c5eacbc5344dd31696c96582d757d92c4c777c23cdcc5d1e0d6619a9a91316c0b6d51

Filesize: 140KB
MD5: 65e865556d1597efb5f1ba6937f47bdd
SHA1: 3cb28eb801033d519b2f90bfcbd11b47d353e136
SHA256: 3e4c6f4bc452651365c393a4bec64e5e54fb607d5ca327ce23a170beebe64a55
SHA512: cab4d8e3e7cae5611fb275dfcbdb87708b0c1a4788754636ba81404d34e269eb66568d97d841be3f9b6fb0c81d7223429eda80bb3cd538e155656ac0621adfec