Analysis
max time kernel: 145s
max time network: 156s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/08/2023, 21:13
Static task: static1
Behavioral task: behavioral1
Sample: 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe
Resource: win10-20230703-en
General
Target: 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe
Size: 828KB
MD5: dc2aefdbe2b21a6d7865b8f438871f33
SHA1: 8e005f2c7a8a855f83cf6c1c35bace96e36292d0
SHA256: 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6
SHA512: a78f22eebb96bd3ebaf53c9d3dc2a16bf7ea0875ed9f1d8ce8bf899404fd80540094917e31887af544cd4e61084b6373b86984c7cb20a4c23f944498a324116d
SSDEEP: 24576:2ypwS3F9IJIdrc+B5mzm31HrfKDwbjUn:Fh3XImcum6lZbj
Malware Config
Extracted
Family: redline
Botnet: rota
C2: 77.91.124.73:19071
auth_value: 320c7daa59eb9b82e20a15162392a756
Signatures

Detects Healer an antivirus disabler dropper 3 IoCs
  resource | yara_rule
  behavioral1/files/0x000700000001af65-153.dat | healer
  behavioral1/files/0x000700000001af65-154.dat | healer
  behavioral1/memory/3776-155-0x00000000008A0000-0x00000000008AA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a6451350.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a6451350.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a6451350.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a6451350.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a6451350.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 7 IoCs
  pid | Process
  3684 | v3203667.exe
  4904 | v5968010.exe
  516 | v3545529.exe
  3780 | v4580221.exe
  3776 | a6451350.exe
  2736 | b7690303.exe
  4316 | c6237853.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a6451350.exe

Adds Run key to start application 2 TTPs 5 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3203667.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5968010.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v3545529.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v4580221.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  3776 | a6451350.exe
  3776 | a6451350.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3776 | a6451350.exe

Suspicious use of WriteProcessMemory 20 IoCs
  description | pid | Process | procid_target
  PID 4368 wrote to memory of 3684 | 4368 | 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe | 69
  PID 4368 wrote to memory of 3684 | 4368 | 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe | 69
  PID 4368 wrote to memory of 3684 | 4368 | 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe | 69
  PID 3684 wrote to memory of 4904 | 3684 | v3203667.exe | 70
  PID 3684 wrote to memory of 4904 | 3684 | v3203667.exe | 70
  PID 3684 wrote to memory of 4904 | 3684 | v3203667.exe | 70
  PID 4904 wrote to memory of 516 | 4904 | v5968010.exe | 71
  PID 4904 wrote to memory of 516 | 4904 | v5968010.exe | 71
  PID 4904 wrote to memory of 516 | 4904 | v5968010.exe | 71
  PID 516 wrote to memory of 3780 | 516 | v3545529.exe | 72
  PID 516 wrote to memory of 3780 | 516 | v3545529.exe | 72
  PID 516 wrote to memory of 3780 | 516 | v3545529.exe | 72
  PID 3780 wrote to memory of 3776 | 3780 | v4580221.exe | 73
  PID 3780 wrote to memory of 3776 | 3780 | v4580221.exe | 73
  PID 3780 wrote to memory of 2736 | 3780 | v4580221.exe | 74
  PID 3780 wrote to memory of 2736 | 3780 | v4580221.exe | 74
  PID 3780 wrote to memory of 2736 | 3780 | v4580221.exe | 74
  PID 516 wrote to memory of 4316 | 516 | v3545529.exe | 75
  PID 516 wrote to memory of 4316 | 516 | v3545529.exe | 75
  PID 516 wrote to memory of 4316 | 516 | v3545529.exe | 75
Processes (process tree; depth in parentheses)

- C:\Users\Admin\AppData\Local\Temp\3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe (1) PID:4368
  command line: "C:\Users\Admin\AppData\Local\Temp\3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3203667.exe (2) PID:3684
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3203667.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5968010.exe (3) PID:4904
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5968010.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3545529.exe (4) PID:516
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3545529.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4580221.exe (5) PID:3780
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4580221.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6451350.exe (6) PID:3776
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6451350.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7690303.exe (6) PID:2736
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7690303.exe
            - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6237853.exe (5) PID:4316
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6237853.exe
          - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads