Analysis

max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2023, 11:15
Static task: static1
Behavioral task: behavioral1
Sample: 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
Resource: win10v2004-20230703-en
General

Target: 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
Size: 829KB
MD5: de7e162e101efce9b2c2005f2574fc0e
SHA1: 9448f5251cb4b4df414417655d6fb7859d04d4be
SHA256: 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b
SHA512: cd95e14d31c6f4c5b592b80d27689db644412fce386bb81e6ff1434655c252c3d3cceeff60041e205b426ab91114b8ccef927ea0f74c04454641487c5bed6fcc
SSDEEP: 24576:OyKl52iJun73tw12Lwpte59gZhnDo7IhK+3Jq:dKl52hhw12cbkWDo/SJ
Malware Config

Extracted
Family: redline
Botnet: rota
C2: 77.91.124.73:19071
auth_value: 320c7daa59eb9b82e20a15162392a756
Signatures

Detects Healer an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000023213-33.dat | healer
  behavioral1/files/0x0007000000023213-34.dat | healer
  behavioral1/memory/2260-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a9762231.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a9762231.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a9762231.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a9762231.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a9762231.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a9762231.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (7 IoCs)
  pid | Process
  1900 | v6486195.exe
  4896 | v8882386.exe
  4812 | v6198440.exe
  5064 | v3612864.exe
  2260 | a9762231.exe
  4448 | b0840550.exe
  1764 | c5735330.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a9762231.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v8882386.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6198440.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v3612864.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v6486195.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2260 | a9762231.exe
  2260 | a9762231.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2260 | a9762231.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 2860 wrote to memory of 1900 | 2860 | 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe | 82
  PID 2860 wrote to memory of 1900 | 2860 | 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe | 82
  PID 2860 wrote to memory of 1900 | 2860 | 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe | 82
  PID 1900 wrote to memory of 4896 | 1900 | v6486195.exe | 83
  PID 1900 wrote to memory of 4896 | 1900 | v6486195.exe | 83
  PID 1900 wrote to memory of 4896 | 1900 | v6486195.exe | 83
  PID 4896 wrote to memory of 4812 | 4896 | v8882386.exe | 84
  PID 4896 wrote to memory of 4812 | 4896 | v8882386.exe | 84
  PID 4896 wrote to memory of 4812 | 4896 | v8882386.exe | 84
  PID 4812 wrote to memory of 5064 | 4812 | v6198440.exe | 85
  PID 4812 wrote to memory of 5064 | 4812 | v6198440.exe | 85
  PID 4812 wrote to memory of 5064 | 4812 | v6198440.exe | 85
  PID 5064 wrote to memory of 2260 | 5064 | v3612864.exe | 86
  PID 5064 wrote to memory of 2260 | 5064 | v3612864.exe | 86
  PID 5064 wrote to memory of 4448 | 5064 | v3612864.exe | 91
  PID 5064 wrote to memory of 4448 | 5064 | v3612864.exe | 91
  PID 5064 wrote to memory of 4448 | 5064 | v3612864.exe | 91
  PID 4812 wrote to memory of 1764 | 4812 | v6198440.exe | 92
  PID 4812 wrote to memory of 1764 | 4812 | v6198440.exe | 92
  PID 4812 wrote to memory of 1764 | 4812 | v6198440.exe | 92
Processes

Process tree (indentation shows parent/child depth; depth 1 is the submitted sample):

C:\Users\Admin\AppData\Local\Temp\237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe"
  PID: 2860
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6486195.exe
    Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6486195.exe
    PID: 1900
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8882386.exe
      Command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8882386.exe
      PID: 4896
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6198440.exe
        Command: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6198440.exe
        PID: 4812
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3612864.exe
          Command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3612864.exe
          PID: 5064
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9762231.exe
            Command: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9762231.exe
            PID: 2260
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0840550.exe
            Command: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0840550.exe
            PID: 4448
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5735330.exe
          Command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5735330.exe
          PID: 1764
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads