Analysis
- max time kernel: 129s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/08/2023, 15:07
Static task: static1
Behavioral task: behavioral1
- Sample: 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe
- Resource: win10v2004-20230703-en
General
- Target: 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe
- Size: 929KB
- MD5: 5078ac99d7507eb4473849beafb88198
- SHA1: 926320d9d26cc34da0726351afd595e0b5587483
- SHA256: 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00
- SHA512: c4d5f2df89dfd0e1843c71429b85169f87a79691ef6510df89c7c4c082fa6d8886a5ca7e69e1ffaa227796b0018a1096c9168892058bd90dc38521cb2774387f
- SSDEEP: 24576:eymS4N2PzzSAkndiDJ85MvCf/hgbMIkNBL4B9GMA:tmyXQdimqaFjNZi8
Malware Config
Extracted
- Family: redline
- Botnet: gogi
- C2: 77.91.124.73:19071
- auth_value: c7dbabcf1eff128a595c7532cb5489a8
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00070000000230c3-33.dat | healer
  behavioral1/files/0x00070000000230c3-34.dat | healer
  behavioral1/memory/3560-35-0x00000000007E0000-0x00000000007EA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | q8989810.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q8989810.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q8989810.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q8989810.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q8989810.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q8989810.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (7 IoCs)
  pid | Process
  3352 | z8062768.exe
  3032 | z3785936.exe
  952 | z6330702.exe
  1324 | z3769683.exe
  3560 | q8989810.exe
  2640 | r8798218.exe
  4952 | s3408297.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q8989810.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z3785936.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z6330702.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z3769683.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z8062768.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3560 | q8989810.exe
  3560 | q8989810.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3560 | q8989810.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1800 wrote to memory of 3352 | 1800 | 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe | 82
  PID 1800 wrote to memory of 3352 | 1800 | 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe | 82
  PID 1800 wrote to memory of 3352 | 1800 | 97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe | 82
  PID 3352 wrote to memory of 3032 | 3352 | z8062768.exe | 83
  PID 3352 wrote to memory of 3032 | 3352 | z8062768.exe | 83
  PID 3352 wrote to memory of 3032 | 3352 | z8062768.exe | 83
  PID 3032 wrote to memory of 952 | 3032 | z3785936.exe | 84
  PID 3032 wrote to memory of 952 | 3032 | z3785936.exe | 84
  PID 3032 wrote to memory of 952 | 3032 | z3785936.exe | 84
  PID 952 wrote to memory of 1324 | 952 | z6330702.exe | 85
  PID 952 wrote to memory of 1324 | 952 | z6330702.exe | 85
  PID 952 wrote to memory of 1324 | 952 | z6330702.exe | 85
  PID 1324 wrote to memory of 3560 | 1324 | z3769683.exe | 86
  PID 1324 wrote to memory of 3560 | 1324 | z3769683.exe | 86
  PID 1324 wrote to memory of 2640 | 1324 | z3769683.exe | 93
  PID 1324 wrote to memory of 2640 | 1324 | z3769683.exe | 93
  PID 1324 wrote to memory of 2640 | 1324 | z3769683.exe | 93
  PID 952 wrote to memory of 4952 | 952 | z6330702.exe | 96
  PID 952 wrote to memory of 4952 | 952 | z6330702.exe | 96
  PID 952 wrote to memory of 4952 | 952 | z6330702.exe | 96
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97e220c2c48fe6321fd8b7507b2c2508106a7137691c7224f020d6fd99df6f00.exe"
  PID: 1800
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8062768.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8062768.exe
    PID: 3352
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3785936.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3785936.exe
      PID: 3032
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6330702.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6330702.exe
        PID: 952
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3769683.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3769683.exe
          PID: 1324
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8989810.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8989810.exe
            PID: 3560
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          Depth 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8798218.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8798218.exe
            PID: 2640
            - Executes dropped EXE

        Depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3408297.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3408297.exe
          PID: 4952
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads