Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    277s
  • max time network
    297s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25/08/2023, 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    z4921733.exe

  • Size

    372KB

  • MD5

    3356f0a504f98ebe19bb177856184fbd

  • SHA1

    be551871751081f37f458b7bf62656f3dc6ed89d

  • SHA256

    04564577997141d823ae97f19f8febb05160bde567c2c1439c74e4d24255ecdd

  • SHA512

    5cf27fcf13ed56ad49dff48ea7c8359d81c5ebe641aba8e4a31b4de783a8734770bfd3ca7e3188e3518b39be890bbe74baa90ffbda980c20e833d22428a1f6c6

  • SSDEEP

    6144:K3y+bnr+Tp0yN90QESpbj/Pj4BgD2zUcPD+lSLwwvohu5/p8qWlt6lHC4+k0e:ZMr/y90Ij/Pj4aqb9wY8qWl8xCy

Score
10/10
healerredlinevagadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

vaga

C2

77.91.124.73:19071

Attributes
  • auth_value

    393905212ded984248e8e000e612d4fe

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\z4921733.exe
    "C:\Users\Admin\AppData\Local\Temp\z4921733.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4828
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe
        3⤵
        • Executes dropped EXE
        PID:3300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe
      2⤵
      • Executes dropped EXE
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe
    Filesize

    174KB

    MD5

    06f2a58cc262f752e8c67b4345c16b6c

    SHA1

    737541609d2bbefd038e0c848a0ff5da2c2e768a

    SHA256

    e100b806bc9587accd03ab26aae2f37b4136b0bb6aa0415bdc49815bd83196b1

    SHA512

    cc73836af52d14150122604f6c5fc4d7195943a2be106fb44fcddc8002c2aa0ee73840c7f5d65c9c7bfcf44460587df9959788f3e53ab121db48f7538854aa65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe
    Filesize

    174KB

    MD5

    06f2a58cc262f752e8c67b4345c16b6c

    SHA1

    737541609d2bbefd038e0c848a0ff5da2c2e768a

    SHA256

    e100b806bc9587accd03ab26aae2f37b4136b0bb6aa0415bdc49815bd83196b1

    SHA512

    cc73836af52d14150122604f6c5fc4d7195943a2be106fb44fcddc8002c2aa0ee73840c7f5d65c9c7bfcf44460587df9959788f3e53ab121db48f7538854aa65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe
    Filesize

    217KB

    MD5

    3339c50a2fddaeb1d68cc1ebae24c240

    SHA1

    a225a8359680f957be893f237894b050d0a6b720

    SHA256

    af36c2a3af9e6714c8280892d49405fd76f3fd8d50c44121969018759f7e6264

    SHA512

    6af46d550829615d498b32f34724f34aac960853e0a19b0d522904d81cde6df188895df0bde4583ea90af506dec7d045dbd0b9675430b4aa07a4a3b3b2e20119

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe
    Filesize

    217KB

    MD5

    3339c50a2fddaeb1d68cc1ebae24c240

    SHA1

    a225a8359680f957be893f237894b050d0a6b720

    SHA256

    af36c2a3af9e6714c8280892d49405fd76f3fd8d50c44121969018759f7e6264

    SHA512

    6af46d550829615d498b32f34724f34aac960853e0a19b0d522904d81cde6df188895df0bde4583ea90af506dec7d045dbd0b9675430b4aa07a4a3b3b2e20119

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe
    Filesize

    13KB

    MD5

    18e4e8a529a08a0d453d509cc4a44665

    SHA1

    0dfc8ce833e94545ba31a5b41c722664021aac44

    SHA256

    349ca83cbed28a8a42764969725bb9b049565b613842a3954a041d474fb0e62d

    SHA512

    8b81a06ff7c021fd3299b2140641e2f18a6ccabde04c79c962bfbca410addf5938795cc2de84e0778a15f5ada6b394ee6e56d2787430be801d6fc572c0accd19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe
    Filesize

    13KB

    MD5

    18e4e8a529a08a0d453d509cc4a44665

    SHA1

    0dfc8ce833e94545ba31a5b41c722664021aac44

    SHA256

    349ca83cbed28a8a42764969725bb9b049565b613842a3954a041d474fb0e62d

    SHA512

    8b81a06ff7c021fd3299b2140641e2f18a6ccabde04c79c962bfbca410addf5938795cc2de84e0778a15f5ada6b394ee6e56d2787430be801d6fc572c0accd19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe
    Filesize

    140KB

    MD5

    577820ffc3f05e7ba539b190c28ef6a0

    SHA1

    b88220edcf973f1a010e6c2323c1715f63d2780b

    SHA256

    8b262c918bcada4f425885d75c18731164e5f6996fd56f03ab1c30ff70f618e7

    SHA512

    7b8c089211a5510f85fce759700fa16112beb4435bc37e4c894c7cccf439599b08c9a3b33ee9a9c438ac65c9f38faa4a17e89a37fee519b434ef3cbf9c92ede8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe
    Filesize

    140KB

    MD5

    577820ffc3f05e7ba539b190c28ef6a0

    SHA1

    b88220edcf973f1a010e6c2323c1715f63d2780b

    SHA256

    8b262c918bcada4f425885d75c18731164e5f6996fd56f03ab1c30ff70f618e7

    SHA512

    7b8c089211a5510f85fce759700fa16112beb4435bc37e4c894c7cccf439599b08c9a3b33ee9a9c438ac65c9f38faa4a17e89a37fee519b434ef3cbf9c92ede8

    Download Submit

  • memory/4828-15-0x00007FFB75EB0000-0x00007FFB7689C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4828-17-0x00007FFB75EB0000-0x00007FFB7689C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4828-14-0x0000000000D20000-0x0000000000D2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4876-24-0x0000000000BF0000-0x0000000000C20000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4876-25-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4876-26-0x0000000002DD0000-0x0000000002DD6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4876-27-0x000000000AEC0000-0x000000000B4C6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4876-28-0x000000000AA00000-0x000000000AB0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4876-29-0x000000000A930000-0x000000000A942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4876-30-0x000000000A990000-0x000000000A9CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4876-31-0x000000000AB10000-0x000000000AB5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4876-32-0x0000000073230000-0x000000007391E000-memory.dmp

    Filesize

    6.9MB

    Download