Analysis
max time kernel: 138s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230824-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/08/2023, 16:49
Static task: static1
Behavioral task: behavioral1
Sample: 5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe
Resource: win10v2004-20230824-en
General
Target: 5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe
Size: 924KB
MD5: ec353d467192e790537851ad396b8533
SHA1: b7aa8f141bad7ff14d86faad78c5f185a9e12306
SHA256: 5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981
SHA512: ba4713e381de77e3a25a0a9f927f4fe3c57dd87958cbe30d47c6d0b244a7e541d8c7916e2756fc79469e67c19453980baa9aa68c84b5c72e5529c04874eeb2ec
SSDEEP: 24576:My9tMv2wJnlVFyH3s8E0gUhfvmZbiSbUv4:78lVFyH3s8EbuSbU
Malware Config
Extracted
Family: redline
Botnet: jaja
C2: 77.91.124.73:19071
auth_value: 3670179d176ca399ed08e7914610b43c
Signatures
- Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource  yara_rule
  behavioral1/files/0x000700000002303f-35.dat  healer
  behavioral1/files/0x000700000002303f-34.dat  healer
  behavioral1/memory/1760-36-0x0000000000BC0000-0x0000000000BCA000-memory.dmp  healer
- Modifies Windows Defender Real-time Protection settings
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  q1269939.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  q1269939.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  q1269939.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  q1269939.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  q1269939.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  q1269939.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (7 IoCs)
  pid   Process
  2940  z1106831.exe
  64    z8119300.exe
  3240  z6046573.exe
  2532  z7368317.exe
  1760  q1269939.exe
  5012  r2802402.exe
  4028  s4478368.exe
- Windows security modification
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  q1269939.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  z7368317.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  z1106831.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  z8119300.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  z6046573.exe
- Drops file in System32 directory (1 IoC)
  description  ioc  Process
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9D5ABA89-089D-46BE-9048-6F925A6451D8}.catalogItem  svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1760  q1269939.exe
  1760  q1269939.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description  pid  Process
  Token: SeDebugPrivilege  1760  q1269939.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description  pid  Process  procid_target
  PID 2236 wrote to memory of 2940  2236  5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe  85
  PID 2236 wrote to memory of 2940  2236  5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe  85
  PID 2236 wrote to memory of 2940  2236  5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe  85
  PID 2940 wrote to memory of 64  2940  z1106831.exe  86
  PID 2940 wrote to memory of 64  2940  z1106831.exe  86
  PID 2940 wrote to memory of 64  2940  z1106831.exe  86
  PID 64 wrote to memory of 3240  64  z8119300.exe  88
  PID 64 wrote to memory of 3240  64  z8119300.exe  88
  PID 64 wrote to memory of 3240  64  z8119300.exe  88
  PID 3240 wrote to memory of 2532  3240  z6046573.exe  89
  PID 3240 wrote to memory of 2532  3240  z6046573.exe  89
  PID 3240 wrote to memory of 2532  3240  z6046573.exe  89
  PID 2532 wrote to memory of 1760  2532  z7368317.exe  90
  PID 2532 wrote to memory of 1760  2532  z7368317.exe  90
  PID 2532 wrote to memory of 5012  2532  z7368317.exe  92
  PID 2532 wrote to memory of 5012  2532  z7368317.exe  92
  PID 2532 wrote to memory of 5012  2532  z7368317.exe  92
  PID 3240 wrote to memory of 4028  3240  z6046573.exe  93
  PID 3240 wrote to memory of 4028  3240  z6046573.exe  93
  PID 3240 wrote to memory of 4028  3240  z6046573.exe  93
Processes
C:\Users\Admin\AppData\Local\Temp\5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe  (PID 2236, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5fe055b4e902f7f10cc3a3b9a2b1551893cee26c7e4b67c1bc48d2444491e981.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1106831.exe  (PID 2940, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1106831.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8119300.exe  (PID 64, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8119300.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6046573.exe  (PID 3240, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6046573.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7368317.exe  (PID 2532, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7368317.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1269939.exe  (PID 1760, depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1269939.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2802402.exe  (PID 5012, depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2802402.exe
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4478368.exe  (PID 4028, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4478368.exe
          - Executes dropped EXE
C:\Windows\System32\svchost.exe  (PID 3312, depth 1)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads