Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/08/2023, 14:20

Static task: static1

Behavioral task: behavioral1
- Sample: 0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe
- Resource: win10v2004-20230703-en
General
- Target: 0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe
- Size: 930KB
- MD5: 8eb730276ea7aac10a9a71c46e15fb5c
- SHA1: 94852ebe01d80cb0ee62d76c0ae23dc3eb4144ef
- SHA256: 0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c
- SHA512: 92f27ae7c6fa20951044097051a05ebdc06adfb11321f940716c4fe94b2e6ac63e4ea296f2317549aaca47d6e8623207ee967f57f9e811abae3fa8076344bbd4
- SSDEEP: 24576:MygGcgjs/2ex/n6EuVh0uBZXfYGNdrST:7Cgjs/2E/nq2uvfZNdrS
Malware Config
Extracted
- Family: redline
- Botnet: sruta
- C2: 77.91.124.82:19071
- auth_value: c556edcd49703319eca74247de20c236
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x0007000000023239-34.dat                                   healer
  behavioral1/files/0x0007000000023239-33.dat                                   healer
  behavioral1/memory/3928-35-0x0000000000220000-0x000000000022A000-memory.dmp   healer
  (PID 3928 is q7861507.exe, the stage that disables Defender below.)

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  Process: q7861507.exe (PID 3928) for every entry.
  Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) under that key:
  - DisableBehaviorMonitoring = "1"
  - DisableIOAVProtection = "1"
  - DisableOnAccessProtection = "1"
  - DisableRealtimeMonitoring = "1"
  - DisableScanOnRealtimeEnable = "1"
  The "Key created" entry shows the Real-Time Protection policy key did not exist on the clean image; the sample creates it and populates the Disable* values itself.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (7 IoCs)
  PID    Process
  4576   z2211842.exe
  2472   z6961747.exe
  1608   z5853863.exe
  844    z6675446.exe
  3928   q7861507.exe
  4620   r3095229.exe
  4504   s0661561.exe

Windows security modification (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   q7861507.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  All five are string values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce with data
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\<folder>\"
  (backslashes and inner quotes are shown unescaped here):
  Value               Folder        Written by
  wextract_cleanup0   IXP000.TMP    0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe
  wextract_cleanup1   IXP001.TMP    z2211842.exe
  wextract_cleanup2   IXP002.TMP    z6961747.exe
  wextract_cleanup3   IXP003.TMP    z5853863.exe
  wextract_cleanup4   IXP004.TMP    z6675446.exe
  Caveat: a RunOnce\wextract_cleanupN value pointing at advpack.dll,DelNodeRunDLL32 is the cleanup hook that the Windows cabinet self-extractor (wextract.exe) registers to delete its IXP00N.TMP extraction folder at the next logon. It does not re-launch any payload, so these entries document a five-level nested self-extractor chain rather than autostart persistence of the stealer.
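The Defender policy writes, the TamperProtection flip and the RunOnce entries above are the registry IoCs an analyst usually wants to triage mechanically: which ones impair the AV, and which are packaging side effects. The following Python is an added example, not Triage's code or the sample's. It parses "Set value" IoC lines in the escaped form the report prints (the sample lines are copied from this report and embedded as constructed input), maps the Defender writes to ATT&CK T1562.001, recognises the wextract_cleanup RunOnce pattern that the Windows cabinet self-extractor registers to delete its IXP00N.TMP folder at next logon, and treats any other Run/RunOnce value as a genuine autostart (T1547.001). The category names and the key-prefix rules are this example's own assumptions.

```python
"""Classify Triage registry 'Set value' IoCs: Defender tampering vs. SFX cleanup.

Added example (not Triage's or the sample's code). Input lines are copied from
the report above in the escaped form Triage prints; the key-prefix rules and
category names are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: registry IoC lines exactly as rendered in the report above.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" q7861507.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" q7861507.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" q7861507.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" q7861507.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" q7861507.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q7861507.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" z6675446.exe',
]

# Line shape: Set value (<type>) <key>\<name> = "<data>" <process>; data may hold escaped quotes,
# so the data group is greedy and anchored on the final '" <process>' at end of line.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')


@dataclass
class RegWrite:
    value_type: str
    key: str
    value_name: str
    data: str
    process: str


def parse_set_value(line: str) -> RegWrite:
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a Set value IoC line: {line!r}')
    value_type, path, data, process = m.groups()
    key, _, value_name = path.rpartition('\\')   # split key path from value name
    return RegWrite(value_type, key, value_name, data, process)


# Assumed (lower-cased) key prefixes for the two Defender locations seen in the report.
DEFENDER_POLICY = r'\registry\machine\software\policies\microsoft\windows defender'
DEFENDER_FEATURES = r'\registry\machine\software\microsoft\windows defender\features'
IXP_DIR_RE = re.compile(r'IXP\d{3}\.TMP', re.IGNORECASE)


@dataclass
class Finding:
    write: RegWrite
    category: str   # impair-defenses | sfx-cleanup | autostart | other
    detail: str


def classify(w: RegWrite) -> Finding:
    key, name = w.key.lower(), w.value_name.lower()
    if key.startswith(DEFENDER_POLICY) and name.startswith('disable') and w.data == '1':
        return Finding(w, 'impair-defenses', f'Defender policy {w.value_name}=1 (T1562.001)')
    if key.startswith(DEFENDER_FEATURES) and name == 'tamperprotection' and w.data == '0':
        return Finding(w, 'impair-defenses', 'Defender TamperProtection=0 (T1562.001)')
    if key.endswith(('\\run', '\\runonce')):
        ixp = IXP_DIR_RE.search(w.data)
        # wextract.exe registers RunOnce\wextract_cleanupN -> advpack!DelNodeRunDLL32 so that
        # its IXP00N.TMP extraction folder is deleted at next logon; nothing is re-launched.
        if name.startswith('wextract_cleanup') and 'advpack.dll,DelNodeRunDLL32' in w.data and ixp:
            return Finding(w, 'sfx-cleanup', ixp.group(0))
        return Finding(w, 'autostart', f'{w.value_name} -> {w.data} (T1547.001)')
    return Finding(w, 'other', w.value_name)


def classify_all(lines):
    return [classify(parse_set_value(line)) for line in lines]


def summarize(findings) -> dict:
    """Count findings per category, e.g. {'impair-defenses': 6, 'sfx-cleanup': 2}."""
    return dict(Counter(f.category for f in findings))


if __name__ == '__main__':
    findings = classify_all(REPORT_LINES)
    for f in findings:
        print(f'{f.category:16} {f.write.process[:20]:20} {f.detail}')
    print(summarize(findings))
```

The sandbox records the writes, not whether Defender honoured them: with Tamper Protection on, Defender is designed to ignore registry and policy changes to its real-time protection settings, so on an affected host confirm the effective state with Get-MpComputerStatus and Get-MpPreference rather than trusting the registry values alone.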
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3928   q7861507.exe   (recorded twice)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege   PID 3928   q7861507.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  The 20 entries are the following seven parent-to-child writes, each recorded two or three times:
  Parent PID   Parent process                                                          Target PID   procid_target   Entries
  492          0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe   4576         82              3
  4576         z2211842.exe                                                            2472         83              3
  2472         z6961747.exe                                                            1608         84              3
  1608         z5853863.exe                                                            844          85              3
  844          z6675446.exe                                                            3928         86              2
  844          z6675446.exe                                                            4620         95              3
  1608         z5853863.exe                                                            4504         97              3
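The WriteProcessMemory entries are the only place in the signature list where parent and child PIDs appear together, so they double as a process-lineage record. The following Python is an added example, not Triage's code or the sample's: it parses the 20 entries above (copied from this report and embedded as constructed input), collapses the repeated writes into unique parent-to-child edges, takes process names from the "Executes dropped EXE" list, and rebuilds the tree with the same depth numbering the Processes section uses. The line layout it expects and the rendering style are this example's own assumptions.

```python
"""Rebuild a process tree from Triage 'Suspicious use of WriteProcessMemory' IoCs.

Added example (not Triage's or the sample's code). The IoC lines and the
pid/name list are copied from the report above as constructed input.
"""
import re
from collections import defaultdict

SAMPLE = '0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe'

# Constructed input: the 20 IoC entries from the report, one per string.
WPM_LINES = [
    f'PID 492 wrote to memory of 4576 492 {SAMPLE} 82',
    f'PID 492 wrote to memory of 4576 492 {SAMPLE} 82',
    f'PID 492 wrote to memory of 4576 492 {SAMPLE} 82',
    'PID 4576 wrote to memory of 2472 4576 z2211842.exe 83',
    'PID 4576 wrote to memory of 2472 4576 z2211842.exe 83',
    'PID 4576 wrote to memory of 2472 4576 z2211842.exe 83',
    'PID 2472 wrote to memory of 1608 2472 z6961747.exe 84',
    'PID 2472 wrote to memory of 1608 2472 z6961747.exe 84',
    'PID 2472 wrote to memory of 1608 2472 z6961747.exe 84',
    'PID 1608 wrote to memory of 844 1608 z5853863.exe 85',
    'PID 1608 wrote to memory of 844 1608 z5853863.exe 85',
    'PID 1608 wrote to memory of 844 1608 z5853863.exe 85',
    'PID 844 wrote to memory of 3928 844 z6675446.exe 86',
    'PID 844 wrote to memory of 3928 844 z6675446.exe 86',
    'PID 844 wrote to memory of 4620 844 z6675446.exe 95',
    'PID 844 wrote to memory of 4620 844 z6675446.exe 95',
    'PID 844 wrote to memory of 4620 844 z6675446.exe 95',
    'PID 1608 wrote to memory of 4504 1608 z5853863.exe 97',
    'PID 1608 wrote to memory of 4504 1608 z5853863.exe 97',
    'PID 1608 wrote to memory of 4504 1608 z5853863.exe 97',
]
# Constructed input: pid/name pairs from the 'Executes dropped EXE' IoCs above.
DROPPED = ('4576 z2211842.exe 2472 z6961747.exe 1608 z5853863.exe 844 z6675446.exe '
           '3928 q7861507.exe 4620 r3095229.exe 4504 s0661561.exe')

# Assumed line shape: PID <parent> wrote to memory of <child> <parent> <parent_name> <procid_target>
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')


def parse_edges(lines):
    """Unique (parent_pid, child_pid, parent_name) edges in first-seen order."""
    edges, seen = [], set()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, _, parent_name, _ = m.groups()
        edge = (int(parent), int(child), parent_name)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def pid_names(dropped: str, edges):
    """pid -> image name: children from the dropped-EXE list, parents from the edges."""
    toks = dropped.split()
    names = {int(p): n for p, n in zip(toks[::2], toks[1::2])}
    names.update({parent: parent_name for parent, _, parent_name in edges})
    return names


def build_tree(edges):
    children, parent_of = defaultdict(list), {}
    for parent, child, _ in edges:
        children[parent].append(child)
        parent_of[child] = parent
    roots = sorted({p for p, _, _ in edges} - set(parent_of))   # parents nobody wrote to
    return dict(children), parent_of, roots


def depth(parent_of, pid):
    """1 for the root, matching the depth numbers in the report's Processes section."""
    d = 1
    while pid in parent_of:
        pid = parent_of[pid]
        d += 1
    return d


def render(children, names, pid, level=0, out=None):
    out = [] if out is None else out
    out.append(f'{"    " * level}{names.get(pid, "?")} (PID {pid})')
    for child in children.get(pid, []):
        render(children, names, child, level + 1, out)
    return out


if __name__ == '__main__':
    edges = parse_edges(WPM_LINES)
    children, parent_of, roots = build_tree(edges)
    names = pid_names(DROPPED, edges)
    for root in roots:
        print('\n'.join(render(children, names, root)))
```

Each z-stage spawns the next z-stage, and the last two levels fork: z6675446.exe launches both the Defender-disabling q7861507.exe and r3095229.exe, while z5853863.exe also launches s0661561.exe, which matches the eight-process tree in the Processes section.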
Processes
Depth numbers are the report's own (1 = submitted sample). Every child is launched with its bare path as the command line; only the root is launched with the path quoted.

1  C:\Users\Admin\AppData\Local\Temp\0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe  (PID 492)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2211842.exe  (PID 4576)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6961747.exe  (PID 2472)
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5853863.exe  (PID 1608)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6675446.exe  (PID 844)
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7861507.exe  (PID 3928)
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
               6  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3095229.exe  (PID 4620)
                  - Executes dropped EXE
            5  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0661561.exe  (PID 4504)
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Seven distinct files; the report lists each of them twice (the duplicate entries are collapsed here).

1. 824KB
   MD5    f3bde9dc7c966bd5eca0083f423143e9
   SHA1   00d7df58bbf92b4252c13877a26ae91fb5071834
   SHA256 48501d1bbc489fa08fa42be0f2b8295aa1fef3cf59d913ae929980b0a2fb75da
   SHA512 384dcbbb82bbc45db53beb186a4e94b681371617a6aed6ad6ec8006ab2899346d2aa5b1ea86513d95a2b7715a0a6a79c697bba68d5b7cb42c653e2f6632d4fde

2. 598KB
   MD5    5e7358460072c07a08afffb1f321d571
   SHA1   b7f29f6eebc4ed25f97d9da32e950b180e5c3473
   SHA256 42efd6fef7a3d9fe2f7508efbc719312457dcc38cc553bb32853ac7c201c0368
   SHA512 bd84195d475dd72158f2bc10a9c470d4bf7b234d8a22dc7f0a12e5a0ff3b43b5b5660b0e0a832039f64a7d6575deaf650be590a34c323e918a0d3cf956f1e026

3. 372KB
   MD5    6e1c4f6093d26e5a5718f55d474e38f5
   SHA1   be20c57f2f60dbb7ae04c9d7bc821ee5b3ba90b0
   SHA256 eb6176ed626657a3d92bb9dbb7957803d532ec17509fdef9dd94b1b8b49d9710
   SHA512 61b3132e0bb438b687373e6acd15a455ca2e3a38e03de73bc0214e5cffdacf3f01f85629cddbda3af6da8f78cd00961f6689ded05ae4f33d9bc64abf57f9b20f

4. 176KB
   MD5    cc68d10346b1afdace498400919aebf1
   SHA1   11a183866eb78679f02fda9fa2a51f424957a2ad
   SHA256 41bfb6d1c4b3e580d0b0f094f683ed5944f8ebee0af27f532e9216d3f736aaf5
   SHA512 80a0c18f33360e7920c7ebe52ecdd247bef48889e26849bf7d8dee6c2004d06ce3de8b6ee5b52c6cee27dbc9526b4da405882a8c6206394be5fe9b63314c0194

5. 217KB
   MD5    6e8979a561c016416ba73bd52cf7a299
   SHA1   59731711557e0b697dc312e82362f8dceff7df0d
   SHA256 82413fd112089bc2a974c4ea969896a678c225de785a2e61b273af75e2d4be6e
   SHA512 1887c88a95d612d48d033e09b6d6f9203a2417f6d5fe7a6554e696a60ad8e8a47167febaa9a8fcf7800a2d534b7b509abedc89f4353cdf6631c363d6713f213d

6. 18KB
   MD5    80efc1d0c0199b0bd855600ed2f0373e
   SHA1   0809d3c5657182e8055fd6a145b08a39623744f0
   SHA256 04754a207b86de59513fcd62427957b2543dfbd13ff8af57eeb15bf053d230fb
   SHA512 c47067926621ab430943df54408bdb010ad7ba01b6154e63b05033bb1ebddcd45acdeaac4b656fa2d2f5c6aa6e9314a9bf4de3c60ccf4463246a6293ccdd2c4b

7. 141KB
   MD5    1c05248b737b8f63b8f37b275cf34d2c
   SHA1   f837c06e1f2cb6a33b2af116f0d97cfd0bb1e1e6
   SHA256 c62b87604a6b026c186c16e9afaa09d84bc84c3499f40a1fc209df1bfad610a1
   SHA512 a77ae76cd997d7b544e954c02a0aac46dc55a4168c9224ef7477754195f041dc13c6f20e22f3e3a506f162b8894b870ea45232de09a40d88ea2ec779910c1b5b