Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/09/2023, 05:12
Static task: static1
Behavioral task: behavioral1
Sample: c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe
Resource: win10v2004-20230831-en
General
- Target: c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe
- Size: 930KB
- MD5: 4eed99a25e71ac5564127defdb2ba0d4
- SHA1: 96e7d6aabe5dd29ccc47b92038b50fd2f1a04bf2
- SHA256: c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08
- SHA512: c34447641117c72c9ca9581485a8ea11a3f2f5c210fb404063b46a9027628059865ebcf3025fd4c371b2634998bfc6931a0c216b324a03cf5c789e43669bb2ca
- SSDEEP: 24576:ByXAxGYxE5zFEBeBX8PMIVQh0yoxhDPOB3G5t:0XJYxiFEeX8PpTN5Wc5
Malware Config
Extracted
- Family: redline
- Botnet: jang
- C2: 77.91.124.82:19071
- auth_value: 662102010afcbe9e22b13116b1c1a088
Signatures

Detects Healer an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x00060000000231ec-33.dat | healer
behavioral1/files/0x00060000000231ec-34.dat | healer
behavioral1/memory/1788-35-0x0000000000D00000-0x0000000000D0A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | q4159494.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | q4159494.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | q4159494.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | q4159494.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | q4159494.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | q4159494.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (7 IoCs)
pid | Process
4700 | z1520346.exe
4360 | z9235571.exe
1684 | z0360909.exe
5104 | z5482980.exe
1788 | q4159494.exe
2032 | r8229073.exe
2772 | s2620502.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | q4159494.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z1520346.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z9235571.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z0360909.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z5482980.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1788 | q4159494.exe
1788 | q4159494.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1788 | q4159494.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 2128 wrote to memory of 4700 | 2128 | c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe | 83
PID 2128 wrote to memory of 4700 | 2128 | c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe | 83
PID 2128 wrote to memory of 4700 | 2128 | c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe | 83
PID 4700 wrote to memory of 4360 | 4700 | z1520346.exe | 84
PID 4700 wrote to memory of 4360 | 4700 | z1520346.exe | 84
PID 4700 wrote to memory of 4360 | 4700 | z1520346.exe | 84
PID 4360 wrote to memory of 1684 | 4360 | z9235571.exe | 85
PID 4360 wrote to memory of 1684 | 4360 | z9235571.exe | 85
PID 4360 wrote to memory of 1684 | 4360 | z9235571.exe | 85
PID 1684 wrote to memory of 5104 | 1684 | z0360909.exe | 86
PID 1684 wrote to memory of 5104 | 1684 | z0360909.exe | 86
PID 1684 wrote to memory of 5104 | 1684 | z0360909.exe | 86
PID 5104 wrote to memory of 1788 | 5104 | z5482980.exe | 87
PID 5104 wrote to memory of 1788 | 5104 | z5482980.exe | 87
PID 5104 wrote to memory of 2032 | 5104 | z5482980.exe | 90
PID 5104 wrote to memory of 2032 | 5104 | z5482980.exe | 90
PID 5104 wrote to memory of 2032 | 5104 | z5482980.exe | 90
PID 1684 wrote to memory of 2772 | 1684 | z0360909.exe | 91
PID 1684 wrote to memory of 2772 | 1684 | z0360909.exe | 91
PID 1684 wrote to memory of 2772 | 1684 | z0360909.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c33db0df2a0ba843176dfaf8a0277f9e3640056dd9539d56103929bc46b9bf08.exe"
  PID: 2128
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1520346.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1520346.exe
    PID: 4700
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9235571.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9235571.exe
      PID: 4360
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0360909.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0360909.exe
        PID: 1684
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5482980.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5482980.exe
          PID: 5104
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4159494.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4159494.exe
            PID: 1788
            Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8229073.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8229073.exe
            PID: 2032
            Signatures: Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2620502.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2620502.exe
          PID: 2772
          Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 824KB
  MD5: 96517e0a71b136fba578a225c3716087
  SHA1: e68e7bb8f43e52ea2e17a3ac86f697c07c3261c0
  SHA256: f31d109ba1f17ab091a47bbd08a284c5fb1c238b833e74b09698abe5be96f5dd
  SHA512: 776d423d9efc2155b1c29d97450bdbb7a8316a8776aa4a9d89ce66192b869caa99aef619bcad9b2ade1944ce49549fbf00c7629eeb0eb23d7a624a83f81b2d2f
- Filesize: 598KB
  MD5: e634679bb3d676adac8d423246ff34c6
  SHA1: cc7ee399631f1fa6c30a6b5cbb6cc7ddc1060dfc
  SHA256: 605dd5a6b9ce88eee933541fea0fa74520b9609330915ec89ea4d15cf7c1f7e2
  SHA512: 20f37265e16dba9139620676587cde32fcdd6f6ace689c3558348d23cf8aac993d4031c7cc2fb6b4d5bc3ac7ca38c8df67dd4f6afae2c9744a4a1850e63cf0dd
- Filesize: 372KB
  MD5: 5a953ce502cec428cf42153ba592479f
  SHA1: 682f598b94004a21fb939b3919dcea5ae0fe0ee7
  SHA256: 167d50fbc284550d7093518c4d5796d485c4bb5d142dc4b1ce21131708128ce6
  SHA512: 5c39745c368fcc45782025ccb4bfc519ef853c035585aeedc63d238b23f052368dc21257c7cae1c9fb5c6ba935d948a374ad50fcac670accfcdc0cec608fecda
- Filesize: 174KB
  MD5: a985dd3dc5c3fc50a041d8735d94774d
  SHA1: 6d2153a91c81161bf3053c38b11906eb940cd843
  SHA256: e1197d589ae86c46c4958d10700c48302c654fffefdc931b7c7f6835dd6cd394
  SHA512: 056c67a889dcec9206f4ab7caebb8405d03a69124594385cbc3295402f9d5fbb4e3d145262023d027c52e7fb9ce604f8e686ceeb7880952b6d7e47d4a0b1b6d4
- Filesize: 217KB
  MD5: 6705c6cc2801fdbe04e9ab828e7ea15d
  SHA1: 4f77c413a522e8b163d5ad0ef5c54c2d7ca5206e
  SHA256: 59876b0691f9a36c282060610d851efe8e1fbc236b7be78f4397ea3fe9756867
  SHA512: 30f0fdfa957918e89d8af10b49426a6ac0de4094351157bda02c2f38ad51034e87718d0b063a277e693ff0a83864f38c099b1293e5f424aaeb56f94454ca0e02
- Filesize: 19KB
  MD5: cb3b949c583fef756a1b54f04d1fb0cd
  SHA1: 01d17a65275555021491d38e087d14cc565b0432
  SHA256: b400e57897dfe1670392c05cdf8e4dd79243a67a187bd30500695f9254561740
  SHA512: e4d501792bffaee9ecad46a81da3d8e9589abce65fc12a624743bca65d13b6239216ded3c5a2576fbff1e814b932153244f101f94df5f33353f679827f6ceef7
- Filesize: 141KB
  MD5: 62e47c8cefa185bb6e6155e50827bc89
  SHA1: 7591afed0026ccde4f0aa6177eaed875feff9b3f
  SHA256: 30f8eb1c836657be5629fd81683e33cfbfa07724cc130e2eb4f0aac4a03a809e
  SHA512: 685cc7cfcbb1728a3a7d62aead05dffa3e72fb69af7492bb2b00ddd261e876dbc97f46905c112dc097796edf0ce10dc3dc5547275222c86bd6418022a228a23f