Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-1703_x64
resource: win10-20230831-en
resource tags: arch:x64, arch:x86, image:win10-20230831-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/09/2023, 06:26
Static task
static1
Behavioral task
behavioral1
Sample
2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe
Resource
win10-20230831-en
General
Target: 2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe
Size: 923KB
MD5: 2a95892752ce9221e0e4dda530746b24
SHA1: 2df82dcd76c16bc7b30d6052d89e65bc17548365
SHA256: 2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec
SHA512: 6d6c44f6b4dfbc90923d12fbc30ebf9b087dd7286b352f2cd16c29fa812ce2f646f7462ef88547f749c152c85cae5a6a3856580f20c1ccc6d89b839db8825563
SSDEEP: 24576:OywszlydSyTFkcjPgdLPz2f6ay8NpY2z1B74Ec8aos:dkhFzP+LPD38NpY2JF4Ec8a
Malware Config
Extracted
Family: redline
Botnet: jang
C2: 77.91.124.82:19071
auth_value: 662102010afcbe9e22b13116b1c1a088
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource  yara_rule
behavioral1/files/0x000700000001af6a-33.dat  healer
behavioral1/files/0x000700000001af6a-34.dat  healer
behavioral1/memory/4996-35-0x00000000004E0000-0x00000000004EA000-memory.dmp  healer
Modifies Windows Defender Real-time Protection settings (5 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  q6303559.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  q6303559.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  q6303559.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  q6303559.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  q6303559.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (7 IoCs)
pid  Process
4212  z5581746.exe
2192  z8314766.exe
3136  z0467047.exe
4864  z9505533.exe
4996  q6303559.exe
3544  r1046409.exe
4940  s7672289.exe
Windows security modification (1 IoC)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  q6303559.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  z5581746.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  z8314766.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  z0467047.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  z9505533.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
4996  q6303559.exe
4996  q6303559.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description  pid  Process
Token: SeDebugPrivilege  4996  q6303559.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description  pid  Process  procid_target
PID 4604 wrote to memory of 4212  4604  2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe  69
PID 4604 wrote to memory of 4212  4604  2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe  69
PID 4604 wrote to memory of 4212  4604  2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe  69
PID 4212 wrote to memory of 2192  4212  z5581746.exe  70
PID 4212 wrote to memory of 2192  4212  z5581746.exe  70
PID 4212 wrote to memory of 2192  4212  z5581746.exe  70
PID 2192 wrote to memory of 3136  2192  z8314766.exe  71
PID 2192 wrote to memory of 3136  2192  z8314766.exe  71
PID 2192 wrote to memory of 3136  2192  z8314766.exe  71
PID 3136 wrote to memory of 4864  3136  z0467047.exe  72
PID 3136 wrote to memory of 4864  3136  z0467047.exe  72
PID 3136 wrote to memory of 4864  3136  z0467047.exe  72
PID 4864 wrote to memory of 4996  4864  z9505533.exe  73
PID 4864 wrote to memory of 4996  4864  z9505533.exe  73
PID 4864 wrote to memory of 3544  4864  z9505533.exe  74
PID 4864 wrote to memory of 3544  4864  z9505533.exe  74
PID 4864 wrote to memory of 3544  4864  z9505533.exe  74
PID 3136 wrote to memory of 4940  3136  z0467047.exe  75
PID 3136 wrote to memory of 4940  3136  z0467047.exe  75
PID 3136 wrote to memory of 4940  3136  z0467047.exe  75
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe  (PID 4604)
  command line: "C:\Users\Admin\AppData\Local\Temp\2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5581746.exe  (PID 4212)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5581746.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8314766.exe  (PID 2192)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8314766.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0467047.exe  (PID 3136)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0467047.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9505533.exe  (PID 4864)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9505533.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6303559.exe  (PID 4996)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6303559.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1046409.exe  (PID 3544)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1046409.exe
            - Executes dropped EXE
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7672289.exe  (PID 4940)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7672289.exe
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- Filesize: 817KB
  MD5: de6d6d7a1f795b69f2c820cbb332a6ed
  SHA1: 38a97c650d89f271682f8baa6e9919a66ddcc2dc
  SHA256: ad2cea62697af7b6ef0732fc6755ba6cce9187e11aa13630f61d03a4433ab650
  SHA512: c78fdbb71345cf40ac9ba5e09511756d217ad34e336bfbaf581a003b7f00061e31aa1ba860b6940058d7ca604ee88c0c8eb49a84dbf9579dce34d70c50e5b648
- Filesize: 599KB
  MD5: fef2e10d8ca70f4a385538c9701ec2de
  SHA1: 28bf9b9637bbc94111f054b84e557bced51ccdc6
  SHA256: dfd2c4c4264ee9c82c0da0ddf459546f21bcc7cf9b4bb22b950ddf16c72ba8b4
  SHA512: f68392976a429055f1ea4ef99ebf4d4c5cba8f23c99c85f5f4a11c59a3e1a735525d1e246298b392d2d91a669a5c899fd205b26dd35635760d3c5bb8abc5d050
- Filesize: 373KB
  MD5: d232d2232b326d442841792b9fe9d132
  SHA1: c71160369d1df8c450c2601edb65d148a7674f6d
  SHA256: cbb534b47052ce3653596ca790a0f026c48315cd390330f32fa69f8a08a36d62
  SHA512: 842cc1c91c50f725feb19b1e5af549b696856b96d9bafd33370defd2411af5ff60ad590302c568f8ab59408250399892d647c5282152c2f2e2223240791929d8
- Filesize: 174KB
  MD5: 7bd1038f0a305ab7e49dd8406aa17085
  SHA1: 1d504b4fad69e41d1b85da8ec9c2dac232227e17
  SHA256: d3bdb68fbcb9ba85d21301f286944291bf26db3309e39600e347217df7b809ac
  SHA512: 50b40ba86564070c2b79f393ef1ebe81868c5e1ed63f4c6555637eaeb2ae818b46c0a4dd0cd0c5f5a6bdd5d0fd92cca9651632c8631fb93c3f9b2594ea22e583
- Filesize: 217KB
  MD5: 5a71520dc80ab293b29288aaa4eaeb10
  SHA1: fdeaf31f8463d9bb9cf2f93a7ff86a968e510bb7
  SHA256: c6724edd2418f52d100ba7737fbff3f9a063f96bcd2a6da6db03d9dfd2bd31fc
  SHA512: 084859160c114921fa151e80d21b45e509d8706a715708f83a61566746629202788ebb28cbe0ef2f94a9b8309502e1fa8f133d19f6e817e6fc47a74e427e4079
- Filesize: 19KB
  MD5: 53d033a197de5407c3b1622b23aefbd0
  SHA1: e20d4da9aec3ea3d227d06d1fb0f75ef65c003fc
  SHA256: 09ff91d0eb56f131d3361e9f96b1ed65f9219a1071d40606bd96650017fb9b73
  SHA512: e948ecb80bd83a673b11fe6c62ecf7cd875137a79e689dfc56e861f7a7cd7a44f8f408c1dd6a145aab7cd6c55f7e9c11ab84ab92a2ad09075d6acaf3ca395ca9
- Filesize: 141KB
  MD5: 731c1aa8a9ba69980dcaba32af03c07a
  SHA1: c0d4c2a2ddd1e06b9e554aabc43cb916f3fcc547
  SHA256: a39b10c36a6d5a26707993bf795535c75c01a67d78c1a54b8c1c355fc388b6dd
  SHA512: b6eb07e6b803efbba8b9da8abbcc33389cb3923af48c495f4034592f93367f992692d81c095d66373275e9a9b17fccdaf4622a475e3a3b6e67f9c817c710481c