Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/09/2023, 18:41
Static task: static1
Behavioral task: behavioral1
- Sample: JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
- Resource: win10v2004-20230831-en
General
- Target: JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
- Size: 821KB
- MD5: d1a4d86694839533a78a9a2bbac11c05
- SHA1: a051ac20ad98ac14ae43e609a94107a8bb74313f
- SHA256: 1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805
- SHA512: 82eeaebe3081e5b4fffd70826957692ce29beeabb2509bfa77df343e14aebe382d3747693ceb1ec561f852c2c5bda1ac2b518ef356e5035b92bf4556f8144d8e
- SSDEEP: 24576:lyysJf1+Q2AbEw5Yi3uz58voZCmIpG9+rmbBw:AysN1SgEwSeu+G7b
Malware Config
Extracted: redline
- domka
- 77.91.124.82:19071
- auth_value: 74e19436acac85e44d691aebcc617529
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023250-33.dat | healer
behavioral2/files/0x0008000000023250-34.dat | healer
behavioral2/memory/2724-35-0x0000000000BB0000-0x0000000000BBA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1349604.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a1349604.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1349604.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (7 IoCs)
pid | Process
2548 | v3173523.exe
4636 | v5718877.exe
4456 | v3572509.exe
4800 | v8006400.exe
2724 | a1349604.exe
3180 | b0356693.exe
2776 | c2455442.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1349604.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3173523.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5718877.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v3572509.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v8006400.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2724 | a1349604.exe
2724 | a1349604.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2724 | a1349604.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 1284 wrote to memory of 2548 | 1284 | JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe | 84
PID 1284 wrote to memory of 2548 | 1284 | JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe | 84
PID 1284 wrote to memory of 2548 | 1284 | JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe | 84
PID 2548 wrote to memory of 4636 | 2548 | v3173523.exe | 85
PID 2548 wrote to memory of 4636 | 2548 | v3173523.exe | 85
PID 2548 wrote to memory of 4636 | 2548 | v3173523.exe | 85
PID 4636 wrote to memory of 4456 | 4636 | v5718877.exe | 86
PID 4636 wrote to memory of 4456 | 4636 | v5718877.exe | 86
PID 4636 wrote to memory of 4456 | 4636 | v5718877.exe | 86
PID 4456 wrote to memory of 4800 | 4456 | v3572509.exe | 87
PID 4456 wrote to memory of 4800 | 4456 | v3572509.exe | 87
PID 4456 wrote to memory of 4800 | 4456 | v3572509.exe | 87
PID 4800 wrote to memory of 2724 | 4800 | v8006400.exe | 89
PID 4800 wrote to memory of 2724 | 4800 | v8006400.exe | 89
PID 4800 wrote to memory of 3180 | 4800 | v8006400.exe | 92
PID 4800 wrote to memory of 3180 | 4800 | v8006400.exe | 92
PID 4800 wrote to memory of 3180 | 4800 | v8006400.exe | 92
PID 4456 wrote to memory of 2776 | 4456 | v3572509.exe | 93
PID 4456 wrote to memory of 2776 | 4456 | v3572509.exe | 93
PID 4456 wrote to memory of 2776 | 4456 | v3572509.exe | 93
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe"
  Depth: 1, PID: 1284
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3173523.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3173523.exe
    Depth: 2, PID: 2548
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5718877.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5718877.exe
      Depth: 3, PID: 4636
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3572509.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3572509.exe
        Depth: 4, PID: 4456
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006400.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006400.exe
          Depth: 5, PID: 4800
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1349604.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1349604.exe
            Depth: 6, PID: 2724
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0356693.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0356693.exe
            Depth: 6, PID: 3180
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2455442.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2455442.exe
          Depth: 5, PID: 2776
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads