Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19/09/2023, 00:39
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe
  - Resource: win10-20230915-en
General
- Target: a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe
- Size: 1.3MB
- MD5: d82c8056a71e8e53e597a87fbb4aab76
- SHA1: afe664fb4de8d2ecfb701d5083732dc27193294b
- SHA256: a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4
- SHA512: 8a52c8540f7490224319ee1758c98a0c45600d49d51d0def0ce6770575e7aa291566076e6fe8a58941a0dbec80b7f90f2b9539b388775325f817791f9974a90e
- SSDEEP: 24576:QlT85U+qoBdTTgtZkqm+fQZ8hchV35eF0fUgDlxJbKHPDLs:p5UFq+t2G3qVgFLafboDLs
Malware Config
Extracted
- Family: redline
- Botnet: vasha
- C2: 77.91.124.82:19071
- auth_value: 42fc61786274daca54d589b85a2c1954
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
- YARA rule healer matched the memory dump behavioral1/memory/4152-34-0x0000000000400000-0x000000000040A000-memory.dmp (PID 4152, the final AppLaunch.exe instance)

Modifies Windows Defender Real-time Protection settings (5 IoCs)
AppLaunch.exe (PID 4152) sets the following values (type int) to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (the report prints the key as \REGISTRY\MACHINE\SOFTWARE\Policies\...):
- DisableRealtimeMonitoring = 1
- DisableScanOnRealtimeEnable = 1
- DisableBehaviorMonitoring = 1
- DisableIOAVProtection = 1
- DisableOnAccessProtection = 1
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (5 IoCs)
- PID 1136: x5729809.exe
- PID 3456: x4003952.exe
- PID 4952: x8197398.exe
- PID 4940: g8753574.exe
- PID 4452: h9937611.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Each extraction stage writes one RunOnce value (type str) under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; the data is shown here unescaped:
- wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" (written by AppLaunch.exe)
- wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" (written by x5729809.exe)
- wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" (written by x4003952.exe)
- wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\" (written by x8197398.exe)
Caveat: a wextract_cleanupN RunOnce value that calls advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory is the self-cleanup entry that the Windows IExpress/WEXTRACT self-extractor stub registers; at next logon it deletes the extraction directory rather than relaunching a payload. What these four values actually tell you is that the chain is four nested IExpress packages (AppLaunch.exe extracts into IXP000.TMP, x5729809.exe into IXP001.TMP, and so on); on their own they are not evidence of persistence.
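The Defender and RunOnce signatures above share one row format, so one added parser serves both. This is example code written for this page, not tria.ge's detection logic: SAMPLE_LINES holds the report's own five Defender rows and one RunOnce row, plus two constructed control rows (a gpupdate.exe write of 0, and a hypothetical dropper.exe Run value under a made-up SID) so both the positive and the negative path are exercised. The point of splitting the two classifiers is that a triage script should score the real-time-protection kill switches as tampering and the IExpress cleanup entries as an unpacking artefact, not as persistence. One caveat for detection engineers: on a host with Defender Tamper Protection enabled the engine ignores these policy values, so the write is still a high-value signal even when it had no effect.

```python
"""Classify registry "Set value" IoCs from a sandbox report.

Example written for this page (not tria.ge code). SAMPLE_LINES holds the
report's own Defender and RunOnce rows plus two constructed control rows.
"""
import re
from dataclasses import dataclass

# Group Policy path that Defender honours ahead of its own settings key.
RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Policy values that switch off a real-time component when set to 1.
KILL_SWITCHES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableIOAVProtection": "IOAV (download/attachment) scanning",
    "DisableOnAccessProtection": "on-access scanning",
    "DisableScanOnRealtimeEnable": "catch-up scan when RTP is re-enabled",
}

# One report row:  Set value (type) \REGISTRY\hive\...\Key\Name = "data" process
# The data field may contain backslash-escaped quotes (see the RunOnce row).
ROW_RE = re.compile(
    r'Set value \(\w+\) '
    r'(?P<path>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+) = '
    r'"(?P<data>(?:\\.|[^"\\])*)" (?P<proc>\S+)'
)

SAMPLE_LINES = [
    # From the report: AppLaunch.exe (PID 4152) disabling Defender RTP
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe',
    # From the report: IExpress cleanup entry written by the first dropped stage
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5729809.exe',
    # Constructed controls (not from the report): a policy refresh re-enabling
    # RTP, and a hypothetical Run-key persistence write under a made-up SID
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" dropper.exe',
]


@dataclass(frozen=True)
class RegSet:
    proc: str   # writing process, as named in the report
    path: str   # key path with the hive prefix normalised to HKLM / HKU
    name: str   # value name
    data: str   # value data, still in the report's escaped form


def _hive(path):
    """Map the kernel object path prefix to the usual hive abbreviation."""
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_regsets(lines):
    """Parse every 'Set value' row found in the given lines into RegSet records."""
    events = []
    for line in lines:
        for m in ROW_RE.finditer(line):
            events.append(RegSet(m["proc"], _hive(m["path"]), m["name"], m["data"]))
    return events


def defender_tampering(events):
    """Map process -> list of RTP components it switched off via the policy key."""
    hits = {}
    for e in events:
        if (e.path.lower() == RTP_POLICY.lower() and e.name in KILL_SWITCHES
                and e.data.strip().lower() in ("1", "0x1")):
            hits.setdefault(e.proc, []).append(KILL_SWITCHES[e.name])
    return hits


def autostart_entries(events):
    """(process, value name, kind) for every Run/RunOnce write.

    kind is 'iexpress-cleanup' for the self-delete entry a WEXTRACT/IExpress
    stub registers (a wextract_cleanupN value under RunOnce whose data calls
    advpack.dll,DelNodeRunDLL32), otherwise 'persistence'.
    """
    out = []
    for e in events:
        key = e.path.rsplit("\\", 1)[-1].lower()
        if key not in ("run", "runonce"):
            continue
        cleanup = (key == "runonce"
                   and e.name.lower().startswith("wextract_cleanup")
                   and "advpack.dll,delnoderundll32" in e.data.lower())
        out.append((e.proc, e.name, "iexpress-cleanup" if cleanup else "persistence"))
    return out


if __name__ == "__main__":
    ev = parse_regsets(SAMPLE_LINES)
    for proc, parts in defender_tampering(ev).items():
        print(f"{proc} disabled: {', '.join(parts)}")
    for proc, name, kind in autostart_entries(ev):
        print(f"{proc} wrote {name}: {kind}")
```

Run as a script it prints the AppLaunch.exe tampering line followed by the two autostart classifications; the gpupdate.exe control is ignored because it writes 0, and the RunOnce row is tagged iexpress-cleanup while the constructed Run value is tagged persistence.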
Suspicious use of SetThreadContext (2 IoCs)
- PID 5072 (a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe) set the thread context of PID 2524 (AppLaunch.exe)
- PID 4940 (g8753574.exe) set the thread context of PID 4152 (AppLaunch.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4152 AppLaunch.exe (both IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 4152 AppLaunch.exe enabled SeDebugPrivilege

Suspicious use of WriteProcessMemory (36 IoCs)
The 36 rows collapse to eight parent/child pairs; the number after each pair is how many WriteProcessMemory rows the report lists for it:
- 5072 a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe -> 3256 AppLaunch.exe: 3
- 5072 a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe -> 2524 AppLaunch.exe: 10
- 2524 AppLaunch.exe -> 1136 x5729809.exe: 3
- 1136 x5729809.exe -> 3456 x4003952.exe: 3
- 3456 x4003952.exe -> 4952 x8197398.exe: 3
- 4952 x8197398.exe -> 4940 g8753574.exe: 3
- 4940 g8753574.exe -> 4152 AppLaunch.exe: 8
- 4952 x8197398.exe -> 4452 h9937611.exe: 3
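The SetThreadContext and WriteProcessMemory tables above are enough to rebuild the execution chain and to separate ordinary child creation from process hollowing. The script below is an added example for this page, not tria.ge code. RAW_ROWS condenses the report's 38 rows (36 WriteProcessMemory plus 2 SetThreadContext) into (row, repeat count) pairs in the report's own row format; PID_NAMES is taken from the report's process list; HOLLOW_HOSTS is a heuristic list of Microsoft-signed .NET utilities that loaders commonly hollow, which is my assumption and not something the report states. The heuristic is the usual one: a parent that both writes into a child and replaces its thread context, where the child's image is one of those hosts, has almost certainly overwritten the child's image with its payload. In this run every plain spawn shows 3 writes, while the two hollowed AppLaunch.exe instances receive 10 and 8; the first AppLaunch.exe (PID 3256) gets 3 writes and no SetThreadContext, so it is correctly left unflagged.

```python
"""Rebuild the process chain from tria.ge WriteProcessMemory / SetThreadContext
IoC rows and flag process-hollowing candidates.

Added example for this page, not tria.ge code. RAW_ROWS is a condensed copy of
the report's IoC rows; PID_NAMES comes from the report's process list.
"""
import re
from collections import Counter, defaultdict

# Row format:  PID <src> <op> <dst> <src> <process name> <target id>
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) \S+ \d+"
)

# Microsoft-signed .NET hosts that RedLine-style loaders commonly hollow.
# Heuristic list assumed for this example, not taken from the report.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "vbc.exe", "aspnet_compiler.exe"}

SAMPLE = "a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe"

# PID -> image name, from the report's Processes section.
PID_NAMES = {5072: SAMPLE, 3256: "AppLaunch.exe", 2524: "AppLaunch.exe",
             1136: "x5729809.exe", 3456: "x4003952.exe", 4952: "x8197398.exe",
             4940: "g8753574.exe", 4152: "AppLaunch.exe", 4452: "h9937611.exe"}

# (row text, number of times the report repeats it)
RAW_ROWS = [
    (f"PID 5072 wrote to memory of 3256 5072 {SAMPLE} 72", 3),
    (f"PID 5072 wrote to memory of 2524 5072 {SAMPLE} 73", 10),
    (f"PID 5072 set thread context of 2524 5072 {SAMPLE} 73", 1),
    ("PID 2524 wrote to memory of 1136 2524 AppLaunch.exe 74", 3),
    ("PID 1136 wrote to memory of 3456 1136 x5729809.exe 75", 3),
    ("PID 3456 wrote to memory of 4952 3456 x4003952.exe 76", 3),
    ("PID 4952 wrote to memory of 4940 4952 x8197398.exe 77", 3),
    ("PID 4940 wrote to memory of 4152 4940 g8753574.exe 79", 8),
    ("PID 4940 set thread context of 4152 4940 g8753574.exe 79", 1),
    ("PID 4952 wrote to memory of 4452 4952 x8197398.exe 80", 3),
]


def parse_rows(raw_rows):
    """Expand (row, count) pairs into (src_pid, op, dst_pid) tuples."""
    events = []
    for text, n in raw_rows:
        m = ROW_RE.fullmatch(text)
        if not m:
            raise ValueError(f"unparsed row: {text!r}")
        events.extend([(int(m["src"]), m["op"], int(m["dst"]))] * n)
    return events


def write_counts(events):
    """Counter of (parent, child) -> number of WriteProcessMemory rows."""
    return Counter((s, d) for s, op, d in events if op == "wrote to memory of")


def hollowing_candidates(events, names):
    """(parent, child) pairs where the parent both wrote into the child and
    replaced its thread context, and the child's image is a known hollow host."""
    wrote = write_counts(events)
    ctx = {(s, d) for s, op, d in events if op == "set thread context of"}
    return sorted((s, d) for s, d in ctx
                  if wrote[(s, d)] and names.get(d, "").lower() in HOLLOW_HOSTS)


def render_tree(events, names, root):
    """Indented parent->child chain; a child hangs off whoever wrote into it."""
    children = defaultdict(list)
    for s, op, d in events:
        if op == "wrote to memory of" and d not in children[s]:
            children[s].append(d)
    hollowed = {d for _, d in hollowing_candidates(events, names)}
    lines = []

    def walk(pid, depth):
        tag = " [hollowed]" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{names.get(pid, '?')} (PID {pid}){tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    ev = parse_rows(RAW_ROWS)
    print("\n".join(render_tree(ev, PID_NAMES, 5072)))
    wc = write_counts(ev)
    for s, d in hollowing_candidates(ev, PID_NAMES):
        print(f"hollowing: {PID_NAMES[s]} ({s}) -> {PID_NAMES[d]} ({d}), {wc[(s, d)]} writes")
```

The tree it prints matches the Processes section below, with the two AppLaunch.exe instances that received SetThreadContext tagged [hollowed]. If you feed it rows from another report, keep the pid-to-name map in step with that report's process list, since the hollow-host check keys on the child's image name.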
Processes
Indentation shows parent/child depth; the quoted or bare text under each image path is the command line as the report recorded it.

C:\Users\Admin\AppData\Local\Temp\a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe (PID 5072)
  command line: "C:\Users\Admin\AppData\Local\Temp\a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3256)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    (no signatures)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2524)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5729809.exe (PID 1136)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5729809.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4003952.exe (PID 3456)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4003952.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8197398.exe (PID 4952)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8197398.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8753574.exe (PID 4940)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8753574.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4152)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9937611.exe (PID 4452)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9937611.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

File 1
- Filesize: 776KB
- MD5: 1fca6cc14ce237375fb7f454b3a9ab1f
- SHA1: a00ff0ec09307b44aead002c0ca0987e412e7897
- SHA256: 3e292de69db371975892dee70eb5ba0a2a816485798ebe7d88d4a5899db1d8e9
- SHA512: 5c9f069fd7fcbc22dde88ab10a098699452391de10364fd6a495b912ab682942e77414c12a54a4cb0119695a7c87c697741a6aa5cbf06f45250e2868bd21c3bf

File 2
- Filesize: 506KB
- MD5: b53e5062058d256e6d05707a2bd19a65
- SHA1: 130d86daf40f57e0d02048ee8e2d5c801dc82f38
- SHA256: 56559aef0a5db645f7adc4186c2e4ce917e769c3dc1e5314618684d1164326c1
- SHA512: 017369ccb244cdd0e6403ee0e7eb90457d2367c0a10c867e4c10edaca0ae15880ee17205861672371279e1f3bfcb3558c0668a106c4ba0ef41438446d689be0e

File 3
- Filesize: 321KB
- MD5: 551e3f3b6c5667df98e47f60ecbf892d
- SHA1: ca9469739e4b3d897e5c10b5160c8de55d469a0d
- SHA256: 2debcbc09ddd65ee0382580dd2f9eab7ee565c157dd9e525019d88bd5b48a7fe
- SHA512: e18a6e71ee806ba0311736a6cdb2e86b02f6f530a5939d6057566c102e27d51f6ed04d16104179a02557fa03bc4bde116d72ed067e90e1312dbd4b2c2c12b657

File 4
- Filesize: 236KB
- MD5: a9bfd17e6ee65c6b33af273c9aa9bb5d
- SHA1: 4d0eb5c18801e0f78f44287cb61bb5fc573635cd
- SHA256: 84368d8ca5bb9ca6c0cc57551e21ad0f167cd44f953addcf16f7f78f48c4cabb
- SHA512: 394380fe3db6eff9bea828ce17aa6739b12fcc36e7ad7b3f96ec15c04d0eaf615f3149262af5fc5d16c4a284a1c7839a8d932395b3ceb54004930b1cad7775c4

File 5
- Filesize: 174KB
- MD5: 8ec0e3ed8fbabf07689731564962b4df
- SHA1: edb7a959d80ed281442c6769638559071e8a33e1
- SHA256: 59a3dc284acd6ea1595ce47228ba8e4c2598c6eee8f318b855beefa53e7f0a3a
- SHA512: 64ee02dc0961ea036a265a14dfea71fca0d6aaa0d1b68ce14b7fa7836443e49dd0d7cd4cf2b5431c680fe4d9d027cbf13b147a46115a5926d707ec1fe82bb05c