Analysis
- max time kernel: 128s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: 3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe
- Size: 1.2MB
- MD5: 20495df89962673387ca7b9925e4f434
- SHA1: 73970d9530574f3bd2912ab6dc797391c60d9cfc
- SHA256: 3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302
- SHA512: cdef891691bf2d6ced9c74d662ce7f058548149f7ece07574a52b99421b98da40cd407fcacc9651acace8f4a31fd661bdc5b49e897478e36e27ccfd8b4a8d8e5
- SSDEEP: 24576:wZtQ76aJrc/lYW3RxIZ+MxbcGAVa0Ga7okOMhZ:wZtQeaJrZZ+MxbD+s4MMhZ
Malware Config
Extracted
- Family: redline
- Botnet: petin
- C2: 77.91.124.82:19071
- Attributes: auth_value = f6cf7a48c0291d1ef5a3440429827d6d
Signatures
- Detects Healer, an antivirus disabler dropper (1 IoC)
  resource: behavioral2/memory/4056-32-0x0000000000400000-0x000000000040A000-memory.dmp, yara_rule: healer
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (AppLaunch.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (AppLaunch.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (AppLaunch.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (AppLaunch.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (AppLaunch.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (AppLaunch.exe)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (5 IoCs)
  PID 756: x9182313.exe
  PID 2332: x6526992.exe
  PID 3708: x0135441.exe
  PID 3768: g9661120.exe
  PID 4200: h5369637.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (AppLaunch.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x9182313.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (x6526992.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (x0135441.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4320 (3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe) set thread context of 216 (procid_target 90)
  PID 3768 (g9661120.exe) set thread context of 4056 (procid_target 97)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4056: AppLaunch.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4056 (AppLaunch.exe)
- Suspicious use of WriteProcessMemory (36 IoCs)
  PID 4320 (3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe) wrote to memory of 216 (procid_target 90): 10 events
  PID 216 (AppLaunch.exe) wrote to memory of 756 (procid_target 91): 3 events
  PID 756 (x9182313.exe) wrote to memory of 2332 (procid_target 92): 3 events
  PID 2332 (x6526992.exe) wrote to memory of 3708 (procid_target 93): 3 events
  PID 3708 (x0135441.exe) wrote to memory of 3768 (procid_target 94): 3 events
  PID 3768 (g9661120.exe) wrote to memory of 4948 (procid_target 96): 3 events
  PID 3768 (g9661120.exe) wrote to memory of 4056 (procid_target 97): 8 events
  PID 3708 (x0135441.exe) wrote to memory of 4200 (procid_target 98): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe (PID 4320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 216)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9182313.exe (PID 756)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9182313.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6526992.exe (PID 2332)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6526992.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0135441.exe (PID 3708)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0135441.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9661120.exe (PID 3768)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9661120.exe
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4948)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4056)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              Signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5369637.exe (PID 4200)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5369637.exe
            Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 749KB
  MD5: 8beefed927e2edf0069e2c8ce56440d2
  SHA1: 707157e93c9d0310bc3c3fea7c99b3d072b58114
  SHA256: a1baa208dc89b9fbd1bfb19380c92f8e866d49858eb890308f101dc5bbbfd09f
  SHA512: 498c73993ac682a7990efb7dc02bb026d1d85fad9efc2dcc89f4fe9d0ceedd2caaa9b66f3a0a6c3b792090de6f4a79d45e5a71c1a68b6ffc2aa5c02915d75a37
- Filesize: 483KB
  MD5: 724836836f4de883923290fbe55675c6
  SHA1: d98e922a12ca284723b8d797be3477140e9aba67
  SHA256: f0fa79e7a0b2b0d26131d58d906afabd073793b59f575cb1b4a9c4d9760b9346
  SHA512: 0750cb6a4f1378d49e546f8a33c82e1a897672a05f03dc40472671ea55923556126910a0f9554cc79d6756066393dacef7bbfb9479d88bceff6f638f1a141f58
- Filesize: 317KB
  MD5: 69e6874662896642331eb66c1dd16c35
  SHA1: 54eb018ed50e358ca230aa2559b53e18b50ffbd5
  SHA256: e37b26c0669f0735010624992b85e0976c7547890bb18ef71d491c05e8a5d978
  SHA512: 26ff82496750d17fbd81f25676bde843b7cd44c1aa32a86c717ab2c1129e4c27046d34c98e87dc521de00c3732ea958e5d7be06edf634231d0ca4be1638a9b0d
- Filesize: 230KB
  MD5: 85264644b778a0d9c27b771a5eb0a3d0
  SHA1: 1e2023b6b27b30250269313bfc2c8c099b46c563
  SHA256: 0a2aaf5fd990cd9ed4a990ae1841e82db5600a59dd981fc19474c9b5a2742357
  SHA512: ed94575f3041dbcebec6ba944bfbf3c19483693eea64b2beed47dc810f3c41c6fcb79367cb85679179b10c6f01d606a88a746f5f486a32ad2db9818fa30a0608
- Filesize: 174KB
  MD5: ba501349a2ebbe39703bb4b5be044f55
  SHA1: cd564a661e9e815b448c8ec725cfb744fd09cb99
  SHA256: 5019558875416fab440d2300dd557c721924651ee9801bdc792998be04100013
  SHA512: 608d5b80722deaa1a64c749c35f7363494c9b298814ccfe0bc438bedb3cee78eb9caceb104a69bbf97f120d6c37cdca25a300ef50c559cd2998b5ec01b56422b