Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

x3809978.exe

windows7-x64

10

x3809978.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x3809978.exe

  • Size

    472KB

  • MD5

    0a74a2da8c9ff123830eaacb6fd6fb70

  • SHA1

    d0961f548c731fb67474bda1f5a3a9abb1ff656a

  • SHA256

    6bb2de9283392086d93b17c34546bc4cb1e12392e697fec56a187202da275a84

  • SHA512

    1037c8c1e80e49a4218438b80cf582d8f820c457d28764ade2907fc0deee00a3719fea067f4a20e3c85a63a7903e5d454f1f7c441ad6a4dbc2448f83f2298a8a

  • SSDEEP

    6144:Kdy+bnr+Pp0yN90QE1SqA9wSFAGaA7fyYiVaXMx0R02wjlGyQ/Q6KsyTNQ1+tufv:7Mrfy90Sb97FPjRiVuM60p8fKlntu2y

Score
10/10
healerredlinemonerdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x3809978.exe
    "C:\Users\Admin\AppData\Local\Temp\x3809978.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4764518.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4764518.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7306605.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7306605.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4572
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6207862.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6207862.exe
        3⤵
        • Executes dropped EXE
        PID:3744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4764518.exe
    Filesize

    306KB

    MD5

    3f3cc50c21794ba104585c5d4f1d4627

    SHA1

    65de12fba1a5337ad14f7b2ae256d84a6272ce8f

    SHA256

    a1e18b3b829427c81e8a2743828396522e6d955db27fc522990eda7775998f70

    SHA512

    4c5b7475b9ff8f4b2263081c0ce0b3092a12515953bc7c5541533951d1f287d7a24f319e13a2e9cef03514493257a9d11050e56c18700782e04d14ed158df055

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4764518.exe
    Filesize

    306KB

    MD5

    3f3cc50c21794ba104585c5d4f1d4627

    SHA1

    65de12fba1a5337ad14f7b2ae256d84a6272ce8f

    SHA256

    a1e18b3b829427c81e8a2743828396522e6d955db27fc522990eda7775998f70

    SHA512

    4c5b7475b9ff8f4b2263081c0ce0b3092a12515953bc7c5541533951d1f287d7a24f319e13a2e9cef03514493257a9d11050e56c18700782e04d14ed158df055

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7306605.exe
    Filesize

    213KB

    MD5

    ba2e40d2cf49ce7901cc39e793ed4109

    SHA1

    0e1814555f7b66886d9bce7a2497c65395e3663c

    SHA256

    9d47a47a910ce3505288372749c21ba14978721946403aba4df7cff52aceb9c4

    SHA512

    3f863210fba8af719c52cc69460feb652be6c0abf9ea727e940e637a61cf458b532e5c630ea6d8027984dd7f31875b59ebf1375727e27efc28b837a9ba98bf63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7306605.exe
    Filesize

    213KB

    MD5

    ba2e40d2cf49ce7901cc39e793ed4109

    SHA1

    0e1814555f7b66886d9bce7a2497c65395e3663c

    SHA256

    9d47a47a910ce3505288372749c21ba14978721946403aba4df7cff52aceb9c4

    SHA512

    3f863210fba8af719c52cc69460feb652be6c0abf9ea727e940e637a61cf458b532e5c630ea6d8027984dd7f31875b59ebf1375727e27efc28b837a9ba98bf63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6207862.exe
    Filesize

    174KB

    MD5

    fe8cbe8eab55d1cac15887969ea08baf

    SHA1

    641bce8492ff90a809ca125689deacb62b50844e

    SHA256

    9456182b40b4fa0daa2fca3f2926585e0a7e711eaa9abbe6a863b0a3bdee61df

    SHA512

    5e3ca369d7e143f90f70f87c9adae8b1a19bcf14d69c2bd944cfd6b928aee9727c0fdd70ce3637cb7ccd1d20cb8230ac739ed9cd577816fc5297eb84c170ec87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6207862.exe
    Filesize

    174KB

    MD5

    fe8cbe8eab55d1cac15887969ea08baf

    SHA1

    641bce8492ff90a809ca125689deacb62b50844e

    SHA256

    9456182b40b4fa0daa2fca3f2926585e0a7e711eaa9abbe6a863b0a3bdee61df

    SHA512

    5e3ca369d7e143f90f70f87c9adae8b1a19bcf14d69c2bd944cfd6b928aee9727c0fdd70ce3637cb7ccd1d20cb8230ac739ed9cd577816fc5297eb84c170ec87

    Download Submit

  • memory/3744-26-0x0000000004C60000-0x0000000004C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3744-27-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3744-18-0x0000000000250000-0x0000000000280000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-20-0x0000000000B40000-0x0000000000B46000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3744-30-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3744-22-0x0000000005240000-0x0000000005858000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3744-23-0x0000000004D30000-0x0000000004E3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3744-25-0x0000000002660000-0x0000000002670000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3744-24-0x0000000002690000-0x00000000026A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3744-28-0x00000000741B0000-0x0000000074960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3744-19-0x00000000741B0000-0x0000000074960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4572-14-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4572-29-0x00000000741B0000-0x0000000074960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4572-21-0x00000000741B0000-0x0000000074960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4572-32-0x00000000741B0000-0x0000000074960000-memory.dmp

    Filesize

    7.7MB

    Download