Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 00:22
Static task: static1

Behavioral task: behavioral1
- Sample: 16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: 16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe
- Resource: win10v2004-20230915-en
General
- Target: 16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe
- Size: 1.2MB
- MD5: 3aa3a8b330051d89a4464bf133824d94
- SHA1: 2695a9849acf00209505624b254ab68658fbfd05
- SHA256: 16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231
- SHA512: 1ccc83891e2ac27ae8dd7c5c4b9b712b4bfb2996334174d0871680285ce35570635747282545fb458f74d63a28ec456255efebf7c34b617fc13ce2b6f8a8bd2b
- SSDEEP: 24576:jZtJSfVC7okqSyaSBm5My7ZNiEnnq3n6GXhZ:jZtJS0p/S85MyOVXhZ
Malware Config
Extracted
- redline
- petin
- 77.91.124.82:19071
- auth_value: f6cf7a48c0291d1ef5a3440429827d6d
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
- resource: behavioral2/memory/4884-32-0x0000000000400000-0x000000000040A000-memory.dmp
- yara_rule: healer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (5 IoCs)
pid | Process
- 2252 | x2797138.exe
- 4304 | x2628021.exe
- 2844 | x0302877.exe
- 3680 | g2471009.exe
- 4876 | h3756296.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x0302877.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x2797138.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x2628021.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
- PID 4144 set thread context of 3260 | 4144 | 16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe | 95
- PID 3680 set thread context of 4884 | 3680 | g2471009.exe | 101

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 4884 | AppLaunch.exe
- 4884 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 4884 | AppLaunch.exe
Suspicious use of WriteProcessMemory 45 IoCs
Processes

- C:\Users\Admin\AppData\Local\Temp\16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe (PID 4144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2452)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1560)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3064)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1584)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3260)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2797138.exe (PID 2252)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2797138.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2628021.exe (PID 4304)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2628021.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0302877.exe (PID 2844)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0302877.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2471009.exe (PID 3680)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2471009.exe
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4884)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              Signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3756296.exe (PID 4876)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3756296.exe
            Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 749KB
  MD5: 2b1aa0d2bad44e096e64bf7be9a22a22
  SHA1: 272cbe63e7ea7f7305357fa13daec61bb5ad5b51
  SHA256: bd5a32713301bd6fe6bd125c8fefd5907ec1194ebd47f2fe8574e477c24b5ce7
  SHA512: 1006c9bf371d1a99b4e06f2488a8571a9dd62923c389fdc50dafb324f745e6a9c2c8875faa92bf5a78b03511b2df6eea18e21075f0f25a69a3fa613a0b403d72

- Filesize: 483KB
  MD5: c85d1c4268a675bbf4114b1323765695
  SHA1: d39dda6768a00469469aeede774620fae0523325
  SHA256: 102f6e8ac1ed2a2637481eaa88a762f567cd06b3a48bde993f639e037dfc061b
  SHA512: 86a432bc3a92ad6b12aa4b513b43d42623310c0a7ab6890db6bb34f840aa83a0be247d8317c044396cc782d4673512daa04719f49a274927dd4ddcec580e3e08

- Filesize: 317KB
  MD5: 0a0ca8c820fb13c71e3d840bffe429a8
  SHA1: e822ca717c54c5e777eb6042149ebc696163c7d3
  SHA256: 00ed13c121fd3d890ae5a56360ead3b2b2b649905c34d24dc85c50e51a97af0e
  SHA512: 47115ade674c3b20569c965d229dec4d0b94f19806e109f8829268745e3ef58fe1b459ab3a1396fb736ac318c04270df09c7dddd905e6dcf675a118a2bd72de6

- Filesize: 230KB
  MD5: 194b8e7f090924e380b41460e098f569
  SHA1: 276553941c9b31fa1c87a342960562fd9ba71c19
  SHA256: ea64d37a0340a1fe1edbf6cbcee11103c83920775e656f0ae61827e5ba7ef53c
  SHA512: d38b01b544be7d33808e82a8cf488b44be671efd2b6a1f80791f03db520e0f06dd1c59cff176dc7b6d6856a873d29d30be867248024fb67efd1d921bfc1b3f8f

- Filesize: 174KB
  MD5: 686f2fe3c1e454279bcf84ff4f39301b
  SHA1: 0fce8fb4311a65edfeec22aa47c5e14f9ac83e10
  SHA256: c713226be72373e4417725add81b73464b1b79e7a79f6a09757537ceb9b42830
  SHA512: ef4a0266973ac5a2117e59ee92547ebdda1d3c1502c7f4c8a40745566d60f657940852c966c882f2a7066f0dc77be5bde9104d78f05272de503983c26800bff4