Analysis
- max time kernel: 138s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 03:11
Static task: static1

Behavioral task: behavioral1
- Sample: eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe
- Resource: win10v2004-20230915-en
General
- Target: eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe
- Size: 1.2MB
- MD5: 9cb509a501dca0ca4bd43e7bd8800319
- SHA1: 8800bb6f3df45a90a6f581b4cd8bd22cd4962ffd
- SHA256: eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db
- SHA512: b5e025194912f27c8474448476b816f332a41ce508cdf6c0e32f5a7a01293cdbe8d833dc1f8f09c121c3eccd8821aec75181cdd96887fa63b0cc4b14fb916294
- SSDEEP: 24576:MZtxDwqN5sh/Y7VH8pdBF9lpQyz3u9hEhbfx/vhZ:MZtRH01oyzuAtVhZ
Malware Config
Extracted
- Family: redline
- Botnet: petin
- C2: 77.91.124.82:19071
- auth_value: f6cf7a48c0291d1ef5a3440429827d6d
Signatures

- Detects Healer, an antivirus disabler dropper (1 IoC)
  resource | yara_rule
  behavioral2/memory/2212-33-0x0000000000400000-0x000000000040A000-memory.dmp | healer

- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Executes dropped EXE (5 IoCs)
  pid | Process
  1896 | x4112606.exe
  4716 | x8931942.exe
  2096 | x4459478.exe
  1264 | g1456264.exe
  3592 | h1265912.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x4112606.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x8931942.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x4459478.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 5116 set thread context of 1884 | 5116 | eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe | 91
  PID 1264 set thread context of 2212 | 1264 | g1456264.exe | 99

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2212 | AppLaunch.exe
  2212 | AppLaunch.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2212 | AppLaunch.exe

- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 5116 wrote to memory of 1884 | 5116 | eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe | 91 | 10
  PID 1884 wrote to memory of 1896 | 1884 | AppLaunch.exe | 92 | 3
  PID 1896 wrote to memory of 4716 | 1896 | x4112606.exe | 94 | 3
  PID 4716 wrote to memory of 2096 | 4716 | x8931942.exe | 95 | 3
  PID 2096 wrote to memory of 1264 | 2096 | x4459478.exe | 96 | 3
  PID 1264 wrote to memory of 4868 | 1264 | g1456264.exe | 98 | 3
  PID 1264 wrote to memory of 2212 | 1264 | g1456264.exe | 99 | 8
  PID 2096 wrote to memory of 3592 | 2096 | x4459478.exe | 100 | 3
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe"
  PID: 5116
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 1884
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4112606.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4112606.exe
      PID: 1896
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8931942.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8931942.exe
        PID: 4716
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4459478.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4459478.exe
          PID: 2096
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1456264.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1456264.exe
            PID: 1264
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4868
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 2212
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1265912.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1265912.exe
            PID: 3592
            - Executes dropped EXE
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 750KB
  MD5: 1e1e984ca01441792b0efa253a96ca4c
  SHA1: 700d3a718f07c7ca49b606d351f9558077d0bf32
  SHA256: 8814cddfeb5d32b60235d7d2431128743c9cee8d6dc005fd2a9b84624e5e9b7a
  SHA512: 6fd48e3061413f56a419bb727ebf70f0e6f9c6020883733ee8f21accbd8fb2d2c0270cf47725cd264255bbedc768da735c2e46ae88670e4c62d8d4224675c26a
- Filesize: 483KB
  MD5: 5344eba6db5ad86e75bc82eb22eb4d7a
  SHA1: b37ccdb830db91d6680cc6c13a3785092713aa5c
  SHA256: c62771542a7334a7dd8bb128e59279119d2749310c2251694a990cf38840fedb
  SHA512: e28a24dd31cb2ed03f9fe43b626c17e9de20ee85e9f4100ef3641e4966fdb42fc3e75a11f94a333feb12acf97296ca546debc1b2d1e1b635a59fa2f4c9417694
- Filesize: 317KB
  MD5: fa83f77033b8bb337eda497b36fd350b
  SHA1: c8bd45c0b0334c11dec84c8f96ee503c5a3db191
  SHA256: d42a5106a52ec21132362c44f19de06ceda30031fcc6844216c818e5caaa3afd
  SHA512: b5469b679780639355fd009c9311a5200878bbb3e5994113fd54a4bc8e51ab7636f2f24365a6ea2addde51f26fd3fd4a39c48dd65b99abd2529950640fc1402d
- Filesize: 230KB
  MD5: f1ba3be24fbcb545485754002346efc3
  SHA1: 40405a04149346602ddf2f0ccde20cbd606a594d
  SHA256: 69d5635af160cadf82e04121eeb764b432bd1af011410aaa326f9eaba6c402b7
  SHA512: 9919a806ec3717fdb5ea2b6caced3ea9815a9d9cce30babbb24127fa4fb212f344ffa546883f7d055d97df2de95c63a000c81b28880ab04b8cad8ea335ae8283
- Filesize: 174KB
  MD5: 3bc22ce44a6fe6c53fc69c5a9f7b6e3f
  SHA1: 549165f0a51be5ea30ff600990d34dcff58da18c
  SHA256: ae9777c51e11bac77a0f4fc357066eae54ec2ff254b5941259302ce1c57dc38a
  SHA512: 324ba599f0ab7bb7531f9d1e4c81612e08bf9af3d4951a0ee879b1896e45f70146a1a3e134eafd45dcfa8b45f412ea911f3e42367cc49a371e19e34b985f654c