Analysis
- max time kernel: 175s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 04:53
Static task: static1
Behavioral task: behavioral1
- Sample: dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe
- Resource: win10v2004-20230915-en
General
- Target: dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe
- Size: 1.2MB
- MD5: 1040f71460bf21ae11509d672bc00466
- SHA1: 2b767506a77d801f68f18cb5f7f64293becc72d3
- SHA256: dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd
- SHA512: f432cdaff9b7a57687c08fe1901d0a48675b9dfb916a8093390b2c48e7985272d8c3a708dca4068c8c80b41a7a58c47f995501ea37ab63fe4b2756ff6ec7fa60
- SSDEEP: 24576:l74crodWKnrkoOYtZaKYjyYhJzjXpUl+55HL4lnlIh6OnEFKcsyXgY4bRqCyG:54crodcoOZzzjXOl+f4kh6IEoyIbRGG
Malware Config
Extracted
- Family: redline
- Botnet: petin
- C2: 77.91.124.82:19071
- auth_value: f6cf7a48c0291d1ef5a3440429827d6d
Signatures
- Detects Healer, an antivirus disabler dropper (1 IoC)
  - yara rule: healer
    resource: behavioral2/memory/4416-32-0x0000000000400000-0x000000000040A000-memory.dmp
- Modifies Windows Defender Real-time Protection settings (process: AppLaunch.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (5 IoCs)
  - PID 4596: x9766055.exe
  - PID 4948: x5922132.exe
  - PID 2696: x7394315.exe
  - PID 3432: g7711021.exe
  - PID 4336: h6921083.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  All entries are Set value (str) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
  - wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: AppLaunch.exe)
  - wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: x9766055.exe)
  - wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: x5922132.exe)
  - wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: x7394315.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 224 (dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe) set thread context of 4332, target procid 94
  - PID 3432 (g7711021.exe) set thread context of 4416, target procid 101
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4416: AppLaunch.exe
  - PID 4416: AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 4416, AppLaunch.exe
- Suspicious use of WriteProcessMemory (33 IoCs, identical events grouped with a count)
  - PID 224 (dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe) wrote to memory of 4332, target procid 94 (10 events)
  - PID 4332 (AppLaunch.exe) wrote to memory of 4596, target procid 95 (3 events)
  - PID 4596 (x9766055.exe) wrote to memory of 4948, target procid 96 (3 events)
  - PID 4948 (x5922132.exe) wrote to memory of 2696, target procid 97 (3 events)
  - PID 2696 (x7394315.exe) wrote to memory of 3432, target procid 99 (3 events)
  - PID 3432 (g7711021.exe) wrote to memory of 4416, target procid 101 (8 events)
  - PID 2696 (x7394315.exe) wrote to memory of 4336, target procid 102 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe (level 1, PID 224)
  command line: "C:\Users\Admin\AppData\Local\Temp\dd66b05a32931287f200c0f6ee82ce1b3b52313911780c5ccdf5ace06f3655fd.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 2, PID 4332)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9766055.exe (level 3, PID 4596)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9766055.exe
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5922132.exe (level 4, PID 4948)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5922132.exe
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7394315.exe (level 5, PID 2696)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7394315.exe
          signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7711021.exe (level 6, PID 3432)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7711021.exe
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 7, PID 4416)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6921083.exe (level 6, PID 4336)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6921083.exe
            signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
Downloads
- Filesize: 745KB
  MD5: eec9493ff80cdd64bd1f495a20d39186
  SHA1: 6c964c61f43d65b41af384de30a12bad593db5cc
  SHA256: b4168d38cb191f89d28916d4c70e7a9ed76c40783d3f303a3b06c77e7ee3fd99
  SHA512: 664acf28155a5e18c309d09c1de3ab456b205eef3fa1572387ee0c76c0dd8b55ee27df771ed1e20cd4c6ca86d47744965693c86d4781d7fbdaa4c8fa91d68b7c
- Filesize: 480KB
  MD5: f60214e4b9715b5b76aa37ef6043a495
  SHA1: a657be2684aba93b17b8ddd52f0fa484976b147e
  SHA256: 4a6a6ce61c7bc9aa2076da8ad23bec6e6314be9044a2e31fef27d367a3ec03f3
  SHA512: e10f4701f444fa084d3fc35ead5ebe0df9a58c29df1174627eb5927c34f677807e45130c7dd25c6977bcd492611c959111ab0624d83f1bf5f6de3695aa86071b
- Filesize: 314KB
  MD5: 2339f1fe167146ab8fab67de9cbae202
  SHA1: e08b9e8bdc9176ab87dcb94837a5dcc8acdb4e24
  SHA256: c3cf1f80ecb2cc879097fdfaf0cbe485951ee1f833a56e778010ac47193ba6eb
  SHA512: 41dc14e7b23d4b89c08ee7195a1da5dd4fae68e32a8093639eed8c6b45d53be97e74c0a90199033cb74c1a5f4f4dff19dfd1cfe4a61a58c989bd876b2378742a
- Filesize: 229KB
  MD5: 00982fc34e0c3c4d0348d0906102fa4c
  SHA1: 8a978f6504faddfd08add57576b165c215cc056a
  SHA256: 0da1bc1a4575667a9d8239ac40b169b51df4ebc0caf47cb650d379726d83f599
  SHA512: cacf2102cddfbe07f1554e739e859e88486869d4080e1c92084346bebb6398718b9a0669d9fa58d637b700889f1dd7712721370642ccd8002d1117c34e538fa3
- Filesize: 174KB
  MD5: f519c334f2041b420d6f4219e84fea3b
  SHA1: 1214e85845de23469acd11dd12b1a647c7933eb2
  SHA256: 7e045fc1756c3e841bb6d55986cd7536d4ec141c1f82d25a89b3ace86b6e4d84
  SHA512: 87891f6389ede9edf9ace44f5e6a314019126f27f5a3b9b04685e0504736cf0a55d45509c2107709bf0c00c5a36187e24fd8cc71a1de23556de852df857fa77a