Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

SecuriteIn...86.exe

windows7-x64

5

SecuriteIn...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.CrypterX-gen.31728.27686.exe

  • Size

    930KB

  • MD5

    003a5adb39b4aae944fcee366eeecb08

  • SHA1

    34603c966fd5bb29b671275d215db348a66e8ea6

  • SHA256

    c680e5bf89609a2bc8f50217c7bc859fa7d60bdcb53660475bd49e980e2c1e6f

  • SHA512

    d8ebaed7db5a8f2991e88a3c03c0d03137867369b10b9d07fa5dee377424fa9d85b71d3cee02c63a2c73b6737c7b6f1b48309de33dfa429685f3762ad9f47545

  • SSDEEP

    12288:50//yfYb5BIQZVtRXPWfrcojoQkFAaoDUTlJ/Y/ezShebbLAfIoo/d2kgExJkPy9:GiuBtZeraPKengSVL6oJgFbBmW8XBh

Score
10/10
healerredlinemonerdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.31728.27686.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.31728.27686.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5698455.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5698455.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7036598.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7036598.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4392317.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4392317.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:552
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4188
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7885357.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7885357.exe
            5⤵
            • Executes dropped EXE
            PID:3752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5698455.exe
    Filesize

    472KB

    MD5

    1c27eaa1bec64afac44138dac9516234

    SHA1

    b6bd0cedbcac50a681150b64bbb94b24be145cbe

    SHA256

    79f498c67bb64e7b40ea5dfe2c46e702e5d681a0e0d323b779d100e9895f6de7

    SHA512

    5ef72f48cc2f704e87a9a5a8c852fed18ce3fd05ce751fb36708ca7426c404761a90bd1fca4e1409ebede5ae0f748d70858b3fc5db2f0b5f74a9e542936d7517

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5698455.exe
    Filesize

    472KB

    MD5

    1c27eaa1bec64afac44138dac9516234

    SHA1

    b6bd0cedbcac50a681150b64bbb94b24be145cbe

    SHA256

    79f498c67bb64e7b40ea5dfe2c46e702e5d681a0e0d323b779d100e9895f6de7

    SHA512

    5ef72f48cc2f704e87a9a5a8c852fed18ce3fd05ce751fb36708ca7426c404761a90bd1fca4e1409ebede5ae0f748d70858b3fc5db2f0b5f74a9e542936d7517

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7036598.exe
    Filesize

    307KB

    MD5

    7e6c7033ed2a212226d8b68162029983

    SHA1

    e85c15fb89c11a925fed240e564ec9fcf83429a0

    SHA256

    af289cf7bc0a63df86d167d97bd5a48a8220aa9cbf675b7ee1f249c29d1e35a2

    SHA512

    22f22da9327637865e709dc771fb5a5dc54db2d9b84d8c31b9b1493ba41d3bf968e081acadf1be22102debe4794e904a167af8f4b6b34c71690e7c65aa2a9c1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7036598.exe
    Filesize

    307KB

    MD5

    7e6c7033ed2a212226d8b68162029983

    SHA1

    e85c15fb89c11a925fed240e564ec9fcf83429a0

    SHA256

    af289cf7bc0a63df86d167d97bd5a48a8220aa9cbf675b7ee1f249c29d1e35a2

    SHA512

    22f22da9327637865e709dc771fb5a5dc54db2d9b84d8c31b9b1493ba41d3bf968e081acadf1be22102debe4794e904a167af8f4b6b34c71690e7c65aa2a9c1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4392317.exe
    Filesize

    213KB

    MD5

    5ec496bb5683ef7e3a48e2d8ca3951d1

    SHA1

    dc1ed109d83f51e07dbc64593ec47f180f496846

    SHA256

    dde54bf709a7cf9a51d3fa4f4e5c97052c9419d909343fb93a48e4bcfb4ffd23

    SHA512

    c3cb7f118079e0a3dd113a870f220dcfce08b913bf64c784a71dda451df78557885f3272051df8bfff1a64457b9ed31b95f264c43ca5dbea6d0434f641f53eae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4392317.exe
    Filesize

    213KB

    MD5

    5ec496bb5683ef7e3a48e2d8ca3951d1

    SHA1

    dc1ed109d83f51e07dbc64593ec47f180f496846

    SHA256

    dde54bf709a7cf9a51d3fa4f4e5c97052c9419d909343fb93a48e4bcfb4ffd23

    SHA512

    c3cb7f118079e0a3dd113a870f220dcfce08b913bf64c784a71dda451df78557885f3272051df8bfff1a64457b9ed31b95f264c43ca5dbea6d0434f641f53eae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7885357.exe
    Filesize

    174KB

    MD5

    01127829196770ec06b1ec31956fe3f2

    SHA1

    9e3f7032122c65a05fe0e8ed8bfa0076c1915923

    SHA256

    1d48c0aa7f9925c1e751c4021b8df169520c59fd1af08d6993168a4a398be824

    SHA512

    829a15cb3ccef47f673655994d77d17fb5dc8200219db5a0e55792438ee0c5f42e99f5a843ae8717d7ef15322055509dadf5aa40be0a0a77f2af54d66129cb28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7885357.exe
    Filesize

    174KB

    MD5

    01127829196770ec06b1ec31956fe3f2

    SHA1

    9e3f7032122c65a05fe0e8ed8bfa0076c1915923

    SHA256

    1d48c0aa7f9925c1e751c4021b8df169520c59fd1af08d6993168a4a398be824

    SHA512

    829a15cb3ccef47f673655994d77d17fb5dc8200219db5a0e55792438ee0c5f42e99f5a843ae8717d7ef15322055509dadf5aa40be0a0a77f2af54d66129cb28

    Download Submit

  • memory/2148-3-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2148-2-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2148-1-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2148-31-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2148-0-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/3752-37-0x000000000A5D0000-0x000000000A6DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3752-36-0x000000000AA50000-0x000000000B068000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3752-29-0x0000000073DF0000-0x00000000745A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3752-32-0x0000000000760000-0x0000000000790000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3752-33-0x0000000073DF0000-0x00000000745A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3752-44-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3752-35-0x00000000029B0000-0x00000000029B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3752-43-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3752-42-0x000000000A920000-0x000000000A95C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3752-38-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3752-39-0x000000000A510000-0x000000000A522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4188-41-0x0000000073DF0000-0x00000000745A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4188-25-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4188-30-0x0000000073DF0000-0x00000000745A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4188-34-0x0000000073DF0000-0x00000000745A0000-memory.dmp

    Filesize

    7.7MB

    Download