Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

30b55fc29e...75.exe

windows10-2004-x64

10

4f6b8faa68...86.exe

windows10-2004-x64

10

68c37c8307...6a.exe

windows10-2004-x64

10

699bfc597d...1d.exe

windows10-2004-x64

10

844b5b7693...ab.exe

windows10-2004-x64

10

86a6beb680...62.exe

windows10-2004-x64

10

9cf3d2bf3c...cb.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

d0ab8687e3...e2.exe

windows10-2004-x64

10

fb468a211d...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe

  • Size

    921KB

  • MD5

    806e422c72778033c5ab84a122ee219d

  • SHA1

    2a82b3feba5337f550d857fdd39290c1edbeaaff

  • SHA256

    4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986

  • SHA512

    ac7a914896275cd09d64faee9eb7259f370f58845dd50b5ddfcd139296e57aedf457eec534d6498c0a0b67266a1c9b07c222bba27d65aee1304dba7a16b880eb

  • SSDEEP

    24576:lyxIBM9mCnbl4MASk1HCUvk9gY6gmZw76pr:AxASDx7HzHy

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe
    "C:\Users\Admin\AppData\Local\Temp\4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:720
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe
          4⤵
          • Executes dropped EXE
          PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe
    Filesize

    766KB

    MD5

    318a8eb67e8bcaee3b89dc081807d46b

    SHA1

    f78a8e23612e270f6b6d3307f41bb920a7fc192e

    SHA256

    ab1b9e632564fb3c2826cd638e3277d9bdf07dddc041266d361a6d4cc95015f6

    SHA512

    661fea1e8059173d551c6b538f46220e6d8f911f53977df24f55be72d5d25346b360e1acdfeb101f2e861acd4011ecd752e809279c7664fd082198aebb935c97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe
    Filesize

    582KB

    MD5

    2677f8194fefee3ab023a4d84fe7f80f

    SHA1

    40d025e65fbb8f2e14b8e26c961cd8c1fec08105

    SHA256

    f1cf4820bb2702cf7511d9a2d90c3fe80b263088ac476a3595a7eaa049212f88

    SHA512

    ad3daa1d49f8378c9ebae85817748f539fd19af5a95baa4033726edf12ec8ea7a103a673c736d68e5ae102143e33dd29d1405fef35a790bed9d95ee9bb07ff92

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe
    Filesize

    295KB

    MD5

    61311f348b60fae73c1dec88ddb812b8

    SHA1

    e584bec72429d0f2aac1b5d351a03f6dedf9146d

    SHA256

    5e01d277979e902ec4bae4561368f84e9d5d1cc3cf340ca5ed832ae63e97052b

    SHA512

    82464d99004b7f9f8db0cca14c31dd18a40c1db4c2eba889bf9937fe6278f3d7798ec068a2f66b375518dc479edc68201003ea6bc944480b9c1cb85416b73eb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe
    Filesize

    491KB

    MD5

    f958d6d636e5b3fb2432867cfe738c1d

    SHA1

    aa869b349e1cb254c21a4a0f73ae8ea0a1a0a4e6

    SHA256

    27ee8475b77ceb67b815e186029dd46601683d36f1fed7e2c9d8228eda8efcdd

    SHA512

    fae9b3392255b0d7be0d75cfcab8b97ff1278f79c811fc349483ba56592989d2a30788d2cb01873afc79adf28069fc684b797818f46090d1d8c3d3875ebc5bf9

    Download Submit

  • memory/720-21-0x00000000006D0000-0x000000000070E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/720-27-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/720-29-0x00000000024A0000-0x00000000024A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-28-0x00000000006D0000-0x000000000070E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2724-35-0x0000000002000000-0x000000000208C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2724-42-0x0000000002000000-0x000000000208C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2724-44-0x0000000002270000-0x0000000002276000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2724-45-0x0000000004BE0000-0x00000000051F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2724-46-0x0000000005200000-0x000000000530A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2724-47-0x0000000005320000-0x0000000005332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2724-48-0x0000000005340000-0x000000000537C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2724-49-0x00000000053B0000-0x00000000053FC000-memory.dmp

    Filesize

    304KB

    Download