Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
30cc30df7f6...35.exe
windows10-2004-x64
101208df4133...ab.exe
windows10-2004-x64
102d6ce3858d...b0.exe
windows7-x64
32d6ce3858d...b0.exe
windows10-2004-x64
103a484bb7d4...29.exe
windows10-2004-x64
103e36cb02ee...9a.exe
windows10-2004-x64
103f3ae36481...68.exe
windows7-x64
13f3ae36481...68.exe
windows10-2004-x64
14be1f370e8...6b.exe
windows7-x64
34be1f370e8...6b.exe
windows10-2004-x64
1054ca5c456c...76.exe
windows10-2004-x64
106aa8d5d0d6...df.exe
windows10-2004-x64
108db6f54494...1f.exe
windows10-2004-x64
10b07c30e9c2...0f.exe
windows10-2004-x64
10b62068be50...da.exe
windows10-2004-x64
10c1c526ed2a...52.exe
windows10-2004-x64
10cd9de412cd...04.exe
windows7-x64
10cd9de412cd...04.exe
windows10-2004-x64
10dce60a71ca...cc.exe
windows10-2004-x64
e25842dbe6...9e.exe
windows10-2004-x64
10f358ce518b...e2.exe
windows10-2004-x64
9f5bf417643...17.exe
windows7-x64
3f5bf417643...17.exe
windows10-2004-x64
10f6dc0b4c65...d6.exe
windows10-2004-x64
10f8dfa98c4e...be.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 18:07
Static task
static1
Behavioral task
behavioral1
Sample
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
54ca5c456ca4541c7a54027ae67295d9bdec93f29d76b9e8ab36e1fd52b1b876.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be.exe
Resource
win10v2004-20240426-en
General
-
Target
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
-
Size
308KB
-
MD5
d5f61fc6a8c52e0a93619aa88abf0823
-
SHA1
e8ab904b74f798424102a1739f810f09f1987d60
-
SHA256
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df
-
SHA512
3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f
-
SSDEEP
6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral12/memory/4636-8-0x0000000002190000-0x00000000021AA000-memory.dmp healer behavioral12/memory/4636-12-0x0000000004990000-0x00000000049A8000-memory.dmp healer behavioral12/memory/4636-29-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-41-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-39-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-37-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-35-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-33-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-31-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-27-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-25-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-23-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-21-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-19-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-17-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-15-0x0000000004990000-0x00000000049A2000-memory.dmp healer behavioral12/memory/4636-14-0x0000000004990000-0x00000000049A2000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k6912702.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k6912702.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral12/files/0x000700000002343a-44.dat family_redline behavioral12/memory/4940-47-0x0000000000190000-0x00000000001B8000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 4636 k6912702.exe 4940 l1624569.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k6912702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k6912702.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4636 k6912702.exe 4636 k6912702.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4636 k6912702.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4636 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 83 PID 3148 wrote to memory of 4636 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 83 PID 3148 wrote to memory of 4636 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 83 PID 3148 wrote to memory of 4940 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 87 PID 3148 wrote to memory of 4940 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 87 PID 3148 wrote to memory of 4940 3148 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe"C:\Users\Admin\AppData\Local\Temp\6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6912702.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1624569.exe2⤵
- Executes dropped EXE
PID:4940
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5ddacfe0ab3780ff5989c3f2c32e681cd
SHA1ffeeedaf65d9e6d3634d263d6a42a703777d567e
SHA2563206d9f91f805541bfe3ef067f2b41572a9c7c558db98e8473bb5d7dde6bca05
SHA512bfd8c9a4909bdeca40450a24570fe6031a7c23cc2586c913f944ba2242121b8aad3133fcdbaf55546a50302fbd0894229becc12f4d721848903a5f29aa88e13f
-
Filesize
136KB
MD5100120265e59b27a64574c737cd3dd59
SHA16d525c91ab327ab0fa09dd23e50fb11198d0c8f0
SHA25620e7be4a67709e8af75acd6d7f91f7818e1b85e7cc10690c9904f968f207c46b
SHA512203545141f943c1e5d81b2c105a0db41a49eb9fec335e8bb7cfd63529cfc50a9ce8a7dc49b5059ad7dd7b135a6796dd5c7665b31c6a916a2ccdab31edf08bee4