Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09/05/2024, 18:07
General
-
Target
b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
-
Size
925KB
-
MD5
dd93ee60c259b6d6649066385f4244ee
-
SHA1
d07a767c2cc5a3f4e22536f80cd5403d48e79f31
-
SHA256
b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f
-
SHA512
77da63cbd5f5c49e42b7c8d31388ce5a5f310ab7435e9200ad94f74339d371dd8e4100c1de2700f908c44f849e293b4ae80d8354c03e9c20ab5057df4d2d126f
-
SSDEEP
24576:jyvRZtvqBOv+fxZ0j5MqJu/2vUx4SoSoG:2vXtCVxZ06qg/lX
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe"C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
769KB
MD5672bff291b38885617823399ef70b555
SHA14a7f60f83e53a7da12068d50e8e0a92c4633f187
SHA256b536b905629c03cb86e63c1bf94b1cbf8a7a792df24d4904c4918e64d7c18fec
SHA512167ecae7df2a247e326c6bb329953b19e41b2cff7e730e11a3f6fabf1aefb6c119f1cf2495388dec0961328c2e7b585b0b01b4ccc9ed32f6f206c56d08afb769
-
Filesize
585KB
MD5b33a2914d46d878780b909b6f1c9e28a
SHA137365cb918168c76217112923047b8cb5fce24ff
SHA256cd76d29e86c9061251c4db66dd62b6e9721e8f333e800e7b3e8dd3ab7f23384b
SHA5121c42a950e9b4ad4c63d07b2da343cb273057337d379f38bbd7914de31b8a527b2c7b0bc9fe07a2096fd4726ca88a3c1df2e2e7a7d2a643b24f84aff32325ee49
-
Filesize
295KB
MD509eec7f364a56ec5491caf643ad17697
SHA16b1d0a4ca9ed4ced105e7eec6dfc2a7d3e65d415
SHA2563c95a536651751d027c53005524d9d580917f52e4c0a0c30fac8f6fd55279cf3
SHA5124f97ae75bdbac6f2c52c8189c31ee3b80c6991a15b017f0a5aac6feebe83c6505fefaf0d79c980f967bd5efec7c35961d30e50ddb19969a05be8aec5cdbbb1a0
-
Filesize
493KB
MD5dc11c027caa1f3eca389e929921e4a1a
SHA17bc540dbfa7367f8c7e1761c4de6cb110aceda76
SHA256cc338e14b24d1832ff2badca78ba12388cc65b05124b525e95080c969e805966
SHA512b1153e9eecbf5bdae7093fc472f331f0c71aedeee8072fc54b9657986d42a5a653e88a8712fa9230bdf1bc516ff630e5c1c791ab41ed822b6592ff60103c5105
-
Filesize
248KB
-
Filesize
12KB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB