303cef1108b...25.exe
windows10-2004-x64
10062bf5eda9...2b.exe
windows10-2004-x64
101c0cc29edf...ac.exe
windows10-2004-x64
101c46e1db34...f7.exe
windows10-2004-x64
1020811d5e08...84.exe
windows10-2004-x64
1028627b3333...c8.exe
windows10-2004-x64
10437213eb4b...b5.exe
windows10-2004-x64
1054a19d5a7a...d8.exe
windows10-2004-x64
106407653fb9...7c.exe
windows10-2004-x64
106dd993cade...4e.exe
windows10-2004-x64
10764d92d88b...5f.exe
windows10-2004-x64
109c51d813e0...74.exe
windows7-x64
39c51d813e0...74.exe
windows10-2004-x64
10b813f799e9...17.exe
windows10-2004-x64
10bc2ed7f926...f9.exe
windows10-2004-x64
10c1a9af1ad6...d5.exe
windows10-2004-x64
10cf90d774fa...01.exe
windows10-2004-x64
10e65fa29126...d8.exe
windows10-2004-x64
10e81854abc9...1a.exe
windows10-2004-x64
10ed835b70d5...6c.exe
windows10-2004-x64
10f48c36cb91...ef.exe
windows10-2004-x64
10Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
09/05/2024, 18:21
Static task
static1
Behavioral task
behavioral1
Sample
03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1c0cc29edf3fda05ac6cd12ee7acdaf9ca6233c60ef212f53b42d088f670c7ac.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
1c46e1db345610fe8ef6a2fe37c7407b77ab614fd47b00a74971f892275e38f7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
437213eb4b67386b44ee8203e45489fe45f788fa215cc4f60982184a2231a6b5.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral8
Sample
54a19d5a7a4bbca3496b0edc5d80a240350e944513622d242341964e048d96d8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
6407653fb96eb144397cd5292be81f74ffb0eb8949a8d73e1a21ee3c9e85f97c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6dd993cadea9e368a14c0ab840b0e2d0dd3ca3d699734998da4237aed7f2354e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
cf90d774faa53f828a5c0c7fd9b7693ab9e6a5b59349863524aae5284b993f01.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e65fa291263fc43fdfd3ce7a071b11f1ea2a2f55c02321bfd476a1d4c33e7bd8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef.exe
Resource
win10v2004-20240426-en
General
-
Target
bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe
-
Size
1.2MB
-
MD5
23f4a44c0cc77486d90c2b5d3db5dfd7
-
SHA1
7c42f90496bc5d268c92f2c07846c32b7f7513f8
-
SHA256
bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9
-
SHA512
f4dc5891381f139f01e073b20d0c2c311633eba3cf92b045a739413083a17934f1201b56a48a444325e26b5827077a6ca79bc8aa7a7b3f7fb4e3c855fc222527
-
SSDEEP
24576:My3sw5khZLecoTZ5TlNzhW4hXNcWCz4YPrwk3iRkrIoDb9nBziioUiDfy:7YhZmTTTlBMmXWt4C1kyhQ37
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer, an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral15/memory/928-41-0x0000000000580000-0x00000000005BE000-memory.dmp healer behavioral15/files/0x0007000000023444-46.dat healer behavioral15/memory/3532-48-0x0000000000450000-0x000000000045A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a9890667.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b1518794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b1518794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b1518794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b1518794.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b1518794.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b1518794.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral15/memory/2172-54-0x0000000002030000-0x00000000020BC000-memory.dmp family_redline behavioral15/memory/2172-60-0x0000000002030000-0x00000000020BC000-memory.dmp family_redline -
Executes dropped EXE 7 IoCs
pid Process 2892 v0354038.exe 2936 v6703930.exe 3848 v7884749.exe 4964 v0577172.exe 928 a9890667.exe 3532 b1518794.exe 2172 c1251968.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a9890667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b1518794.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v0354038.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6703930.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v7884749.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v0577172.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 928 a9890667.exe 928 a9890667.exe 3532 b1518794.exe 3532 b1518794.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 928 a9890667.exe Token: SeDebugPrivilege 3532 b1518794.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 684 wrote to memory of 2892 684 bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe 82 PID 684 wrote to memory of 2892 684 bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe 82 PID 684 wrote to memory of 2892 684 bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe 82 PID 2892 wrote to memory of 2936 2892 v0354038.exe 83 PID 2892 wrote to memory of 2936 2892 v0354038.exe 83 PID 2892 wrote to memory of 2936 2892 v0354038.exe 83 PID 2936 wrote to memory of 3848 2936 v6703930.exe 84 PID 2936 wrote to memory of 3848 2936 v6703930.exe 84 PID 2936 wrote to memory of 3848 2936 v6703930.exe 84 PID 3848 wrote to memory of 4964 3848 v7884749.exe 85 PID 3848 wrote to memory of 4964 3848 v7884749.exe 85 PID 3848 wrote to memory of 4964 3848 v7884749.exe 85 PID 4964 wrote to memory of 928 4964 v0577172.exe 86 PID 4964 wrote to memory of 928 4964 v0577172.exe 86 PID 4964 wrote to memory of 928 4964 v0577172.exe 86 PID 4964 wrote to memory of 3532 4964 v0577172.exe 98 PID 4964 wrote to memory of 3532 4964 v0577172.exe 98 PID 3848 wrote to memory of 2172 3848 v7884749.exe 100 PID 3848 wrote to memory of 2172 3848 v7884749.exe 100 PID 3848 wrote to memory of 2172 3848 v7884749.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe"C:\Users\Admin\AppData\Local\Temp\bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354038.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0354038.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703930.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703930.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7884749.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7884749.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0577172.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0577172.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9890667.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9890667.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1518794.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1518794.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1251968.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1251968.exe5⤵
- Executes dropped EXE
PID:2172
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.0MB
MD592e86d78d4350887640aaeeb5e7c3425
SHA1d0d8bdc560dad3ac4a84b652726fa63165c04d13
SHA2569e4df12d224fdc7667d06cf88a1905f94ae5fdfd27a13b61324fc0331b22d184
SHA5127a95708827257d4b74862cc40f7c907e361bf1c26ed7db03f3d98a3248fb47a9561b1778626354bbbc5adcb6bbf5b58cc3a51d0cf48d812885fd63016fd55d4b
-
Filesize
907KB
MD58d4c8d0b1f299cc81343137775122dec
SHA192bf8571f82db7b3bcb281d5ab80530e5e60e9d9
SHA25674dfba8da94d0f048336d8eec0a3110a4be3f0b896c981ac34af9c35297d8522
SHA512802f3c84faa4021a8fc7b8ecffd9f70b657246d9e566bdb4ffbc717bf827d3cedd5bb31c9d219f3f6a7115147d42ddfa2b52f1875dd23eb216b8fcd99a7afa7c
-
Filesize
723KB
MD5db3ef61c2c9c99656329b695b68ffd39
SHA14b594f448eb1ab8b4c0984db0b4e921a12e0551c
SHA256766828940f20ed4e5a0feb58c5f264aaa5f4050b68da0335bbbb7d9073d96de6
SHA51281f7c478b412db1bb9e1a693566a64eb61b76f85a2fd70d9cb21d1205067192b591e1a1ce37240fe86048f3f1578f6ee7f44e4bcb1bc6cb14fd02c681244f4a7
-
Filesize
493KB
MD59aee504b815fef2bfe0ce1b11a601fcb
SHA162b23efee83d87063fdd0b1d62acc67021b230ee
SHA2568b1f80f97032002f7b6a451ebf1922d4df8d81ed2995bdc82e7da19b4ae28598
SHA5122bf36835f5b4619eb982313d85db2410adb98e2cb566b6ecbc42e017c038ba1ea2919883f8802804d8e56c881804a92034dacda6d4630a4d12c5f8f5ab5ee2bb
-
Filesize
324KB
MD549ca4635866912230c077d2b1fe0cc2b
SHA1c4f544dddff8df94353625657ff7a5254b70ef82
SHA25615547ab2ac86255c8c1678e626e57777317237a9813e287c7739decf5a58195f
SHA51287ed81100bdd3071ef93b89ce863a22475ab4eae6ddf5181e7472cf398c52e8f6103ea356af6186ac9aa805252204ca8b854c1c7d0253a46e3a18e5d69c75267
-
Filesize
294KB
MD581e48785f5bdd376bd6544827f5c4572
SHA15877519fb94e20ba97102d0bf51614e8a1badac8
SHA25673d04daa6938538edc7c960bdbc34083c580c611d77a05689ee440fb708e1730
SHA512d5b276128acb072717ec6e133bba9d0f92eed651244663cf35add8f532747d182c19e73e12635c2413b87dfe984f2789722eb5ceb46ed0f0d7bd969622faaa20
-
Filesize
11KB
MD53ac1b24465f4e57bc71bd5cffac8250b
SHA1c8f45bd1dae58b1b2245198b67cb2fa1e3b6d09c
SHA256406657aaf7b8938aa5db2bff065067fd426907275f7164414bf6e93dc5a26853
SHA512f6653af6ee91930162954b1e4c936a04acc298ad590a9b8411dd6568a44253ca9596863087b90d89cf8b378445e63c4fafa9d6e3ac38f13ff76a9fef6070a1b2