Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

05b48b2909...29.exe

windows10-2004-x64

10

143e14de3a...c5.exe

windows10-2004-x64

10

2c899ff55c...31.exe

windows10-2004-x64

10

2e0a9b6a39...9b.exe

windows10-2004-x64

10

4250b0250d...ee.exe

windows10-2004-x64

10

464a716862...38.exe

windows10-2004-x64

10

4d09936a4a...bf.exe

windows10-2004-x64

10

59c1607382...01.exe

windows10-2004-x64

10

61f1416a77...2b.exe

windows10-2004-x64

10

68ca177d42...f8.exe

windows7-x64

7

68ca177d42...f8.exe

windows10-2004-x64

7

6ba0db3b66...b3.exe

windows10-2004-x64

10

8b549a8688...5b.exe

windows10-2004-x64

10

a8dffd83e4...8a.exe

windows10-2004-x64

7

b6b53c7022...c9.exe

windows10-2004-x64

10

ccc5c313f4...94.exe

windows10-2004-x64

10

e04ecd64b5...1b.exe

windows7-x64

3

e04ecd64b5...1b.exe

windows10-2004-x64

10

e38bd93e74...28.exe

windows7-x64

3

e38bd93e74...28.exe

windows10-2004-x64

10

eab14d8dad...38.exe

windows10-2004-x64

10

f943251c5b...1b.exe

windows10-2004-x64

10

fb49b50c0d...90.exe

windows7-x64

3

fb49b50c0d...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 13:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe

  • Size

    479KB

  • MD5

    2cb6553c9840b3d0b75e3cb6dfceabdb

  • SHA1

    b795b91e6e19782f031fbdae21de93ea2b7be2be

  • SHA256

    eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738

  • SHA512

    3025a44d0ebb216787f8c39833aa68450592891f7d861a8e010c2f537ea7190192572c0a8a61591f1f889401dcc07ebf4a1b027c692438826b8097907aac9314

  • SSDEEP

    12288:7MrLy90YhqS1jB9dQopQaVuKga3WM3s0l5f+nf:Iy9UUldMJaCQmf

Score
10/10
healerredlinedumuddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe
    "C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
        3⤵
        • Executes dropped EXE
        PID:2096

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.121.18.2.in-addr.arpa
    IN PTR
    Response
    31.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-31deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 217.196.96.101:4132
    l7564883.exe
    260 B
     5
  • 217.196.96.101:4132
    l7564883.exe
    260 B
     5
  • 217.196.96.101:4132
    l7564883.exe
    260 B
     5
  • 217.196.96.101:4132
    l7564883.exe
    260 B
     5
  • 217.196.96.101:4132
    l7564883.exe
    260 B
     5
  • 217.196.96.101:4132
    l7564883.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    31.121.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    31.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
    Filesize

    307KB

    MD5

    216c883d69e5b676dadcbbc3c49b2ea7

    SHA1

    bd25ba694b75cfc5c747073abbe9344001c05d48

    SHA256

    cd05c707896cf6721f13c5f314b2a73e413a8bc42acd0b01164a2d36426728c7

    SHA512

    b3b74dea447966ffde82d33e7ae96df894e8145a431eb795af1d882358814ceafc2b22406a522c114a6abcd9b43f2ee166f6c492ed1194aab257b314c3bb5120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
    Filesize

    180KB

    MD5

    769430943362861334421dba770826e7

    SHA1

    f4452cae4df613a4a7cb22da4ff12a671e0debb4

    SHA256

    9eb85dd00a91711de4dbcb01f144368839954d6ec1bdc80bf3df63123b55089d

    SHA512

    a33420ec4fdda34810b86899b12d38449a85af6b46ac88d630b71bd92f5e9f74fad13b0f51d948bbd3de43d060632af5b81deffb692a5e3e4e6a327614434741

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
    Filesize

    168KB

    MD5

    c89a4c50b55d8b6f3a41d465a1aec944

    SHA1

    5ffbb28b771af6bc8f9f327294605c4bb4edfa65

    SHA256

    b1266f818eaf91dfe5c7aa2deaf6a428374e2bee21deffb52a3b1c22a49b8759

    SHA512

    29d7856defe832254a4e0f5d90ada57090bb9f960a8d53deb49273702e3eee04bfe25ac7c0ea1367a76687a1061e16302dcb6147bed30acec4901a2c83418d12

    Download Submit

  • memory/2096-60-0x0000000005390000-0x00000000053DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2096-59-0x0000000005210000-0x000000000524C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2096-58-0x00000000051B0000-0x00000000051C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2096-57-0x0000000005280000-0x000000000538A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2096-56-0x0000000005750000-0x0000000005D68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2096-55-0x0000000004E90000-0x0000000004E96000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2096-54-0x0000000000830000-0x0000000000860000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3468-30-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-20-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-38-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-36-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-34-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-32-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-42-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-28-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-26-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-24-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-22-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-40-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-47-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-48-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-50-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-46-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-44-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-19-0x0000000004990000-0x00000000049A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3468-18-0x0000000004990000-0x00000000049A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3468-17-0x0000000004A20000-0x0000000004FC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3468-16-0x0000000074260000-0x0000000074A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3468-15-0x0000000002190000-0x00000000021AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3468-14-0x000000007426E000-0x000000007426F000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.