Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    138s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 15:13 UTC

General

  • Target

    6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe

  • Size

    1.5MB

  • MD5

    b6bd0fe9e2f14162d22a601e59a1740b

  • SHA1

    5a60ae626817e3638caca0fc80ad9a8200357e52

  • SHA256

    6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119

  • SHA512

    af2f072c83766dc801720af1f3a94dca12035b46b3a038a4df7afecfb85021020f25b2f4827bcba7d6109176631730e0527772b37946564a40d6dc9ea92ae8d0

  • SSDEEP

    24576:GygAJsoOr2n6P8VRrbjJJ+XODPh25hMojCFMQsEtJoFs/dboavD3ZCzY2:VgABQ+6kpcoh2MntHdbJvD3ZCz

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
    "C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3904
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4668
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe
          4⤵
          • Executes dropped EXE
          PID:556
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4736

    Network

    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77deploystaticakamaitechnologiescom
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
      Response
      chromewebstore.googleapis.com
      IN A
      172.217.169.10
      chromewebstore.googleapis.com
      IN A
      216.58.212.202
      chromewebstore.googleapis.com
      IN A
      172.217.169.42
      chromewebstore.googleapis.com
      IN A
      142.250.179.234
      chromewebstore.googleapis.com
      IN A
      142.250.180.10
      chromewebstore.googleapis.com
      IN A
      142.250.187.202
      chromewebstore.googleapis.com
      IN A
      142.250.187.234
      chromewebstore.googleapis.com
      IN A
      142.250.178.10
      chromewebstore.googleapis.com
      IN A
      172.217.16.234
      chromewebstore.googleapis.com
      IN A
      142.250.200.10
      chromewebstore.googleapis.com
      IN A
      142.250.200.42
      chromewebstore.googleapis.com
      IN A
      216.58.201.106
      chromewebstore.googleapis.com
      IN A
      216.58.204.74
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN Unknown
      Response
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN A
      Response
      pki.goog
      IN A
      216.239.32.29
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN Unknown
      Response
    • flag-us
      GET
      http://pki.goog/gsr1/gsr1.crt
      Remote address:
      216.239.32.29:80
      Request
      GET /gsr1/gsr1.crt HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 797
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 10 May 2024 15:14:19 GMT
      Expires: Fri, 10 May 2024 16:04:19 GMT
      Cache-Control: public, max-age=3000
      Age: 28
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gtsr1.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gtsr1.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1371
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 10 May 2024 14:31:22 GMT
      Expires: Fri, 10 May 2024 15:21:22 GMT
      Cache-Control: public, max-age=3000
      Age: 2605
      Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gts1c3.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gts1c3.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1304
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 10 May 2024 14:42:11 GMT
      Expires: Fri, 10 May 2024 15:32:11 GMT
      Cache-Control: public, max-age=3000
      Age: 1956
      Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      DNS
      10.169.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.169.217.172.in-addr.arpa
      IN PTR
      Response
      10.169.217.172.in-addr.arpa
      IN PTR
      lhr25s26-in-f101e100net
    • flag-us
      DNS
      29.32.239.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.32.239.216.in-addr.arpa
      IN PTR
      Response
      29.32.239.216.in-addr.arpa
      IN PTR
      any-in-201d1e100net
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      136.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      136.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      139.53.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      139.53.16.96.in-addr.arpa
      IN PTR
      Response
      139.53.16.96.in-addr.arpa
      IN PTR
      a96-16-53-139deploystaticakamaitechnologiescom
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      201.201.50.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      201.201.50.20.in-addr.arpa
      IN PTR
      Response
    • 172.217.169.10:443
      chromewebstore.googleapis.com
      tls
      973 B
      5.2kB
      8
      8
    • 216.239.32.29:80
      http://pki.goog/repo/certs/gts1c3.der
      http
      1.3kB
      6.2kB
      11
      11

      HTTP Request

      GET http://pki.goog/gsr1/gsr1.crt

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gtsr1.der

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gts1c3.der

      HTTP Response

      200
    • 77.91.68.48:19071
      c2489469.exe
      260 B
      5
    • 77.91.68.48:19071
      c2489469.exe
      260 B
      5
    • 77.91.68.48:19071
      c2489469.exe
      260 B
      5
    • 77.91.68.48:19071
      c2489469.exe
      260 B
      5
    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      283 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

      DNS Response

      172.217.169.10
      216.58.212.202
      172.217.169.42
      142.250.179.234
      142.250.180.10
      142.250.187.202
      142.250.187.234
      142.250.178.10
      172.217.16.234
      142.250.200.10
      142.250.200.42
      216.58.201.106
      216.58.204.74

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      132 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      70 B
      1
      1

      DNS Request

      pki.goog

      DNS Response

      216.239.32.29

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      128 B
      1
      1

      DNS Request

      pki.goog

    • 8.8.8.8:53
      10.169.217.172.in-addr.arpa
      dns
      73 B
      112 B
      1
      1

      DNS Request

      10.169.217.172.in-addr.arpa

    • 8.8.8.8:53
      29.32.239.216.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      29.32.239.216.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      136.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      136.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      139.53.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      139.53.16.96.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      31.243.111.52.in-addr.arpa

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      148 B
      128 B
      2
      1

      DNS Request

      172.210.232.199.in-addr.arpa

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      201.201.50.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      201.201.50.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe

      Filesize

      1.4MB

      MD5

      6dcf605b283d99f56267f2b456b144b0

      SHA1

      07c2968c300b767ea952dfa70766de0f5e0a01e4

      SHA256

      338a566494a7bec1e3b1a3402a6411cdce4f6b9a43f91cf635b6e623e841b0b2

      SHA512

      19db68dbdb0a91825cecd2cc95dff3c4b6ea4e7bda9bd5133a8659889278e2050e52a19c7b2e3c92f3141ed5c0f01218b274b84b34750fb8f184dd1018d7f6ff

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe

      Filesize

      1.2MB

      MD5

      4b8bec8c7d90c10a6c3a4206cd0daacd

      SHA1

      3ee5c267c9f1941a77df3fe9f7496ee317c9b946

      SHA256

      5bbd2b8698ae1d319de29643dedf3409bb9dd36465d0819a5ee0f8d2bc699dc3

      SHA512

      21541e4b32b87567499a5630950c46d3cdb93daa1cd56bfff2fb510b3df2d1483973a183a4a7cdbd5f966f5af043999eb70b5fc41d47e6af2e743884062ffe74

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe

      Filesize

      692KB

      MD5

      e6cd29bf585e04ccee606ec312366e6e

      SHA1

      6ce37e0bce59a8902615918436a0e9f8771aedab

      SHA256

      0c52bae0af3af62e8abfeb1f39bef2518d59a00d62e3b0f8a3617f1b934192bf

      SHA512

      02258ada9982d2553c99abd3d8ecf5322aadfaceaa09373bd77029a43f743a55992206cc9d16394a112ef989a24bd96ba50cbaa0ec9557f207f8d42207c60100

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe

      Filesize

      620KB

      MD5

      b16e4a16f725f2433e720ce4e53b11c3

      SHA1

      d0ce61897edd0987c07973f8528843657059e1c7

      SHA256

      5cd250f298fde835d29a5626f9f04885e6ab5d2038524b54c17418a7803aa4ed

      SHA512

      805c1a61ca8023438f695bf72c69cf6e7eca12f0378ad7cf429607481da678c53eaea9bf0849505e493e83fbcab61abc240320f9d10d0633eb9c046a63e0fc03

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe

      Filesize

      530KB

      MD5

      168857576903636965cac80e95ea7283

      SHA1

      96d8cac6e77c26e6eb0f998486ab5fa944dcefd6

      SHA256

      929f8a773b6bd8b411cc67be1d2d091486dc07b342b953778f3bb11296e04013

      SHA512

      61af83f8484c30e950c940eba5cb112f3981ad408c8133d50a321e1239b16ebb0e031b8d683437386baf925734a103a76b904cdf1a8bff0090a144199df07ab4

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe

      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    • memory/556-49-0x000000000A500000-0x000000000A60A000-memory.dmp

      Filesize

      1.0MB

    • memory/556-42-0x0000000000450000-0x0000000000480000-memory.dmp

      Filesize

      192KB

    • memory/556-47-0x00000000020D0000-0x00000000020D6000-memory.dmp

      Filesize

      24KB

    • memory/556-48-0x0000000009EA0000-0x000000000A4B8000-memory.dmp

      Filesize

      6.1MB

    • memory/556-50-0x000000000A640000-0x000000000A652000-memory.dmp

      Filesize

      72KB

    • memory/556-51-0x000000000A660000-0x000000000A69C000-memory.dmp

      Filesize

      240KB

    • memory/556-52-0x000000000A700000-0x000000000A74C000-memory.dmp

      Filesize

      304KB

    • memory/4428-37-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

      Filesize

      40KB

    • memory/4668-28-0x0000000000510000-0x000000000051A000-memory.dmp

      Filesize

      40KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.