Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23/05/2024, 19:03
General
-
Target
8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe
-
Size
628KB
-
MD5
128b755cd25a91c7322dd65c70ff4f7a
-
SHA1
c61f3449981c9389672005c0976b26a2f5288950
-
SHA256
8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5
-
SHA512
06573cef4530821eb96c797802a3920c98781aeb7b75fc3812c9b4b11cf49e04706580be12a1a6f7b856725e1371c5d178699cc25e22cd4105cd8ef7a4eef441
-
SSDEEP
12288:xMr+y90wTyutwnA6Swsg7w2OwEpzU+5kbesfe6g4mEk0A80:zyRP/HgB0pzU+eyLx4Zk070
Malware Config
Extracted
redline
buben
77.91.124.82:19071
-
auth_value
c62fa04aa45f5b78f62d2c21fcbefdec
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe"C:\Users\Admin\AppData\Local\Temp\8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6712598.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5675384.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 5844⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1166075.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2636 -ip 26361⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
443KB
MD514af3187195ca11ff6f1455ed1a03b96
SHA176e62d3dbd6f2daaa690602d5ab0cc5d0b60c8fc
SHA256796ad9df894fba0df29f9dc90f4d1741dc436eba68503d9cd8dcff5ebac65026
SHA512fa63a527359daf4dde455aba264fe6059b7ea96e5735e923f43e1822eacf13e6d1cd669261fe5cf9e750bcd2c8b9b33205cf5f049d59342df10dbfb4577cd70a
-
Filesize
861KB
MD5624be5e5545abc5ebee0d55b266b9310
SHA11a2924902fc7d05a3e343ab6b3abfb07fcd54266
SHA2561552ecbd24ac9ee229416c679673cae800c48490e241721f91b538355702d3e7
SHA512f78db8733e1c5ed94dd384d091244bf781e8e1c1c27182705d0537fc2049b13e643b5a5de13ef207430c5cc74c8350447b040ccfda25e14c789e4c58366bf589
-
Filesize
174KB
MD5c6e8730d9d8f1a8e339ac201594a15f3
SHA1f27ff1a5a9a7cb1e1374f21b0297054df9c17e36
SHA2560dc67f2e648d4d96be4dccd6b9d8b0dda074c8b04f6d95c9a2827a157d0b6519
SHA512a9a69e1b1162ae7ac25e62bb45c856eeae7b8532307903669d8a428abd5c548ffba921a4a3c5e24092f236340edd0385a846380f188cc5d38d08aa9baebe433d
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB