Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1cc8de6168...ba.exe

windows7-x64

10

1cc8de6168...ba.exe

windows10-2004-x64

10

1cc8de6168...ba.exe

windows10-ltsc 2021-x64

10

1cc8de6168...ba.exe

windows11-21h2-x64

10

Resubmissions

29/10/2024, 12:54 UTC

241029-p5dzaavjbw 10

06/05/2023, 23:47 UTC

230506-3tc5habf7v 10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    29/10/2024, 12:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cc8de61685ced27317a99c7f04145f5a732bffa2a1bb062d5518d0165d5f9ba.exe

  • Size

    1.2MB

  • MD5

    a97748f56e8ebc584cb4e09f55419ec2

  • SHA1

    af7da012d6acb8a207487c4581a1b80eeaeb7a62

  • SHA256

    1cc8de61685ced27317a99c7f04145f5a732bffa2a1bb062d5518d0165d5f9ba

  • SHA512

    1d9759acb064ae17b4edcba626b7b26b1365e51eef19a422c9f660962ab2ad7cc41999e5832bdd2c988f9c68c8c3b6de3e1087acfe1492bd0afadae65ebbf153

  • SSDEEP

    24576:W0zwEbpelsnjkyfxpcP7kJxnSnF83PRiGBgy3rIgBQzbypT6bg6gO:W0zNUYjkCcPoJgK3ss+y4bN

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cc8de61685ced27317a99c7f04145f5a732bffa2a1bb062d5518d0165d5f9ba.exe
    "C:\Users\Admin\AppData\Local\Temp\1cc8de61685ced27317a99c7f04145f5a732bffa2a1bb062d5518d0165d5f9ba.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4908
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1220
            5⤵
            • Program crash
            PID:3552
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4908 -ip 4908
    1⤵
      PID:3112

    Network

    • flag-us
      DNS
      140.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77deploystaticakamaitechnologiescom
    • 185.161.248.143:38452
      211336502.exe
      260 B
       5
    • 185.161.248.143:38452
      211336502.exe
      260 B
       5
    • 185.161.248.143:38452
      211336502.exe
      260 B
       5
    • 185.161.248.143:38452
      211336502.exe
      260 B
       5
    • 185.161.248.143:38452
      211336502.exe
      260 B
       5
    • 185.161.248.143:38452
      211336502.exe
      260 B
       5
    • 185.161.248.143:38452
      211336502.exe
      208 B
       4
    • 8.8.8.8:53
      140.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      140.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe
      Filesize

      762KB

      MD5

      f06e39167486fc96f3eeb3ac7407b38b

      SHA1

      f330a5b7b428a395615b8f95c30107e1ab039b7e

      SHA256

      39a59c9411b604de582b4d0defd8af49451ed7bb019e4eb8bf66fee6250edcd8

      SHA512

      4b97f8d7443c6a4b193940f31673283e11b0751fd2594d5485ee1f26985651d3e32bd7cde6ade4150c804aa5c79faaffdbf5cf51ac7a4b0b3c592e3aa13c6048

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe
      Filesize

      591KB

      MD5

      b5d38b0b9fec4b6c942b149c0e893bbd

      SHA1

      2707e6fac8b5cf387d9fdcc489c9e9f3116c5ee0

      SHA256

      dfb7f1f7c6de8988f69b12dbcc4c9bf2ddb8ddaec696fe86a0be556ca94daadd

      SHA512

      4cbc1419c027daf6a762506c2d83d769758663c0ebbef8a7b1ea04facc20b2dea2774a31996779a06f61231480e1817d19f1b78831459830e960a38eaa6d151e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe
      Filesize

      376KB

      MD5

      16143c4bd073fcf8abd2525f982c6190

      SHA1

      549358b2aa895b77df17f1d9fd597ed5b2798478

      SHA256

      14f7f92ecee0d34d1f2d355ecd7c1f45e0c5ed9bb2d2446260f042a9e330bbc9

      SHA512

      0c4d29781074baacd9d75299020938b68058ae91a78217cb07764d3d047af9171ba5f1630da15184c45dd6f20ea0872fdfcc68e6c4a49274eca5d11fe62bd497

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe
      Filesize

      459KB

      MD5

      2186dc864e1223afb8e92fe85dc5c4ce

      SHA1

      ee85f66eb3a79d8e1791aebc68ca8992d82ac0c8

      SHA256

      566d0becdc1909aebbb4db85776e196fc0bd50a704f6731286852881723b5b78

      SHA512

      544dfeb63e25fe4dcd761bd653d18bd5fedb3eb24923a99f06415c28cc2f6297e644952f67b824c3a5ba5222afa640166d6e4f019da89e9c9ed469699c977cfa

      Download Submit

    • memory/768-60-0x0000000002680000-0x0000000002789000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/768-2-0x00000000027D0000-0x00000000028D6000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/768-3-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/768-1-0x0000000002680000-0x0000000002789000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/768-63-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/768-62-0x0000000000400000-0x0000000000509000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/768-61-0x00000000027D0000-0x00000000028D6000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4812-80-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-74-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-869-0x00000000048C0000-0x000000000490C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4812-868-0x0000000008310000-0x000000000834C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4812-867-0x00000000081F0000-0x00000000082FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4812-866-0x00000000081D0000-0x00000000081E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4812-865-0x0000000007BB0000-0x00000000081C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4812-94-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-96-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-98-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-100-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-102-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-73-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-76-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-78-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-104-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-82-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-84-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-88-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-90-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-92-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-86-0x0000000004E30000-0x0000000004E65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4812-71-0x0000000004DF0000-0x0000000004E2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4812-72-0x0000000004E30000-0x0000000004E6A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4908-32-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-39-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-28-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4908-29-0x00000000024E0000-0x00000000024FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4908-30-0x0000000005110000-0x00000000056B6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4908-31-0x0000000002580000-0x0000000002598000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4908-33-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-26-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4908-35-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-41-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-66-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4908-27-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4908-37-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-43-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-45-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-47-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-49-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-51-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-53-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-55-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-57-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4908-59-0x0000000002580000-0x0000000002592000-memory.dmp

      Filesize

      72KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.