Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

158692a7c2...71.exe

windows7-x64

10

158692a7c2...71.exe

windows10-2004-x64

10

158692a7c2...71.exe

windows10-ltsc 2021-x64

10

158692a7c2...71.exe

windows11-21h2-x64

10

Resubmissions

29/10/2024, 12:12 UTC

241029-pdnz6swngp 10

02/04/2023, 23:18 UTC

230402-3anrwsbe84 10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2024, 12:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71.exe

  • Size

    666KB

  • MD5

    79c42acfef4f418e432e9e9b6a31da51

  • SHA1

    bb7537c905b5eedd84951dc2ce2bc11cbe2185ad

  • SHA256

    158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71

  • SHA512

    d851e28e22a4ab6d4e41c6a404a9e16f4dae6d5f409c16a640c382eeb1c108cef01a052bdd9f844a7d00b5ec367f73204517c4946b55e40e997144cf9e738e70

  • SSDEEP

    12288:YMrqy90Jhv0JVYrjHPfQx7mq74n7DdPxCo27rU0/L/wLFk5+IR3SSc:yyANv3QxCW47DdpCZ7rFTwxkwy3nc

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71.exe
    "C:\Users\Admin\AppData\Local\Temp\158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un215760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un215760.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6248.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6248.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7671.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7671.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1904

Network

    No results found
  • 176.113.115.145:4125
    qu7671.exe
    152 B
     3
  • 176.113.115.145:4125
    qu7671.exe
    152 B
     3
  • 176.113.115.145:4125
    qu7671.exe
    152 B
     3
  • 176.113.115.145:4125
    qu7671.exe
    152 B
     3
  • 176.113.115.145:4125
    qu7671.exe
    152 B
     3
  • 176.113.115.145:4125
    qu7671.exe
    104 B
     2
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un215760.exe
    Filesize

    524KB

    MD5

    6755745bb38839fdf65af281bd969f00

    SHA1

    2f30b2583e3d93a8e314fb6b226c5f52b0364908

    SHA256

    09166615f7e43b8a529089d6a4206421a431a7079635574a3aecefc25b316787

    SHA512

    8cf1e61d159c0ddc3621d452275d512d84585115fe15c7d440fefe7980c9b52aadb6a0fd8b106abfb69dac3b4aadb5ea1384c9234f47a80b162f39d3ffa28751

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6248.exe
    Filesize

    294KB

    MD5

    9f4a43f973f56c272b93f3467e932ed0

    SHA1

    d0e6057849e49e23196cf7f2fa09fb84862e8b8e

    SHA256

    5c0129a963a3b4ff5857aff4ed1b732eb0cab3d9448049cca2bd2afad4ddee1f

    SHA512

    eda601937fc2ff739fbeaa8219c0b9077ec73bdc2ca698116ac5a46e127167aadbd025e9ce8fe83c47078f33caf39774caca91a6669ac1e0750add650531f465

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7671.exe
    Filesize

    352KB

    MD5

    618f6727e66ea87de6664ed6a989f81b

    SHA1

    e746378f2de3712225f2845834317d093085708f

    SHA256

    7880157d41d14177ee0e91874d91de189acac98ffbd0c8fb05ca1919ae233247

    SHA512

    93b0ca94f646b0650245e980a46d7b3aff643b4221150ecfdc9ed95471db445a6f0f503f106461b39ef83f607e665833c8ac24cf29063b8f6a0a0e807554b27c

    Download Submit

  • memory/1904-88-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-90-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-76-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-78-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-80-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-82-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-84-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-104-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-102-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-74-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-92-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-94-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-96-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-98-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-100-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-86-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-72-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-71-0x00000000051C0000-0x00000000051FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1904-70-0x00000000051C0000-0x0000000005204000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1904-69-0x0000000005180000-0x00000000051C6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2308-49-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-58-0x0000000000400000-0x00000000007FE000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2308-57-0x0000000000400000-0x00000000007FE000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2308-56-0x0000000000960000-0x0000000000A60000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2308-47-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-29-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-33-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-35-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-37-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-39-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-41-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-44-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-45-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-51-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-53-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-55-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-31-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-28-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2308-27-0x0000000000FC0000-0x0000000000FD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2308-26-0x0000000000E60000-0x0000000000E7A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2308-24-0x0000000000960000-0x0000000000A60000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2308-25-0x0000000000260000-0x000000000028D000-memory.dmp

    Filesize

    180KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.