Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d2a822f865...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d2a822f865a5fc4a0bd08c6bf79d6d1a91b878861e372497b1c6e9b8a113d4c3.exe

  • Size

    986KB

  • MD5

    c078f3c95f52aaa6b42d3a11f51c35be

  • SHA1

    4b25c07499eeec21b48e720a3995633af2eb3d9d

  • SHA256

    d2a822f865a5fc4a0bd08c6bf79d6d1a91b878861e372497b1c6e9b8a113d4c3

  • SHA512

    4fd7e01a651f0722525552adc3205f84f3e0c039a138b9c5d529d2f0f100b8d188d05fe76c6041b5a330b07fec2d1e46f9674687fde9608b8fe8c791ee2790f8

  • SSDEEP

    24576:PyHXuTWVrtQF63cFZkwZ4uVoSYSIgInDv0wDu6:a+TWuFWwOAoSYhdDD

Score
10/10
healerredlinerostodiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2a822f865a5fc4a0bd08c6bf79d6d1a91b878861e372497b1c6e9b8a113d4c3.exe
    "C:\Users\Admin\AppData\Local\Temp\d2a822f865a5fc4a0bd08c6bf79d6d1a91b878861e372497b1c6e9b8a113d4c3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptyj3972Pi.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptyj3972Pi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptkI4879Zz.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptkI4879Zz.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptTe0771Tg.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptTe0771Tg.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTZ89Vz92.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTZ89Vz92.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2176
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1080
              6⤵
              • Program crash
              PID:528
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctTv58eD46.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctTv58eD46.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drjm56Mv45.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drjm56Mv45.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2176 -ip 2176
    1⤵
      PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptyj3972Pi.exe
      Filesize

      841KB

      MD5

      d2b7c37242ab9159999288b2cb11350c

      SHA1

      6f46bb6ab43e50e6d50fecf81ceb8a52eb798a89

      SHA256

      44c92de3a6e86b48f38f0b3f9771ee8c1217005ee12aca4a8d70d3fd631b8b8c

      SHA512

      543707b7a27e7c57cffa61b2d5863b135d378960633250a82d5ba82cdc88243845c0d7e6005ee484c500eaf7051e6e45923e6db835c97cdf18c68a502906039c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptkI4879Zz.exe
      Filesize

      654KB

      MD5

      b8f401faa751fc9d7981141e4419570a

      SHA1

      0b04e9e9bdf8b1ac096683aae4cd52b45f8316a6

      SHA256

      b314cfd993c9cabd63dd0076ca239f3478257598fe198b5d27cc80e717ccf3b4

      SHA512

      5e01cda2f03fcb4754f80d4f7a221139f65d46fca02811b0c4b617b6b4a73a18d5556ad99906d40b06f00360774b682a32a29e3576d14650a45f9f11d8defb0a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drjm56Mv45.exe
      Filesize

      289KB

      MD5

      2f4cc1f23eb48e82efaebf3a1896f859

      SHA1

      4ab1e0c840ff9a17750eb2d04f83232e405ba4aa

      SHA256

      d8c6b8b67be7dff9b41a2698e9e243f50e9ad18cd93e72eef94364ff33af80c5

      SHA512

      62a32e76aaad71a247765270b993d8da7f6b8a4c9c1bd309c152cb7daaee208994cde3bda2d568882dc73d7a5ff8698deec22ca63344c721c8c096453aaf1520

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptTe0771Tg.exe
      Filesize

      327KB

      MD5

      bb9707f97eb5d056700a9a45b396749b

      SHA1

      22801f50f4ca8749db6abb119ebcd9d4dc08576b

      SHA256

      dbb42df2cfef3d46d82f6eb09d05c7f3290cf16be2f32a63e923d580e6d44c76

      SHA512

      ccb8da8ab267e731d088bd1f18d13202a3248e926b17119a0e0efe7a4cc12243832b51f5693af5e6fe14abc2328b55130a58e312188e67d722dedf711c0d5256

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTZ89Vz92.exe
      Filesize

      232KB

      MD5

      f3485715fe2d80d33e70701bcd2cef21

      SHA1

      bff701ea0725c258d5b502dedd9ff1f7747ad837

      SHA256

      3fff6a5d12b2a38f9c1df1004dd8dcd1323c1e79e487f94497b78b021f27479a

      SHA512

      df92c03245e43b1c6f63895873247106f829676e83db6aca5aee8f46488b4c9c756ce42c04b3524d04ca60d0988e7d697ecf50ead1cf3f3f0f8f3be5bd3b215e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctTv58eD46.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • memory/2176-51-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-45-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-59-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-57-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-55-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-53-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-31-0x0000000004B20000-0x0000000004B38000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2176-49-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-48-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-32-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-43-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-42-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-40-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-37-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-35-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-33-0x0000000004B20000-0x0000000004B32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-60-0x0000000000400000-0x000000000057E000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2176-62-0x0000000000400000-0x000000000057E000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2176-30-0x0000000004D20000-0x00000000052C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2176-29-0x0000000000920000-0x000000000093A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3272-72-0x0000000002440000-0x0000000002486000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3272-87-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-73-0x0000000005170000-0x00000000051B4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3272-75-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-83-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-107-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-105-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-103-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-99-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-97-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-96-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-91-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-89-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-984-0x0000000005B10000-0x0000000005B5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3272-85-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-81-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-79-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-77-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-101-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-93-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-74-0x0000000005170000-0x00000000051AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3272-980-0x00000000051C0000-0x00000000057D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3272-981-0x0000000005860000-0x000000000596A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3272-982-0x00000000059A0000-0x00000000059B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3272-983-0x00000000059C0000-0x00000000059FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4164-66-0x0000000000C70000-0x0000000000C7A000-memory.dmp

      Filesize

      40KB

      Download