Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d9d333f33a...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9d333f33a300152fe4721bd02b4ffa1be38478c1e1a38e95e6c8a01d885768d.exe

  • Size

    812KB

  • MD5

    c9879651160ba06b683ac7e2878d4489

  • SHA1

    0dd26591b1a935c23d75fff0f39f5958b0837e76

  • SHA256

    d9d333f33a300152fe4721bd02b4ffa1be38478c1e1a38e95e6c8a01d885768d

  • SHA512

    7939a225a17ef9f83567f18e16644ba2bbdf65fedb3fd871e5bc6601a70d66d4837fac494657798cf06bbfac9afc0eec0d06468997a96c8a1632d5f407a599cc

  • SSDEEP

    24576:IymEydqReSVzLaIDn59s3qw87CJ9tugvzvX:PFWqQcPp/XZgT

Score
10/10
healerredlinemangodiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9d333f33a300152fe4721bd02b4ffa1be38478c1e1a38e95e6c8a01d885768d.exe
    "C:\Users\Admin\AppData\Local\Temp\d9d333f33a300152fe4721bd02b4ffa1be38478c1e1a38e95e6c8a01d885768d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice0568.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice0568.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice7954.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice7954.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8039yB.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8039yB.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c52QK28.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c52QK28.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3632
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1088
            5⤵
            • Program crash
            PID:3952
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQwro07.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQwro07.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3632 -ip 3632
    1⤵
      PID:3124

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice0568.exe
      Filesize

      667KB

      MD5

      1bbfcc2fdf5af32457bdd0527015312b

      SHA1

      4906d495315407c16361a3608ac0e49214b801eb

      SHA256

      943ecf817d9fcce1ec4ad6517a9bfb20ac1af425ab3094cfb39e50b65508b13e

      SHA512

      8387e86d7d6f5932cfbb2f545cb9d77a368212ccc3144d046fdf0fffdf9ec26843cb3736472245e187b8104e9c9de61169be5257fda9c1ff0f082e424d2d0fa3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQwro07.exe
      Filesize

      309KB

      MD5

      aa4bb4245cae5858bd5a497c4ac52fdf

      SHA1

      0ea7ca34ac364a53c9895d236540371662e4f19b

      SHA256

      8706dd37030d4f08b441439d010bf90ab8271acc784f3e4c895296da48e25215

      SHA512

      e0199e32a4bc749b87fe14f1350a765c7f6de104ed5171913588e39b94414d1d4023ad75e815f0ad190c1d47e1cd36a6a3799e8f95a1601008cebec0fbf9b79c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice7954.exe
      Filesize

      333KB

      MD5

      e7bbda0f8ddad6f18feebf9413da93c9

      SHA1

      04ddae55475d14b84c3d32db7c4654957db33f31

      SHA256

      f509ec5147f7aa900c1fe57b1c4608acab46998bcc9622d94f4597e603c0858d

      SHA512

      6c2af8cb674760aa3fde1bc1d82beacd15882c91c7c1ac3241ac0b30d845dc03b5c67ad5d74325a23f94aa08eaeae62fad2b218af1221fb52fc57627cce7638d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8039yB.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c52QK28.exe
      Filesize

      250KB

      MD5

      7d8b757129965be10a76fc3a1e5da834

      SHA1

      5ddca9434b249404ad41eb3b1504fdbfae6790c2

      SHA256

      93fd398134ff78b118be29b0ae656391fd8da1eba4f7386061fa9c1549cb1376

      SHA512

      002e06c64df25f7931c8e5e247f6fe51419424e44b9c88c793dceca3f045e84cc1e555b708bf0dfbeea4dd5f221d41147f8858d4d8bfcc4f7462967e72617e43

      Download Submit

    • memory/1604-88-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-78-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-979-0x0000000005A50000-0x0000000005A9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1604-978-0x0000000005900000-0x000000000593C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1604-977-0x00000000058E0000-0x00000000058F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1604-976-0x00000000057B0000-0x00000000058BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1604-975-0x0000000005150000-0x0000000005768000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1604-69-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-102-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-70-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-72-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-100-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-74-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-80-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-83-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-84-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-86-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-90-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-92-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-94-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-96-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-98-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-76-0x0000000005110000-0x000000000514E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1604-67-0x0000000004A70000-0x0000000004AB6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1604-68-0x0000000005110000-0x0000000005154000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2052-21-0x00007FFF6FF33000-0x00007FFF6FF35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2052-23-0x00007FFF6FF33000-0x00007FFF6FF35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2052-22-0x0000000000F60000-0x0000000000F6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3632-59-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-62-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

      Download

    • memory/3632-60-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

      Download

    • memory/3632-33-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-35-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-39-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-41-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-43-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-45-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-47-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-49-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-53-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-55-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-57-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-51-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-37-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-32-0x0000000002600000-0x0000000002612000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3632-31-0x0000000002600000-0x0000000002618000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3632-30-0x0000000004BB0000-0x0000000005154000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3632-29-0x0000000002350000-0x000000000236A000-memory.dmp

      Filesize

      104KB

      Download