Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04/11/2024, 14:24
General
-
Target
7e78533e71f4af5018548f24422dbe50d160bc89b3a7610248542e00b3f484c2.exe
-
Size
687KB
-
MD5
965a1be617b63b502b36acf070e2c1d4
-
SHA1
c7c6a7a671565e630d1f765667f4961cffd21a0c
-
SHA256
7e78533e71f4af5018548f24422dbe50d160bc89b3a7610248542e00b3f484c2
-
SHA512
b73028cd7bf53e3c19828c3195b18ecf47562731a6aa054078506c8f51dcfd6d1f0198ac8b9f6eee264cc93ddbc8e2dcc5d6f7d5abdb7b9cce72ed5b142512b7
-
SSDEEP
12288:1Mrgy90MQNQXvURWQkGsWYyhnQt13R61S7XIVckr+GooSRhUQQIfe4DE:ByDa33oyhQ/3R61ScVckanr3bDNg
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e78533e71f4af5018548f24422dbe50d160bc89b3a7610248542e00b3f484c2.exe"C:\Users\Admin\AppData\Local\Temp\7e78533e71f4af5018548f24422dbe50d160bc89b3a7610248542e00b3f484c2.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un092574.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un092574.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6517.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6517.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 10124⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0936.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0936.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1488 -ip 14881⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
545KB
MD5aa73cd02f3b3b67a39124339e8b6f81c
SHA151e2dd6d6c56c6aa65e99d99696c18d2dab09555
SHA25678399206082cf7e6df270f857fe1aa21b4fbe98ff188e6d5f8b163fb39fb9f85
SHA51290b9280723edd2f40fd66e426d9889b85e7ccaf28f16367f56007d3b23fb8245a5ba83339e0276ece4d8fcf0b34fa7c79a48c400ef978e8fa0aada34110b5203
-
Filesize
325KB
MD5d28389769a71fc7c10b8c90e340c2789
SHA1638fc9aa1d5775382f767dd76dc81b284fb110fb
SHA256beb5d01f5eac6a1ac3e0b07f98d34beac0f9405c77bf964aad275a691e38a153
SHA5125f2611e9e74c7c6c43f319d87a6b1d7ad3a2843cf0b748fbd01ddfcfcfe2bf000eb738faa18b8e608cf4dace15710b296dc8a9a4b3a99c59b18d69043bae0f3f
-
Filesize
383KB
MD5dec92a2f1c30674e4c4bf0cae2a7b6a5
SHA1a06588ba7ee54518be8a372f307feeb91a16451f
SHA256f2abdfb99bb6e8e9c1835d69c0f6a54c7cbb7a6dc2a3e136fd09aa0904a00313
SHA512f3425dc190006ffa4e1cc86ba361ea4b4bc3747094c2a8626d1359b6fe7b9d0de144cb33b44da7f80d87acaafd1dacb9ed01cb05a583eb39fe81e0599dde8a4c
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
252KB
-
Filesize
72KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
280KB
-
Filesize
72KB
-
Filesize
39.5MB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
39.5MB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
1024KB