Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d785bfc1f1...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d785bfc1f1ef04fd21c07262a5bac8fac072edcdc8150892df7ed5c67ef39b7f.exe

  • Size

    688KB

  • MD5

    ac9b29871b4a163063232fb5d439a092

  • SHA1

    b8de417234287b40053005cce253f20378a68155

  • SHA256

    d785bfc1f1ef04fd21c07262a5bac8fac072edcdc8150892df7ed5c67ef39b7f

  • SHA512

    7fa7282cb4d2ea87b67e0fe81e29fe7a408c05c4e878e5ef4a708013273fcd71eec1be0c42f716414db6bab5ec51274b0ee2f561e465a319c5e919b1dfb5b543

  • SSDEEP

    12288:BMrjy90M2PZHRqq54zCR55JBDApnuGVe69ubvYvfVmFjvBgsVUdAo8j2OjMu9X8i:GyT2hHwkiBuGVAbvYtmUSZ9Xl

Score
10/10
healerredlineborisdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d785bfc1f1ef04fd21c07262a5bac8fac072edcdc8150892df7ed5c67ef39b7f.exe
    "C:\Users\Admin\AppData\Local\Temp\d785bfc1f1ef04fd21c07262a5bac8fac072edcdc8150892df7ed5c67ef39b7f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0913.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0913.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1255.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1255.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1080
          4⤵
          • Program crash
          PID:3044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3160 -ip 3160
    1⤵
      PID:3776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0913.exe
      Filesize

      547KB

      MD5

      5edbb862fa69374211db942d1fc3ae28

      SHA1

      f7a3e615ff1e3b670be077789345968abe34ffac

      SHA256

      7f91a78523a3a0e64802f77bcd08f434d5934f9f9fb8e8bd1fee5741e60bce57

      SHA512

      0dd54bfed6709174318a218f720373a6ad8c2a80144808f9e2563a5118b9ee2dd1b919b41b603cbb95774d1a04a44b99e1b54f12cfb15ea4db501867fcd622d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1255.exe
      Filesize

      328KB

      MD5

      a1a8b9d170f3d58e3a9383908c2182d1

      SHA1

      2bc453d376191c5c8e22d9e6f0ad320164cab0c0

      SHA256

      12ea8c302435771890e8af2bfbbe557c9a3b1c9c3e251cf0edae54b95ea844bd

      SHA512

      a1ac3655e6c393945a921812503db884bd956c9440536ecbed606ce4418c3e73d80b949485fb00af215fe6aa0147f837d2412ab163013b4622000939cf4fcf22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe
      Filesize

      386KB

      MD5

      eb8fed61ceee1076fc2aa92cf8947807

      SHA1

      a93170b8645ac8925d43f5ecef04db50b02e9b2b

      SHA256

      73fa3d42b9c995e4b52cd686ed3aee6fe6387c8e4eef48a0b8c87640e86ab9a3

      SHA512

      6821a1fec104705c7d3937ed07ac15ad6aaced3b5e7b0e35040f35b2dd0ac59809b32e99dbc7e7deaa0857684a820b0788ed41b34b96f0a2c8a47784adcf7d52

      Download Submit

    • memory/1688-73-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-77-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1688-968-0x00000000077E0000-0x0000000007DF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1688-62-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-95-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-65-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-67-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-69-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-71-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1688-972-0x0000000008110000-0x000000000815C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1688-75-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1688-79-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-81-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-84-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-85-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-87-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-91-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-93-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-89-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-63-0x00000000071D0000-0x000000000720F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1688-61-0x00000000071D0000-0x0000000007214000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1688-60-0x0000000004DC0000-0x0000000004E06000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3160-40-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-54-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/3160-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3160-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3160-50-0x0000000000400000-0x0000000002B7F000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/3160-51-0x0000000002B80000-0x0000000002BAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3160-49-0x0000000002C40000-0x0000000002D40000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3160-36-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-21-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-24-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-26-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-28-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-30-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-32-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-34-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-38-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-46-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-42-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-44-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-48-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-22-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3160-20-0x0000000004CC0000-0x0000000004CD8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3160-19-0x0000000007220000-0x00000000077C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3160-18-0x00000000048C0000-0x00000000048DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3160-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3160-16-0x0000000002B80000-0x0000000002BAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3160-15-0x0000000002C40000-0x0000000002D40000-memory.dmp

      Filesize

      1024KB

      Download