Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f128ec6b82...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f128ec6b826d03c5d01f329763522ea394b7e94d1a153627448d497de7b490df.exe

  • Size

    542KB

  • MD5

    73e37518780946ddf321291030990222

  • SHA1

    5abfa43dd1afb7bfa77d6d64203a86c50c2ba88f

  • SHA256

    f128ec6b826d03c5d01f329763522ea394b7e94d1a153627448d497de7b490df

  • SHA512

    cbce5df33f4c25d173d6858567f87166ef6ca848f739a1c8d7732833adddfd154535f33109743d8174b4277a1169e4d70902a3e69324c50c1de7e7cd277e7f38

  • SSDEEP

    12288:TMrEy90oyasgYXeItV1ogGGwZ6qcW4RIkUZf+kdewDbl2:Hybsg45tHogGuW4qUkdrDbg

Score
10/10
healerredlinerumfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f128ec6b826d03c5d01f329763522ea394b7e94d1a153627448d497de7b490df.exe
    "C:\Users\Admin\AppData\Local\Temp\f128ec6b826d03c5d01f329763522ea394b7e94d1a153627448d497de7b490df.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vuU7315Jc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vuU7315Jc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58Wk98sP70.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58Wk98sP70.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQC49In19.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQC49In19.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vuU7315Jc.exe
    Filesize

    398KB

    MD5

    09cb4e90689489b91d2b61bac87cd57a

    SHA1

    0ced54bab4e51dd682cffb1bb2c8b7e92c697163

    SHA256

    e9468e0964f249c32e3517df484ff6170ebef8d9c334ac57abe0cd101c130b5e

    SHA512

    d2b076cb6e8d45703b31823059075b5761d7003f555b34ba879b5e3204a9ec9cd5cb33f939b93f283b4f8be242768f3411343791e9fdee4e17ef7af85c4d8ea7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58Wk98sP70.exe
    Filesize

    14KB

    MD5

    eb48040d0b89a690e35859d3c0d20f43

    SHA1

    bf764323a9abe836c12ced51f6fc441488fd3566

    SHA256

    cb207a7c78f9265a4d3d843a3b767ca08e728c57a2de42450af7de79eb8b5d66

    SHA512

    d1051868bb94dac7da8ef1c43b1a7599d05aed9bbd4d007ebdab5129cec11ba51741beb3933ef1bef339ea630e4b818143567b36f7423bf4a12888264bf6e8ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tQC49In19.exe
    Filesize

    367KB

    MD5

    1d723ff94958004611f8d9036d32a484

    SHA1

    494b2b1df04dd00bd4a6582ca026b45ed1e26f5e

    SHA256

    ce58c79e2d8396ebc000387ba86ec87273d28bd7dfa8310c49c59b22c7de42af

    SHA512

    9738bf0e92ad9b1f526a48a4262410186a961e0aa9e04ef1ecc4769b29d92339f46e331a65810ce72b27df319260ac8aba0636742690e95bc34f6d59fbf2ff61

    Download Submit

  • memory/112-62-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-34-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-935-0x0000000008150000-0x000000000819C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/112-22-0x0000000004A00000-0x0000000004A46000-memory.dmp

    Filesize

    280KB

    Download

  • memory/112-23-0x00000000072E0000-0x0000000007884000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/112-24-0x00000000071C0000-0x0000000007204000-memory.dmp

    Filesize

    272KB

    Download

  • memory/112-32-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-38-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-86-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-84-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-82-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-80-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-78-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-76-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-74-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-72-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-68-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-66-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-64-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-934-0x0000000008000000-0x000000000803C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/112-56-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-933-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/112-58-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-54-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-52-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-48-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-46-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-44-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-43-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-40-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-36-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-61-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-88-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-70-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-50-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-30-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-28-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-26-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-25-0x00000000071C0000-0x00000000071FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/112-931-0x0000000007890000-0x0000000007EA8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/112-932-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1224-16-0x00007FFFFB8D3000-0x00007FFFFB8D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1224-14-0x00007FFFFB8D3000-0x00007FFFFB8D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1224-15-0x0000000000620000-0x000000000062A000-memory.dmp

    Filesize

    40KB

    Download