Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e44a351109...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe

  • Size

    537KB

  • MD5

    cacad4e5230e2f23f4e343ff2eab9478

  • SHA1

    afe0d0fdefa4e1dd2b163f271fe99314a780dca3

  • SHA256

    e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3

  • SHA512

    77f563f695866d1446faec19d9f1461b161416bbc497ec944ed7fdff6de24536c3f9854c804ca4320efd0ef4861743792a9afb981e277341c86968d5fcb47fed

  • SSDEEP

    12288:KMr+y90y/uqhfWA//98dLuDUsQHVwIT91CXQ41v7Y7xpeUPi+L:AycwWU98puDY1wO91QQsvs7xk8xL

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe
    "C:\Users\Admin\AppData\Local\Temp\e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2828

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 176.113.115.145:4125
    ku425158.exe
    260 B
     5
  • 176.113.115.145:4125
    ku425158.exe
    260 B
     5
  • 176.113.115.145:4125
    ku425158.exe
    260 B
     5
  • 176.113.115.145:4125
    ku425158.exe
    260 B
     5
  • 176.113.115.145:4125
    ku425158.exe
    260 B
     5
  • 176.113.115.145:4125
    ku425158.exe
    156 B
     3
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe
    Filesize

    395KB

    MD5

    e3cbd2c100cba4536e3a10ee825a112f

    SHA1

    5f75b44b5cbac04bc382347aecbeae648193c9af

    SHA256

    0932998dca11059c3d35c8f5147f92cd24a85d0446a8b3af7f442f6cdfe87f50

    SHA512

    495bd25dc2bfcea149c0a7747fe70d36ec9c43cd351a9e56872c5508592fd997784ec98c2ab2a7624dd894d36947bb491f8b7971e4287c442a4e62f2ec276e6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe
    Filesize

    13KB

    MD5

    ce79d92003032d72af265412d78fd580

    SHA1

    7e6b1d8774a11b49e0deb15bc58957099d11e0ce

    SHA256

    f241c84c5edaee59f48e523535a63960acc5f5a545ee4840d7587bdc98bcd22a

    SHA512

    f917091d4837f10a801b6da65a04243b791b7598642941f6da2b89e843660fe6b388249d6b71f4a45b6fdcdde583ff8f19a68b432f3ab59db6ae95b7c2d9cb91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe
    Filesize

    352KB

    MD5

    07c11341bc44bc2554fe6275a0106647

    SHA1

    d627e20f5f8ae589060d01e64b1274c22a8f740e

    SHA256

    b7c615b40a3d4fb4a72cc9ad2bbb6296ade914e6ef06bf933fdaceac0c54c8b8

    SHA512

    643d119757a7f95c3b11687c7800a5652a1e4f841920fabd40ea88b44d3970b042150cb30f4203cb857a8ecf90b3032aeb73fe9489f241b52813f324c4c43c21

    Download Submit

  • memory/2712-14-0x00007FFF65B43000-0x00007FFF65B45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2712-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2712-16-0x00007FFF65B43000-0x00007FFF65B45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2828-62-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-50-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-24-0x00000000053C0000-0x0000000005404000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2828-38-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-40-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-88-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-86-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-82-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-80-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-78-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-76-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-74-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-72-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-70-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-66-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-64-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-22-0x00000000029B0000-0x00000000029F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2828-60-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-56-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-54-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-52-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-23-0x0000000004E10000-0x00000000053B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2828-48-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-47-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-45-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-42-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-36-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-34-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-32-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-30-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-84-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-68-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-58-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-28-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-26-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-25-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-931-0x0000000005440000-0x0000000005A58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2828-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2828-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2828-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2828-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.