Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e44a351109...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe

  • Size

    537KB

  • MD5

    cacad4e5230e2f23f4e343ff2eab9478

  • SHA1

    afe0d0fdefa4e1dd2b163f271fe99314a780dca3

  • SHA256

    e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3

  • SHA512

    77f563f695866d1446faec19d9f1461b161416bbc497ec944ed7fdff6de24536c3f9854c804ca4320efd0ef4861743792a9afb981e277341c86968d5fcb47fed

  • SSDEEP

    12288:KMr+y90y/uqhfWA//98dLuDUsQHVwIT91CXQ41v7Y7xpeUPi+L:AycwWU98puDY1wO91QQsvs7xk8xL

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe
    "C:\Users\Admin\AppData\Local\Temp\e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe
    Filesize

    395KB

    MD5

    e3cbd2c100cba4536e3a10ee825a112f

    SHA1

    5f75b44b5cbac04bc382347aecbeae648193c9af

    SHA256

    0932998dca11059c3d35c8f5147f92cd24a85d0446a8b3af7f442f6cdfe87f50

    SHA512

    495bd25dc2bfcea149c0a7747fe70d36ec9c43cd351a9e56872c5508592fd997784ec98c2ab2a7624dd894d36947bb491f8b7971e4287c442a4e62f2ec276e6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe
    Filesize

    13KB

    MD5

    ce79d92003032d72af265412d78fd580

    SHA1

    7e6b1d8774a11b49e0deb15bc58957099d11e0ce

    SHA256

    f241c84c5edaee59f48e523535a63960acc5f5a545ee4840d7587bdc98bcd22a

    SHA512

    f917091d4837f10a801b6da65a04243b791b7598642941f6da2b89e843660fe6b388249d6b71f4a45b6fdcdde583ff8f19a68b432f3ab59db6ae95b7c2d9cb91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe
    Filesize

    352KB

    MD5

    07c11341bc44bc2554fe6275a0106647

    SHA1

    d627e20f5f8ae589060d01e64b1274c22a8f740e

    SHA256

    b7c615b40a3d4fb4a72cc9ad2bbb6296ade914e6ef06bf933fdaceac0c54c8b8

    SHA512

    643d119757a7f95c3b11687c7800a5652a1e4f841920fabd40ea88b44d3970b042150cb30f4203cb857a8ecf90b3032aeb73fe9489f241b52813f324c4c43c21

    Download Submit

  • memory/2712-14-0x00007FFF65B43000-0x00007FFF65B45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2712-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2712-16-0x00007FFF65B43000-0x00007FFF65B45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2828-62-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-50-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-24-0x00000000053C0000-0x0000000005404000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2828-38-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-40-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-88-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-86-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-82-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-80-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-78-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-76-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-74-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-72-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-70-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-66-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-64-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-22-0x00000000029B0000-0x00000000029F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2828-60-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-56-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-54-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-52-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-23-0x0000000004E10000-0x00000000053B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2828-48-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-47-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-45-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-42-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-36-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-34-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-32-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-30-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-84-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-68-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-58-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-28-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-26-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-25-0x00000000053C0000-0x00000000053FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2828-931-0x0000000005440000-0x0000000005A58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2828-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2828-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2828-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2828-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download