Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f466928f67...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f466928f67d7a69dee3b8804af32a3097a375e8d0abddd01f725e48dd41094ae.exe

  • Size

    1.0MB

  • MD5

    85e2f92ebf28922761a78f55eda03ba4

  • SHA1

    04a67a0c8caa13fe0e2593a40fa7829a10e7beed

  • SHA256

    f466928f67d7a69dee3b8804af32a3097a375e8d0abddd01f725e48dd41094ae

  • SHA512

    26a70301af9d4eb3032f4b3459ddc61d2ccc28a57aaf5cde36fae490d09f3bb5688ac94d8cec0a5bbe66547cffe6e81ce352772902a538cf4e78822dbea6d971

  • SSDEEP

    24576:HyfRsXEzMxJ7Jd31awPvYz2gsYo7C+StpZDmAT3kEAu3B:SAEI77JdLYz2gym+StLB3

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f466928f67d7a69dee3b8804af32a3097a375e8d0abddd01f725e48dd41094ae.exe
    "C:\Users\Admin\AppData\Local\Temp\f466928f67d7a69dee3b8804af32a3097a375e8d0abddd01f725e48dd41094ae.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un620763.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un620763.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un503876.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un503876.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr429898.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr429898.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3796
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1080
            5⤵
            • Program crash
            PID:3704
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu770099.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu770099.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3796 -ip 3796
    1⤵
      PID:2624

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      67.209.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.209.201.84.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      75.117.19.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.117.19.2.in-addr.arpa
      IN PTR
      Response
      75.117.19.2.in-addr.arpa
      IN PTR
      a2-19-117-75deploystaticakamaitechnologiescom
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 185.161.248.152:38452
      qu770099.exe
      260 B
       5
    • 185.161.248.152:38452
      qu770099.exe
      260 B
       5
    • 185.161.248.152:38452
      qu770099.exe
      260 B
       5
    • 185.161.248.152:38452
      qu770099.exe
      260 B
       5
    • 185.161.248.152:38452
      qu770099.exe
      260 B
       5
    • 185.161.248.152:38452
      qu770099.exe
      260 B
       5
    • 185.161.248.152:38452
      qu770099.exe
      208 B
       4
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      67.209.201.84.in-addr.arpa
      dns
      72 B
       132 B
       1
      1

      DNS Request

      67.209.201.84.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      75.117.19.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      75.117.19.2.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un620763.exe
      Filesize

      751KB

      MD5

      18aed745a55ca5c3b1ffbc547a8b2e5a

      SHA1

      23c34fe5a04be07a723d9e69d27802eceb4d2c3f

      SHA256

      b8bae87744f953afa711e7679d0c0b25a2716f96841176fc1be87714d77d87c6

      SHA512

      ce996c54dedeeec15490a216b68e90fe01aea5c7b94f26f59b81745d5685f454e9d5112f3b6018a90507c34d87de1e26077a3411764f54e595854fb79123b48e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un503876.exe
      Filesize

      597KB

      MD5

      8b62a01fe4cb8404215d14ad626d67b8

      SHA1

      1f19bd315132e6c062e85e9c23152bedfecbdcbc

      SHA256

      8f25c37e18cae99c6cd03f833c9b20fec7570f0548920ac95c2fc0dea8eaaf3a

      SHA512

      dcb737299fff027a284caba50e1809833b7fa859cccaddcb0b6077e7eb991a834e0a8cf77740d0c762ae9a8389f54b586b5e26e16933b974144661e6de4d4f01

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr429898.exe
      Filesize

      391KB

      MD5

      fd238a8f45d744e8ff4645753965af45

      SHA1

      c6973d53c15ee021c96bb89ab98f4e4d4f38f505

      SHA256

      ee09238596e64a9311e94795f8699fbda99512c3452758506d2bb034fd98f5f2

      SHA512

      aea6a7b0c65e7caf09e81baddfc8d05f6a8db863793bd5a975fb7227f4c265a67643f18a92efe7a58c4c5599f7f1406f2555c90292282a3e9411dca566775b3c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu770099.exe
      Filesize

      474KB

      MD5

      888afd8e210a0f3c731485f8424a6adf

      SHA1

      738cde276eb95173521890b0a5e7c78ee018a210

      SHA256

      4500762850fed43cb49788fbeb50839b4cb971b1956d1f149f2f21e21db9b02b

      SHA512

      9d0a6a72f9458c0a6029772d150b0dc9da21c7b36d8eaec6190b9db4b4f195af1711bb98e5a3621cf7adde0bb0677aa6dc91d4b8a4eeee5c83b5e9e6b3ad5277

      Download Submit

    • memory/3796-54-0x0000000000400000-0x0000000000807000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3796-24-0x0000000004E60000-0x0000000005404000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3796-25-0x0000000002840000-0x0000000002858000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3796-43-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-51-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-49-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-47-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-45-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-53-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-31-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-29-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-27-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-26-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-41-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-39-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-37-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-35-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-33-0x0000000002840000-0x0000000002852000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3796-55-0x0000000000820000-0x0000000000920000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3796-23-0x00000000025C0000-0x00000000025DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3796-22-0x0000000000820000-0x0000000000920000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3796-57-0x0000000000400000-0x0000000000807000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4320-63-0x0000000002B20000-0x0000000002B5A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4320-75-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-87-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-83-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-97-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-95-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-93-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-91-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-89-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-79-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-85-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-81-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-77-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-62-0x00000000026B0000-0x00000000026EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4320-73-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-71-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-69-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-67-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-65-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-64-0x0000000002B20000-0x0000000002B55000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4320-856-0x0000000007990000-0x0000000007FA8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4320-857-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4320-858-0x0000000007FD0000-0x00000000080DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4320-859-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4320-860-0x00000000025A0000-0x00000000025EC000-memory.dmp

      Filesize

      304KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.