Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

449ad34486...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    449ad34486a648889f053c5b622b34bb2c5905c24cae6d52cb9eb86675c1d9d1.exe

  • Size

    566KB

  • MD5

    29f245ada0a5aefe3a2e457f411fcdb2

  • SHA1

    915e4bbd16bfa58015d64044db93d0b8d8529e95

  • SHA256

    449ad34486a648889f053c5b622b34bb2c5905c24cae6d52cb9eb86675c1d9d1

  • SHA512

    03a1a1c9493b7b69252586065ba6c074dc6744a5d5164747d30241a4cd97354efe7d6b85a9bf24c879c19a3edbceb72ee087431d4e55a4bb0f76a358b16d4672

  • SSDEEP

    12288:oy90fyknaY8IwWovhQ6jK7sxmnWjBR08lnen9:oy+5EhzjKoxmnWjBWOnU9

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449ad34486a648889f053c5b622b34bb2c5905c24cae6d52cb9eb86675c1d9d1.exe
    "C:\Users\Admin\AppData\Local\Temp\449ad34486a648889f053c5b622b34bb2c5905c24cae6d52cb9eb86675c1d9d1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwu2013.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwu2013.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it690395.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it690395.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3708
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp515321.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp515321.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2956

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.161.248.142:38452
    kp515321.exe
    260 B
     5
  • 185.161.248.142:38452
    kp515321.exe
    260 B
     5
  • 185.161.248.142:38452
    kp515321.exe
    260 B
     5
  • 185.161.248.142:38452
    kp515321.exe
    260 B
     5
  • 185.161.248.142:38452
    kp515321.exe
    260 B
     5
  • 185.161.248.142:38452
    kp515321.exe
    260 B
     5
  • 185.161.248.142:38452
    kp515321.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwu2013.exe
    Filesize

    412KB

    MD5

    accb7e24d693d5082471905ef6e7b497

    SHA1

    e005c033b8ede361a260de39a439fc20ebd32499

    SHA256

    b15466244b894cc064bbf39dc3622615741401314940298b05d8ba66333f9096

    SHA512

    26fe795487d7d627f74a9872fb3f06d7c5646f3319f387fdc26b7a305a263ec51270da43c663da624504706417eb3f828f0490198b16779d0f2f1512ad8cabc3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it690395.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp515321.exe
    Filesize

    368KB

    MD5

    acf2bedeec7f870d18c5b62071d0eb16

    SHA1

    8c1548f1735c716e7c4e3794ddd2520c350e07b8

    SHA256

    e07f16f1dc5627cffb3782bd73e10d56066fc75210f687635875ce68d4e5551d

    SHA512

    fbd1329988fa754fd5521dc3e0dee9fbbb17a8ffd402ba78148c31b40dab1268bb7fe6b0b721fa9d2ef022fd589599572e9d42aa7f327f5f46b76bfe782a8a25

    Download Submit

  • memory/2956-62-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-34-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-821-0x00000000048B0000-0x00000000048FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2956-22-0x0000000004A70000-0x0000000004AAC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2956-23-0x0000000007370000-0x0000000007914000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2956-24-0x0000000004C40000-0x0000000004C7A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2956-42-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-88-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-86-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-84-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-82-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-80-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-78-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-76-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-74-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-70-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-68-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-66-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-64-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-820-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2956-56-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-819-0x000000000A3C0000-0x000000000A4CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2956-58-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-54-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-50-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-48-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-46-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-44-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-40-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-38-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-36-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-60-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-32-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-30-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-28-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-72-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-53-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-26-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-25-0x0000000004C40000-0x0000000004C75000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2956-817-0x0000000009DA0000-0x000000000A3B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2956-818-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3708-16-0x00007FFB40B63000-0x00007FFB40B65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3708-14-0x00007FFB40B63000-0x00007FFB40B65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3708-15-0x0000000000660000-0x000000000066A000-memory.dmp

    Filesize

    40KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.