Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

169290f535...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe

  • Size

    964KB

  • MD5

    e69d61ab0e370bd156b42f119a56ab21

  • SHA1

    cc89fac6b399df87b0a63b0b9581cb135596989b

  • SHA256

    169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e

  • SHA512

    f16faffc78c5396b8de26ef6e2c29eda7f8eca241892c71ff1cececd81d1de18bc793e49af2dc652a686753d913d7fe9d59323b2cd25b7a9ca9332df699d7979

  • SSDEEP

    24576:Ly/T5TgXxtsod32EbxI5k3JUbixyh/LZ9S:+75Oxtso42xULZLX

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe
    "C:\Users\Admin\AppData\Local\Temp\169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880574.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880574.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088053.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088053.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923593.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923593.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:832
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1064
            5⤵
            • Program crash
            PID:3544
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716641.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716641.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 832 -ip 832
    1⤵
      PID:4740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880574.exe
      Filesize

      705KB

      MD5

      4fc5c95256ae32d07e590b084a1bef6e

      SHA1

      c5c8d6e5383aafdc971fc87afc50f2dabf162286

      SHA256

      ca3b50c90494060c24eabb377fb1cecca0c1defad091a1fd3af0b74446b756cb

      SHA512

      4c10df02d32034aa2f02baa94b14b46a554392d787acc7215bcd28d58b78b18a86f92a2da4c7dab50792dd211978c98fa885f99e128fe815fede35dd2e2ecec7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088053.exe
      Filesize

      552KB

      MD5

      f1def6f3602648609e3063614080a326

      SHA1

      fc969dd2e5c8504968b1480467263c7eadd515b3

      SHA256

      c50af19f6ba8c7f05e6b0dd5651751a68c28362a6f578f6c78ca19a2b4454048

      SHA512

      75412ff4cd96fd8bc4a071dd167ed43cf6346a389c96ffec3ade14cf72ab124868161996145e5cef4e60889c97d87b36af77cd7177c2e8d4b748aaf814eb3e72

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923593.exe
      Filesize

      299KB

      MD5

      7da9683d7044dde27c772996e4231a59

      SHA1

      52af43350a3ca6c1cc44f737e85e03fdcb00193d

      SHA256

      e1a9644f21c150381ad22596daa0e8ec9fd4ef8596481cab07e32e42500fb074

      SHA512

      29c94af2c7f478969165d5b78520ecbd6291a4ace38698118a6a758aeaa88a2618d1ad06bfb2708dd424bf242b19361a7464be45cc67afbae712317b1216d4cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716641.exe
      Filesize

      381KB

      MD5

      5b034a59bf771837c376e7ce376bfcfd

      SHA1

      8671fbb3cd75e59c99df8b6a946f39d60e1b6c80

      SHA256

      9f6d937154b9c1ba2520dcf2637662466b813f81aa358976eb3997d407253ed6

      SHA512

      e984a52e9f86fbcd7494d055df7395eb16dd96572ea6411a0058d7a4bc4e8b01f78aa7c059583004369a1cd72623b68b1d57656b35448a7cc585e6d08f0f8d78

      Download Submit

    • memory/832-40-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-38-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-32-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-50-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-48-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-46-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-44-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-42-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-23-0x00000000071C0000-0x0000000007764000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/832-24-0x0000000004C80000-0x0000000004C98000-memory.dmp

      Filesize

      96KB

      Download

    • memory/832-36-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-34-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-30-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-52-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-26-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-28-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-25-0x0000000004C80000-0x0000000004C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/832-53-0x0000000000400000-0x0000000002BB4000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/832-22-0x0000000004AE0000-0x0000000004AFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/832-55-0x0000000000400000-0x0000000002BB4000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/2472-60-0x00000000047D0000-0x000000000480C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2472-61-0x00000000071B0000-0x00000000071EA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2472-75-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-89-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-95-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-93-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-92-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-87-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-85-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-83-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-81-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-79-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-77-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-73-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-71-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-69-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-67-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-65-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-63-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-62-0x00000000071B0000-0x00000000071E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2472-856-0x000000000A370000-0x000000000A47A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2472-855-0x000000000A350000-0x000000000A362000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2472-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2472-854-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2472-858-0x0000000004A90000-0x0000000004ADC000-memory.dmp

      Filesize

      304KB

      Download