Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b41eac15a2...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 02:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b41eac15a261446b8d6882d742836798ccd54729e5a7e5f63364b224bff85ea9.exe

  • Size

    694KB

  • MD5

    18f6b14e6924c4d658b6b7c7c915309d

  • SHA1

    dd4cdb247a94bb462adb7a92303be2b82ee564ab

  • SHA256

    b41eac15a261446b8d6882d742836798ccd54729e5a7e5f63364b224bff85ea9

  • SHA512

    f261caf269ba568e9043d5a00146169e8a923b140e2713339ad3afcd942c801a94d59445787cf4485b57e197eca8a5aad693e60a818167205076baea240e932f

  • SSDEEP

    12288:0y90SphN71O1DvpNr8r1MoZRsFADeP/oJcNU0ttHHVYEeZWtfd6/:0yDpn71OZvpZ8rlujPRbVGAlY

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b41eac15a261446b8d6882d742836798ccd54729e5a7e5f63364b224bff85ea9.exe
    "C:\Users\Admin\AppData\Local\Temp\b41eac15a261446b8d6882d742836798ccd54729e5a7e5f63364b224bff85ea9.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730909.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730909.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67477644.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67477644.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1080
          4⤵
          • Program crash
          PID:3416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk705983.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk705983.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3800 -ip 3800
    1⤵
      PID:1316

    Network

    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      71.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      75.117.19.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.117.19.2.in-addr.arpa
      IN PTR
      Response
      75.117.19.2.in-addr.arpa
      IN PTR
      a2-19-117-75deploystaticakamaitechnologiescom
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88deploystaticakamaitechnologiescom
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 185.161.248.143:38452
      rk705983.exe
      260 B
       5
    • 185.161.248.143:38452
      rk705983.exe
      260 B
       5
    • 185.161.248.143:38452
      rk705983.exe
      260 B
       5
    • 185.161.248.143:38452
      rk705983.exe
      260 B
       5
    • 185.161.248.143:38452
      rk705983.exe
      260 B
       5
    • 185.161.248.143:38452
      rk705983.exe
      260 B
       5
    • 185.161.248.143:38452
      rk705983.exe
      208 B
       4
    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      71.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      71.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
       156 B
       1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      75.117.19.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      75.117.19.2.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730909.exe
      Filesize

      540KB

      MD5

      d841bdb10fdd39c54d5da023f5e1b3bd

      SHA1

      07e91e33f867d290b01f5405aea4c2af1486adf2

      SHA256

      81a9b11529800c31410bdc9f4963608da5aa204f65de03e52fb4bbba27812aa9

      SHA512

      abe5f7e5605a8d8731f7ca472dbf883a86b9d8fb81b5bddeb7b835bef29d6f52a3e373c17346ccc4068cc8143dea1d4a2cfa0559692c9e0744c1e7540e3f87f8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67477644.exe
      Filesize

      258KB

      MD5

      c91285b4611eeeb92274c43c323d1ad7

      SHA1

      baf0e0a55142ba34b3eec01703e4dfa682e6688b

      SHA256

      f3b2cbfd7e1e6adef58aa7d2227b1e899c060b45262f25410ffb9e88a2728b7c

      SHA512

      26e90cabecec4df51ee4fdbbccf54de6d1b7da6e988532ec4b5677ed12989166edd4fab9736a4aff64bb42de26fef1a1dbd3d53d5fde98391368767750d691fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk705983.exe
      Filesize

      340KB

      MD5

      daa3eaea56d5ec05bab606a51d81c982

      SHA1

      a9884bad44d85fc7c98e3e815d947f6909e427c4

      SHA256

      0772838bc27fc01098d380ff478a03ab83e18a99fd9afec8f7acbd634d276e60

      SHA512

      06d398c8d0936d0e819b4aafeb1cc609633dc5dede34c5a4ffb3c2486b92833e5f60b4faaae283d86b5a393854ae54c4253d6bcff59d085f66a719ae374b88ee

      Download Submit

    • memory/404-75-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-79-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-62-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-63-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-67-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-69-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-71-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-854-0x0000000009C70000-0x000000000A288000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/404-855-0x000000000A330000-0x000000000A342000-memory.dmp

      Filesize

      72KB

      Download

    • memory/404-73-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/404-858-0x0000000004A80000-0x0000000004ACC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/404-77-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-856-0x000000000A350000-0x000000000A45A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/404-82-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-85-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-88-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-89-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-91-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-94-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-95-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-83-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-65-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/404-61-0x0000000007760000-0x000000000779A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/404-60-0x00000000070F0000-0x000000000712C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3800-40-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-54-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/3800-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3800-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3800-50-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/3800-51-0x0000000002C80000-0x0000000002CAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3800-49-0x0000000002D50000-0x0000000002E50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3800-21-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-22-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-24-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-26-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-28-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-30-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-32-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-34-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-36-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-42-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-44-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-46-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-48-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-38-0x0000000007130000-0x0000000007143000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3800-20-0x0000000007130000-0x0000000007148000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3800-19-0x00000000071E0000-0x0000000007784000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3800-18-0x00000000070D0000-0x00000000070EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3800-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3800-16-0x0000000002C80000-0x0000000002CAD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3800-15-0x0000000002D50000-0x0000000002E50000-memory.dmp

      Filesize

      1024KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.