Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d165158649...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe

  • Size

    1.0MB

  • MD5

    78c8ad8987f7e923fb0fdb1234564bc5

  • SHA1

    bf4db3f5c58cd64cbb5cca4e8d3fc8773c25a467

  • SHA256

    d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3

  • SHA512

    7b27c81b25f2c943208c8ecb0e1013140fa0729d529420e847a3d4472fcc249ff02daa32638ad95125f99298b6b1a96854e6dbb9ca982a2dadcacb499415c9eb

  • SSDEEP

    24576:oyrBO8BKOIx+81pDmlClnrykAV+pPk3ywoHrXCf6HhXBpw0on:vNO8BIqlCxVuOLXZh

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe
    "C:\Users\Admin\AppData\Local\Temp\d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402962.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402962.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un852778.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un852778.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr529090.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr529090.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:808
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1092
            5⤵
            • Program crash
            PID:456
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu249529.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu249529.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 808 -ip 808
    1⤵
      PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402962.exe
      Filesize

      761KB

      MD5

      41b54ef692b3b91422c5ff79a3aebb88

      SHA1

      a28fb37e7f18b0dcff9b072744c83e1ae67e6823

      SHA256

      7291ae1d892eb204d470ca275cb4eee861a39cd5d763de988f67ea1b8acf370e

      SHA512

      aad03db450ab6d231dfae59949fa1401cc813a700e15078bea2bb0b25a5cafeac298d215a20e09dfd683559c42edace3fc57b7e6804a31078b6f56a8db3539ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un852778.exe
      Filesize

      607KB

      MD5

      1fda92fc1c057387a5eea7e8322c0d2a

      SHA1

      d6ea0bbf4d53ba97e2363fc3fc38a0636b4c8743

      SHA256

      6adc4bda890cbb7ad30d9326088b5f57d552033861117d038321b738e0c40618

      SHA512

      f8b1c23e4224f8450f432effdcc3234f53d94df26133305ffa4d678e91b3a94f9e07b930d34d0554e79d51651b6c68e20d45ce3a773ac7da8be4b3cef6faf8b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr529090.exe
      Filesize

      400KB

      MD5

      6b4a147ad515aaf13db13968f581a060

      SHA1

      5b92d93a621c3d643865eb2c3ec2d3908f83b838

      SHA256

      78e6d2e2e6fe813826136f4e18daee201de5b4820772f45c4cb735a0eaf01b7a

      SHA512

      7c4a563a22cc75a7f7be7e9d4e24ff0596e354b72da0b66d1de69e203e786d87becdf648d817b826daac8bbe4279ea0fa15726eb13678283811cc9e41b65647d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu249529.exe
      Filesize

      482KB

      MD5

      bb0695c80227b2e818faee2583f4a161

      SHA1

      e697447c1804a49e60cd19a310ffdbfdfbaa3a9a

      SHA256

      1841d04d3154d431ddfb67db796a7ef8118d0b562ca0c7801c951e45b5935b43

      SHA512

      4959e85669eacdcb9cb85535355a06d7308642427ab5686fa8677253b723a05aa588e910912340cc59d8ba5ffbf9f30388b7474122e70fb9ff05497a1cf8dec5

      Download Submit

    • memory/808-54-0x0000000000400000-0x0000000000809000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/808-24-0x0000000004EE0000-0x0000000005484000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/808-25-0x00000000027A0000-0x00000000027B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/808-39-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-53-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-51-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-50-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-47-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-45-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-43-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-42-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-37-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-35-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-33-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-31-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-29-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-27-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-26-0x00000000027A0000-0x00000000027B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/808-55-0x0000000000B80000-0x0000000000C80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/808-23-0x0000000002560000-0x000000000257A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/808-22-0x0000000000B80000-0x0000000000C80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/808-57-0x0000000000400000-0x0000000000809000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4304-63-0x0000000002AC0000-0x0000000002AFA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4304-75-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-85-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-97-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-95-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-93-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-91-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-89-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-87-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-77-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-83-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-81-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-79-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-62-0x0000000002790000-0x00000000027CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4304-73-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-71-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-69-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-67-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-65-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-64-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4304-856-0x0000000007920000-0x0000000007F38000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4304-857-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4304-858-0x0000000007FC0000-0x00000000080CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4304-859-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4304-860-0x0000000002700000-0x000000000274C000-memory.dmp

      Filesize

      304KB

      Download