Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8f459a981c...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 02:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f459a981c0f81b0b54dd4c001d62f490fd70b2125f86338db7cc75a7dd5fb31.exe

  • Size

    534KB

  • MD5

    52101467c256fd2b66bb9cfcf231f937

  • SHA1

    225c516212ac747b6463a90344d241d24fa01c4c

  • SHA256

    8f459a981c0f81b0b54dd4c001d62f490fd70b2125f86338db7cc75a7dd5fb31

  • SHA512

    5c7fb09d815bcfceaec95ec6cd84f235cd8e5f8ad23154a582d30bc648fccf0df3083bd9db26b4a91eb81b340f1fae37df7f77a9b01b05a5b4234ee498afc7c9

  • SSDEEP

    12288:WMrIy90k6NnJwUwDIbNotTbUWpXVqHpDi9CFHlOwH5npM:qyQi0bNEU8FqJD19a

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f459a981c0f81b0b54dd4c001d62f490fd70b2125f86338db7cc75a7dd5fb31.exe
    "C:\Users\Admin\AppData\Local\Temp\8f459a981c0f81b0b54dd4c001d62f490fd70b2125f86338db7cc75a7dd5fb31.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMX5652.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMX5652.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr279689.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr279689.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku308104.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku308104.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2260

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 176.113.115.145:4125
    ku308104.exe
    260 B
     5
  • 176.113.115.145:4125
    ku308104.exe
    260 B
     5
  • 176.113.115.145:4125
    ku308104.exe
    260 B
     5
  • 176.113.115.145:4125
    ku308104.exe
    260 B
     5
  • 176.113.115.145:4125
    ku308104.exe
    260 B
     5
  • 176.113.115.145:4125
    ku308104.exe
    156 B
     3
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMX5652.exe
    Filesize

    392KB

    MD5

    87ee96932f4facc2a94fbc5e1b3d7aee

    SHA1

    0ea218b1c20483f1b628f099475c18d2f053fd34

    SHA256

    bdef3c05b48ca6383d1073ddaaecf8529ab3f0ab08746c45e78960554aff1076

    SHA512

    8d1bd8b67e73afcd4a4db73b79c72079a8a1d3f34e81312969b890e06c4c7fa45fcd5c821fd3bee253520a093da04a952779d30b6c359f3415dc81976ec8f679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr279689.exe
    Filesize

    11KB

    MD5

    b78b5dc0c84dc01601e6c148f8630fbd

    SHA1

    a60b5a7c82be01561245f1c7d4f3fb5db3b0d0df

    SHA256

    ae8d23ea29924ba92b9bff0a42c084d7a9099b3a3a7323f0452f88faa210ef7b

    SHA512

    7d3189336a486852068fb968ede4c90e0dd6006f341c28ea1a26b5f299d354d0dd1612ff5d88340f802da613188186b14da0a0b0ba76cfc40645ca201d56e12f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku308104.exe
    Filesize

    319KB

    MD5

    710d18b9ca784978d102b358cb17cbe3

    SHA1

    75999952a90eba791d85f046738643a03825cffa

    SHA256

    db15f047ed08f5acef4cb816c748f0714d355ab51bcb62d028ad305aa01f8a64

    SHA512

    cebc7eab37db6772def3431992c23a6937ad313929742e5dd5f648161804dbf38768fe4c300cebd2ec81fe8a7a641bb2dc76ddaf9e66a9eed4237c950b13b510

    Download Submit

  • memory/1268-14-0x00007FFE2FE03000-0x00007FFE2FE05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1268-15-0x0000000000B60000-0x0000000000B6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1268-16-0x00007FFE2FE03000-0x00007FFE2FE05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2260-62-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-52-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-24-0x0000000004AD0000-0x0000000004B14000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2260-26-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-40-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-88-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-87-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-84-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-80-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-78-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-76-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-74-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-72-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-70-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-68-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-64-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-22-0x0000000002700000-0x0000000002746000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2260-60-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-58-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-56-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-54-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-23-0x0000000004C80000-0x0000000005224000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2260-50-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-48-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-44-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-43-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-38-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-36-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-34-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-33-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-30-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-28-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-82-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-66-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-46-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-25-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2260-931-0x0000000005230000-0x0000000005848000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2260-932-0x0000000005850000-0x000000000595A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2260-933-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2260-934-0x0000000004C00000-0x0000000004C3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2260-935-0x0000000005A60000-0x0000000005AAC000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.