Analysis

  • max time kernel: 143s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/11/2024, 02:14 UTC

General

  • Target: 9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96.exe
  • Size: 1.5MB
  • MD5: 426cd7a828f1d5c78f56566eaafc464a
  • SHA1: 13774e4abdb2b7eab552115f4b8a7b21000aeb3a
  • SHA256: 9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96
  • SHA512: f3b180d5015c1b9b2a0986a6bcc93bebe72ae79aaca74c73fade30a87650e8a3edceee2012c32477004966f12d740dfa9552a342bc62e59c6f6e7772656e452e
  • SSDEEP: 24576:tyba/LCuFViW7RESuBr4EMn2mVmdN9tREN+qgKi1aqSbMKebotchawH9juy1uk:IoLXF80ESwUE3mV6FbvOJogc8m9n

Malware Config

Extracted

  • Family: redline
  • Botnet: mazda
  • C2: 217.196.96.56:4138
  • Attributes
    • auth_value: 3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3e3e1ed28dba6a283ed5d0a64c780bb6f9b59b5fa7ccae8734e2c665d86c96.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4820664.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4820664.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8282383.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8282383.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9907076.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9907076.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5444262.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5444262.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6783520.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6783520.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:464
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1088
                7⤵
                • Program crash
                PID:1648
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7530801.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7530801.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 464 -ip 464
    1⤵
    PID:4612

Network

DNS (reverse PTR lookups, all sent to 8.8.8.8:53; one query and one reply each, with the bytes sent and received for each lookup):

  • 217.106.137.52.in-addr.arpa: no PTR answer (73 B sent, 147 B received)
  • 83.210.23.2.in-addr.arpa: a2-23-210-83.deploy.static.akamaitechnologies.com (70 B sent, 133 B received)
  • 71.159.190.20.in-addr.arpa: no PTR answer (72 B sent, 158 B received)
  • 95.221.229.192.in-addr.arpa: no PTR answer (73 B sent, 144 B received)
  • 212.20.149.52.in-addr.arpa: no PTR answer (72 B sent, 146 B received)
  • 206.23.85.13.in-addr.arpa: no PTR answer (71 B sent, 145 B received)
  • 240.221.184.93.in-addr.arpa: no PTR answer (73 B sent, 144 B received)
  • 88.210.23.2.in-addr.arpa: a2-23-210-88.deploy.static.akamaitechnologies.com (70 B sent, 133 B received)
  • 31.243.111.52.in-addr.arpa: no PTR answer (72 B sent, 158 B received)

Connections to the extracted RedLine C2 (remote address, process, bytes, packets):

  • 217.196.96.56:4138, b7530801.exe, 260 B, 5 packets
  • 217.196.96.56:4138, b7530801.exe, 260 B, 5 packets
  • 217.196.96.56:4138, b7530801.exe, 260 B, 5 packets
  • 217.196.96.56:4138, b7530801.exe, 260 B, 5 packets
  • 217.196.96.56:4138, b7530801.exe, 260 B, 5 packets
  • 217.196.96.56:4138, b7530801.exe, 156 B, 3 packets

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4820664.exe
    Filesize: 1.3MB
    MD5: e375d5d523e109a497744cb9c315b33a
    SHA1: af8ee70218aa1ee1b15dd0c153412d4006220718
    SHA256: cdc09ea7a73ce8ec0e4c2d67c730262da9f21ad5c919e78fd1514000df15542a
    SHA512: 4d395f5fee2e84fb3bb4eebad008dedb298c9177b0a3fbe80205a4345e709694740237fee08bae5c8e643416655138ade3b4757b279438c83f8a33e908b2da9d

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8282383.exe
    Filesize: 867KB
    MD5: 9fb561677a3a3d80fd3c4e8e9a321483
    SHA1: 9edf61ac5ef54e9a747fac483161825afe70e17a
    SHA256: 3541a3fbe8c3f767394541e5e8d9d2bf85a4ffb6ec2727504e029a3c2906934f
    SHA512: 63b74e7b32ede228dcdf37f265a7ece45130c28e91a6e9c158df59641efc710f2cb569ab947427a3a1c11717585f4cc1cce44d2636661a182b927835ef43da28

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9907076.exe
    Filesize: 663KB
    MD5: 01151922166beda708a97b7b7918dc29
    SHA1: c99daf86382e9c67d93ce6248112aef490b49ec3
    SHA256: f5e82e333a47e7f88494d1eaa8a27a8fc1853e3e141eeac8ec5c9d20735e0e01
    SHA512: 7dec40e741a440ab70c149c3dced7bcf5abe87e418b05c75407fc5933aed71318ae70655de10e36b3571a646d9e0227056d265802cb6af3a8f9a4f8b76158e2a

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5444262.exe
    Filesize: 393KB
    MD5: 895c96cad6cf38a90ba630a548e84291
    SHA1: 2ac58c450662818b0cb7290b6695644a2e304c41
    SHA256: a25f9355c5155801aadab3b263913d873b832011f017252bdf309fd30c963471
    SHA512: 82955615b72a71306e2758c7628b7ae55cfb6486e94eb0998affedf9ff1b1b2c52bcc96cd8e331ca7ebf8fe5b702b3d8fe56e9d961dc0ce484bab70f25f690e1

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6783520.exe
    Filesize: 315KB
    MD5: a54f0a4c4d0579189aa482bb8cd8231c
    SHA1: 48dab2bf24fb29bcaaa9b36b2962dfe0d7eb6f0b
    SHA256: 7b13d2dff031a163e5fb8040fb9f3325b0c88c0c4e628a22acfb9bb1265fd79a
    SHA512: f7a3c12a19e45f76bd4d549cf7dafc20ddef158a4edd6bfc64c01ff6cff26e39f6539423ba8848547d6bb3a3b9385f0a53ec43102f1783aa6b6524b9c2d39d00

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7530801.exe
    Filesize: 168KB
    MD5: f6eaa099e245fe7623e81090b3e89e39
    SHA1: a4f2dde0c04c98f786d2771ec03acfb23cf047b0
    SHA256: 322504e3e7c8cac9502f695c71b46ac30c67ffec5ae7812eab47e04fa9c6c205
    SHA512: 93ed7704103614fe8cd02cbd453f9ce7c09160215f1937c7487727b14d9fdc28d399191e417d7b8f40220f2eedb52ff074a85fef39ae3b0fa0e78085d5333afc


  • memory/464-50-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-44-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-66-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-64-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-62-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-60-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-58-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-56-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-54-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-52-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-37-0x0000000004B40000-0x00000000050E4000-memory.dmp (5.6MB)
  • memory/464-48-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-46-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-38-0x0000000004A20000-0x0000000004A38000-memory.dmp (96KB)
  • memory/464-42-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-40-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-39-0x0000000004A20000-0x0000000004A32000-memory.dmp (72KB)
  • memory/464-67-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/464-69-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/464-36-0x0000000004960000-0x000000000497A000-memory.dmp (104KB)
  • memory/1084-73-0x0000000000DF0000-0x0000000000E20000-memory.dmp (192KB)
  • memory/1084-74-0x0000000002FD0000-0x0000000002FD6000-memory.dmp (24KB)
  • memory/1084-75-0x0000000005E00000-0x0000000006418000-memory.dmp (6.1MB)
  • memory/1084-76-0x00000000058F0000-0x00000000059FA000-memory.dmp (1.0MB)
  • memory/1084-77-0x0000000005660000-0x0000000005672000-memory.dmp (72KB)
  • memory/1084-78-0x00000000057E0000-0x000000000581C000-memory.dmp (240KB)
  • memory/1084-79-0x0000000005820000-0x000000000586C000-memory.dmp (304KB)
