Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

53f7f7904d...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe

  • Size

    681KB

  • MD5

    40dbb55541543ce16686cc79d7d76b60

  • SHA1

    679204ec7b0e24e287d77bf6cc30f21ebc00fbd7

  • SHA256

    53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24

  • SHA512

    43e702c5455c58cacfdbd71a7d17692197f4a002f42366470ed61b45feb3166d017b86e1e4109c132b4d1581a7d526ba12efa1693186ad41281adb4cbaab5b67

  • SSDEEP

    12288:lMrLy90eqeG1m1uw8z7GyhO2KYyOJI8fTCOMi51duX17kbxy9w/9NsiXF:qyPx8zbhOsJZB1duKbA9wVii1

Score
10/10
healerredlineronurdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe
    "C:\Users\Admin\AppData\Local\Temp\53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIL29iR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIL29iR.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMJ32As.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMJ32As.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1080
          4⤵
          • Program crash
          PID:2840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boJ53er.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boJ53er.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2040 -ip 2040
    1⤵
      PID:1092

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIL29iR.exe
      Filesize

      537KB

      MD5

      542261fa0279078b1e833bff923d985d

      SHA1

      cf1a55da55798a8a232a248e52276f52f481b4de

      SHA256

      6b3d8b793cd4fcdabf0dc730bc4a336fde9ffc2e12a0c629ff994be171dc9455

      SHA512

      e12280c553ab8b18e99c01455c36065cc5cc4b0880c4db238b77ab8dcae9dffedd29ca642fb871723cf7d60066963113ce278747dfb6634494f28e583236309d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMJ32As.exe
      Filesize

      256KB

      MD5

      b4b2f9219c0886fdf0df98b3f565e6eb

      SHA1

      2f408478d1c6c0e3ef00186edc643cd4f67fec5b

      SHA256

      419a4f1cb376a7f26527c5a28458217bb167285d73d48d67fb9ef30c3d32cfb6

      SHA512

      ae86d48e606bef2d46a75206e7041f4217ff72736cf9144f9861cc3d5d24ac630cc65b75b527690c5adb991a24aac4a88ec078d30826f50521c1957668b68c79

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boJ53er.exe
      Filesize

      313KB

      MD5

      47a425090c56d643cc2911208bdeb5ff

      SHA1

      8c1972d7fea07fed4c5aab5ea6da778fecf882f4

      SHA256

      182546aa1bafd3b66a1c52f9d02f40f370f56dd143afdaab2ad2301e71c11d05

      SHA512

      d1d7831d6243ef41c2b8c1cef9630c33eadccb715fe835a5de7ad60e227d4694eae765787c0d802cbb4e54cbf298cab82732136d941b43013c7de3267b8ec595

      Download Submit

    • memory/932-74-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-78-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-970-0x00000000059C0000-0x0000000005ACA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/932-969-0x00000000053A0000-0x00000000059B8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/932-63-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-64-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-66-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-68-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-70-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-72-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-972-0x0000000005C00000-0x0000000005C3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/932-973-0x0000000005C50000-0x0000000005C9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/932-76-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-971-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/932-80-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-84-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-86-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-88-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-90-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-94-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-96-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-82-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-92-0x0000000002820000-0x000000000285E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/932-62-0x0000000002820000-0x0000000002864000-memory.dmp

      Filesize

      272KB

      Download

    • memory/932-61-0x0000000002450000-0x0000000002496000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2040-43-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-55-0x0000000000400000-0x0000000000576000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2040-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2040-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2040-51-0x0000000000580000-0x00000000005AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2040-50-0x00000000006F0000-0x00000000007F0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2040-22-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-23-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-25-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-27-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-29-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-33-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-35-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-37-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-39-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-42-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-45-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-47-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-49-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-31-0x00000000026F0000-0x0000000002702000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2040-21-0x00000000026F0000-0x0000000002708000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2040-20-0x0000000004EB0000-0x0000000005454000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2040-19-0x0000000002290000-0x00000000022AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2040-18-0x0000000000400000-0x0000000000576000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2040-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2040-16-0x0000000000580000-0x00000000005AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2040-15-0x00000000006F0000-0x00000000007F0000-memory.dmp

      Filesize

      1024KB

      Download