Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

86753a048e...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 00:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86753a048e711d2b05158742370584cd90688e271e81ab9fe831451f62e06169N.exe

  • Size

    414KB

  • MD5

    bb8bf422a47e5272a4196371b2b5c4b0

  • SHA1

    285c47da150f1b7f6736c50e7636ff659175bc32

  • SHA256

    86753a048e711d2b05158742370584cd90688e271e81ab9fe831451f62e06169

  • SHA512

    7156df5ad28a40aaa61da071ae1c55e7a2f907de868478ba9d5fb12d08904fb9d60533bbcb333ea46198bbb29bf0d99bab5e6eabdabcd390854479c8d2336049

  • SSDEEP

    6144:K4y+bnr+Ip0yN90QE45rZAliGvIxoBNc8bMicCHsA/26HwtLim2QJktdRJVxGifW:UMr0y90MqvIxabDHX/2cNMOdRJVluj

Score
10/10
healerredlinefuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86753a048e711d2b05158742370584cd90688e271e81ab9fe831451f62e06169N.exe
    "C:\Users\Admin\AppData\Local\Temp\86753a048e711d2b05158742370584cd90688e271e81ab9fe831451f62e06169N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1635fu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1635fu.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t38pF21.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t38pF21.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2176

Network

  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.27:4123
    t38pF21.exe
    260 B
     5
  • 193.233.20.27:4123
    t38pF21.exe
    260 B
     5
  • 193.233.20.27:4123
    t38pF21.exe
    260 B
     5
  • 193.233.20.27:4123
    t38pF21.exe
    260 B
     5
  • 193.233.20.27:4123
    t38pF21.exe
    104 B
     2
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1635fu.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t38pF21.exe
    Filesize

    392KB

    MD5

    c043039d011fe79d35f7b0bca0e4b9ac

    SHA1

    d9f8d058327a1e2232685832b9785c831b5465dd

    SHA256

    9dee345f969dda3f5c2ba41b9852030043a3c0e03ccea25983c18170a9a1b51c

    SHA512

    032401a08b4f2baf654c0c84d69b9c24821d6497c51f32816920606c458f603188cb3cd0400ce8814d937523765b0e6483a519abb44433bb4af1d6b391839365

    Download Submit

  • memory/2176-15-0x0000000000790000-0x0000000000890000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2176-16-0x00000000005C0000-0x000000000060B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2176-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2176-18-0x0000000004B70000-0x0000000004BB6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2176-19-0x0000000004C60000-0x0000000005204000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2176-20-0x0000000004C00000-0x0000000004C44000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2176-22-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-32-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-84-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-82-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-80-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-78-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-76-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-74-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-72-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-68-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-66-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-64-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-62-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-60-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-58-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-56-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-54-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-52-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-50-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-48-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-44-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-42-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-40-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-38-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-36-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-34-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-30-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-28-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-26-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-24-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-70-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-46-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-21-0x0000000004C00000-0x0000000004C3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2176-927-0x0000000005260000-0x0000000005878000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2176-928-0x0000000005900000-0x0000000005A0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2176-929-0x0000000005A40000-0x0000000005A52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2176-930-0x0000000005A60000-0x0000000005A9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2176-931-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2176-932-0x0000000000790000-0x0000000000890000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2176-934-0x00000000005C0000-0x000000000060B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2176-935-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2348-7-0x00007FFD0A813000-0x00007FFD0A815000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2348-8-0x0000000000840000-0x000000000084A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2348-9-0x00007FFD0A813000-0x00007FFD0A815000-memory.dmp

    Filesize

    8KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.