Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

99935c2be6...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 02:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99935c2be64b4e1bde00ffe7ac2eb8350e24865388ed0b44d79655de3b4da147.exe

  • Size

    414KB

  • MD5

    1a37510b299df05f4c398e02cc04f421

  • SHA1

    05095d1ea727df289b7d789910215d975c5e2176

  • SHA256

    99935c2be64b4e1bde00ffe7ac2eb8350e24865388ed0b44d79655de3b4da147

  • SHA512

    3c0d4ec63e03e1fc7ddb87ae52dcd6d8c91bf23ef57e239c233228ad8912674f0372378d867224d4edb92d2acaefca55dfdc79e86f1c216999c90033019a4595

  • SSDEEP

    6144:Eip0yN90QE3lXwiutBRS615khcqtSvock/t04aN2ncXYHCAql5hFmkS1:0y90llkt5fkhcurXt0kncIiAz1

Score
10/10
healerredlinediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99935c2be64b4e1bde00ffe7ac2eb8350e24865388ed0b44d79655de3b4da147.exe
    "C:\Users\Admin\AppData\Local\Temp\99935c2be64b4e1bde00ffe7ac2eb8350e24865388ed0b44d79655de3b4da147.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it308445.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it308445.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr902177.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr902177.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2188

Network

  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.161.248.152:38452
    jr902177.exe
    260 B
     5
  • 185.161.248.152:38452
    jr902177.exe
    260 B
     5
  • 185.161.248.152:38452
    jr902177.exe
    260 B
     5
  • 185.161.248.152:38452
    jr902177.exe
    260 B
     5
  • 185.161.248.152:38452
    jr902177.exe
    260 B
     5
  • 185.161.248.152:38452
    jr902177.exe
    260 B
     5
  • 185.161.248.152:38452
    jr902177.exe
    208 B
     4
  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it308445.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr902177.exe
    Filesize

    360KB

    MD5

    730a1c50db0ec386833f9dbceea95a6f

    SHA1

    35cb55fda9ebf7346dddcd03dba9a644a07f8747

    SHA256

    03c17899cfa043ed7d605e834c8563282643ed89f820c64ee2b23ddf75f8a3de

    SHA512

    cef70dfe2281339d1fe662bfaffe8a530cba1ba2906a1937516a7fdf859f2d539c6a58401fceabe96eea01a7a9d97216e174078176165f195768489e6f7cef34

    Download Submit

  • memory/2188-15-0x0000000002BD0000-0x0000000002CD0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2188-16-0x0000000002F60000-0x0000000002FA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2188-17-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2188-18-0x0000000004B10000-0x0000000004B4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2188-19-0x0000000007330000-0x00000000078D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2188-20-0x00000000071C0000-0x00000000071FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2188-22-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-30-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-82-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-80-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-78-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-76-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-74-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-72-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-70-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-68-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-66-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-64-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-60-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-58-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-56-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-54-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-52-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-50-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-48-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-46-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-44-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-42-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-38-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-36-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-35-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-32-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-28-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-26-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-24-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-84-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-62-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-40-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-21-0x00000000071C0000-0x00000000071F5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2188-813-0x0000000009D60000-0x000000000A378000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2188-814-0x00000000072E0000-0x00000000072F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2188-815-0x000000000A380000-0x000000000A48A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2188-816-0x000000000A490000-0x000000000A4CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2188-817-0x0000000006CF0000-0x0000000006D3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2188-818-0x0000000002BD0000-0x0000000002CD0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2188-820-0x0000000002F60000-0x0000000002FA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2188-821-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2300-7-0x00007FFA20C23000-0x00007FFA20C25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2300-8-0x0000000000A50000-0x0000000000A5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2300-9-0x00007FFA20C23000-0x00007FFA20C25000-memory.dmp

    Filesize

    8KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.