Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

fa2937c0e9...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2024, 05:09 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe

  • Size

    1.0MB

  • MD5

    35e0a09c1a2609fdf2f2a861b00a6820

  • SHA1

    a7e032118a1f53f3aa7ab0af4444b29a47cc2b5c

  • SHA256

    fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0

  • SHA512

    8052c12e28eebb2b605de7874ad8378eb724fb2a93d2e302a04c09f814ad23263d907d9248714e69b4690e9a15089464cbf7b773daa996cba0f13803203402b3

  • SSDEEP

    24576:xyLRl3ifIiZHq8NUoW5SK7HmzV/5J20voxlFmY9kA:kLRFifIAHqEUF7HmzV/+opYO

Score
10/10
healerredlinerumfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3852
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4248
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4788

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.24:4123
    kCL70Eg97.exe
    260 B
     5
  • 193.233.20.24:4123
    kCL70Eg97.exe
    260 B
     5
  • 193.233.20.24:4123
    kCL70Eg97.exe
    260 B
     5
  • 193.233.20.24:4123
    kCL70Eg97.exe
    260 B
     5
  • 193.233.20.24:4123
    kCL70Eg97.exe
    104 B
     2
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    71.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    71.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
    Filesize

    958KB

    MD5

    ea7d43c7cb4ac10ec9c172bff16252e3

    SHA1

    ff5853768cced1af53a3d827cc2479476ec60773

    SHA256

    23a4536793a8aec31b1267e9d50a0fd7047baea1fa0f74b41c8e1fa2cb530713

    SHA512

    91a18fd3d0a9bc19a00e30453a53acd838ded5b00a552a74bc0043d8ea3e15ea02f975398d912a715d33d9e5fe6a31fd91d7c3930f9b6299f7a27e6a7651788a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
    Filesize

    681KB

    MD5

    bfdb236953fd6f20a30d2e48fc060e71

    SHA1

    75d92febad298484a37cfcf853ba415a2e2a2082

    SHA256

    20232973088bb43f1a2796586923337fed6c422fb6ef7154697e202ae8b1234c

    SHA512

    38175baa7e5748d5691a99d084890340bc9867c16d620ca34313c6ded73f247e5aa424ae5f581d78712eaa1ffd2f5e259768e3ec01f58dfd9a6cc25c8887c882

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
    Filesize

    399KB

    MD5

    e32a2da1573afe3929d763dfacffec50

    SHA1

    3759c499b0ae90872a7a243332deab57c621721a

    SHA256

    9fd3e9335e9d7401c8278d4f285afc7889df425acff94e0d1ae87eb9ba417c59

    SHA512

    96a04c87093c3838190eed7d79b24c1558e34f25efa2bbb572ecd1b24ca56cc09da1a6e9921065850ee9b43d90426418655f9e265ed9b01289457ecb8be68750

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
    Filesize

    13KB

    MD5

    265e5658d37fc90b5f582894c46825c4

    SHA1

    a74362e2c8f379636a974a88b7bdb99698782483

    SHA256

    676d54e9b461599d8389edf0731dd0ec10c02d1a0f1dd94bed77fa07a876cb02

    SHA512

    7caf7e5a3a828a5a845eff72b87d20deacbd891bb322a0b74d85d018c9fa9ec6a9b1f9b85e631539472f5052aa2cc7dc421f2d5397e27db63a6eb8989e147f9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
    Filesize

    374KB

    MD5

    534196314ab3a6ddde9383161e04bb1c

    SHA1

    1aada3e9ec093f011c9e1c4c557f2e9da73861cd

    SHA256

    d4eb393c9ee03f90888b37f01abdb6bb09d44416bacdfd5216c29f2739993c7e

    SHA512

    4d134be97ff5f2af6d2b9f8dadff10ace57447cf3a51f13a1d69b933de3a94673bf5c3c3899ff68036a2c4ec579248c015b974c5bdb51488ed8819227950ff8b

    Download Submit

  • memory/4248-28-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4788-78-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-67-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-36-0x00000000071D0000-0x0000000007214000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4788-37-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-60-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-100-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-98-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-96-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-94-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-92-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-90-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-88-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-86-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-84-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-82-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-80-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-34-0x0000000004C10000-0x0000000004C56000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4788-74-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-73-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-70-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-68-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-35-0x00000000073C0000-0x0000000007964000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4788-64-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-62-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-58-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-56-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-55-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-52-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-50-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-48-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-46-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-44-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-42-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-40-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-38-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-76-0x00000000071D0000-0x000000000720E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4788-943-0x0000000007970000-0x0000000007F88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4788-944-0x0000000007F90000-0x000000000809A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4788-945-0x00000000072F0000-0x0000000007302000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4788-946-0x0000000007310000-0x000000000734C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4788-947-0x0000000007360000-0x00000000073AC000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.