Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 13:12
Static task: static1
Behavioral task: behavioral1
Sample: b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe
Resource: win10v2004-20241007-en
General
Target: b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe
Size: 556KB
MD5: ee11d3f741fd44873960d23197268d55
SHA1: 5783ad45fd6f6b5f64f71e5a5237444c15a49946
SHA256: b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8
SHA512: 4bd50841f03d77f23e8ca378b54e42a70fd8e335314325e2f2b96531dfc2fd9582d9388460857d06f9353743c56e7590694ac24eb878fa85314f5a344b047725
SSDEEP: 12288:gMrYy902oxALycmoGwt4vTkdcBnuEn6tMhYH9ykZO5myJ4Shch:oyJoeLqo4rk+p7nIMhYHYms+
Malware Config
Extracted
Family: redline
Botnet: ruzhpe
C2: pepunn.com:4162
auth_value: f735ced96ae8d01d0bd1d514240e54e0
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x0008000000023c8a-12.dat (yara_rule: healer)
- behavioral1/memory/2488-15-0x0000000000820000-0x000000000082A000-memory.dmp (yara_rule: healer)

Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: sw47Rg74hb49.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: sw47Rg74hb49.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: sw47Rg74hb49.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: sw47Rg74hb49.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: sw47Rg74hb49.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: sw47Rg74hb49.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
- behavioral1/memory/1668-22-0x0000000004BC0000-0x0000000004C06000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-24-0x0000000007780000-0x00000000077C4000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-30-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-38-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-88-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-86-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-84-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-82-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-80-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-76-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-74-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-72-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-70-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-68-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-66-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-65-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-62-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-60-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-58-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-56-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-54-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-52-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-48-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-46-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-44-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-42-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-40-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-36-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-34-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-32-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-28-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-78-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-50-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-26-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)
- behavioral1/memory/1668-25-0x0000000007780000-0x00000000077BE000-memory.dmp (yara_rule: family_redline)

Redline family
Executes dropped EXE (3 IoCs)
- PID 4984: vkGa7038gY.exe
- PID 2488: sw47Rg74hb49.exe
- PID 1668: tkQi63wI65IF.exe
Windows security modification (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: sw47Rg74hb49.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: vkGa7038gY.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vkGa7038gY.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tkQi63wI65IF.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2488: sw47Rg74hb49.exe
- PID 2488: sw47Rg74hb49.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2488: sw47Rg74hb49.exe
- Token: SeDebugPrivilege, PID 1668: tkQi63wI65IF.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 3360 (b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe) wrote to memory of PID 4984 (procid_target: 84)
- PID 3360 (b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe) wrote to memory of PID 4984 (procid_target: 84)
- PID 3360 (b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe) wrote to memory of PID 4984 (procid_target: 84)
- PID 4984 (vkGa7038gY.exe) wrote to memory of PID 2488 (procid_target: 85)
- PID 4984 (vkGa7038gY.exe) wrote to memory of PID 2488 (procid_target: 85)
- PID 4984 (vkGa7038gY.exe) wrote to memory of PID 1668 (procid_target: 93)
- PID 4984 (vkGa7038gY.exe) wrote to memory of PID 1668 (procid_target: 93)
- PID 4984 (vkGa7038gY.exe) wrote to memory of PID 1668 (procid_target: 93)
Processes

C:\Users\Admin\AppData\Local\Temp\b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b1bdbdb98c5180c843a6b86cf010cd9429c72d52ec5562f0372236706a3ca7b8.exe"
PID: 3360
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkGa7038gY.exe (depth 2, child of PID 3360)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkGa7038gY.exe
    PID: 4984
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw47Rg74hb49.exe (depth 3, child of PID 4984)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw47Rg74hb49.exe
        PID: 2488
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkQi63wI65IF.exe (depth 3, child of PID 4984)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkQi63wI65IF.exe
        PID: 1668
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 411KB
MD5: 0a83a77cbbf69f99e313b6146dd34bfe
SHA1: 0c6df32053f988de15de00d74a6cf4c5f3a5f735
SHA256: fa3fd343aff946e878cbbfa9436ddf66ed86278b718403c0d5601c1389c515a7
SHA512: 0223684d4151da38afa632306e23fd1a1dfc2e79178108b7e73a08848d721dcecf86fa19909892a9a7c1edf97be85913324af2ec2c0e514570a88282ae37a1e9

Filesize: 17KB
MD5: 9dfb85434850850dd0e2667b8be7eb56
SHA1: 0500ec369a7dfc77046b1fc614654d9937a4a6a7
SHA256: 97a296eaa4c71c23677be105679c645960ec7e5ac9473dc291bff2a402c754d2
SHA512: 0e8fc6576c8f918582fbfa1193ca17a62d518952147157fd4f03d235b54d7a87c89467f0f9bcb4be0f3aa759b6bef06d2167151b7e68a609907557772ca9322f

Filesize: 410KB
MD5: 4a99afd6ed76b99078df204b18a8b896
SHA1: f31f5bc1af96226972ccb4f09f31e951bf8c8c50
SHA256: ef798a02a3eb5140e2cf2f4a5cc1baa245c94df5a355e26fb5e1371f7f832473
SHA512: 79d7fe86efd6624e78af1bdd89713ccf1a0de364ce87a1b1faa904643d5efe003e2083134cd99f78dde26c4587cee6fa8fa02153cbd24a452c49a1e95d94c6d4