Analysis

Max time kernel: 149s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/11/2024, 13:21

Static task: static1
Behavioral task: behavioral1
  Sample: 7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe
  Resource: win10v2004-20241007-en
General

Target: 7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe
Size: 696KB
MD5: 91d8c5b323bcaee03e5e575f6eb114ca
SHA1: 97c5e6e5d3d6da6bec2a25b41cc1333b99ffde12
SHA256: 7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143
SHA512: f84eb8e23382bc57004c862c3491af864324c40e77cb72a277f8739ff5d2dbb7c50f929b77d1e382399d98823dddedc05fd1904f603d18d4254f118b609364d8
SSDEEP: 12288:lMrdy90XbHDekjNg0w3NBJ9S9W3r69/vOMusv/Ft6eKeWcEvObQuOsUH/Nq:syQpgt9BJ9d3r6tOMVSjOlZsU
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes:
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource / yara_rule:
  behavioral1/memory/764-18-0x0000000002E80000-0x0000000002E9A000-memory.dmp  healer
  behavioral1/memory/764-20-0x0000000004920000-0x0000000004938000-memory.dmp  healer
  behavioral1/memory/764-21-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-48-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-46-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-44-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-42-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-41-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-38-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-36-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-34-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-32-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-30-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-28-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-26-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-24-0x0000000004920000-0x0000000004932000-memory.dmp  healer
  behavioral1/memory/764-22-0x0000000004920000-0x0000000004932000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro9727.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro9727.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro9727.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro9727.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro9727.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro9727.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource / yara_rule:
  behavioral1/memory/912-60-0x0000000004B10000-0x0000000004B56000-memory.dmp  family_redline
  behavioral1/memory/912-61-0x00000000071E0000-0x0000000007224000-memory.dmp  family_redline
  behavioral1/memory/912-87-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-95-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-93-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-91-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-89-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-85-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-83-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-81-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-80-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-77-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-75-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-73-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-71-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-67-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-65-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-63-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-69-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
  behavioral1/memory/912-62-0x00000000071E0000-0x000000000721F000-memory.dmp  family_redline
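The two memory-dump YARA tables (healer on PID 764, family_redline on PID 912) list one row per dump in which the rule fired, so the same region shows up many times. The Python below is an added triage helper, not tria.ge code and not part of this report: it parses rows of that form and collapses them to distinct (pid, rule, region) triples with hit counts, which is what you actually want when deciding which dump to pull. It assumes the dump name layout `<task>/memory/<pid>-<index>-<start>-<end>-memory.dmp` and treats the second number as a dump sequence index (an assumption); its input is a constructed subset of the rows shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the memory-dump YARA hits listed in the report
# (PID 764 = pro9727.exe, PID 912 = qu1123.exe), in the "<resource> <rule>" form
# the Signatures tables use.
YARA_HITS = """\
behavioral1/memory/764-18-0x0000000002E80000-0x0000000002E9A000-memory.dmp healer
behavioral1/memory/764-20-0x0000000004920000-0x0000000004938000-memory.dmp healer
behavioral1/memory/764-21-0x0000000004920000-0x0000000004932000-memory.dmp healer
behavioral1/memory/764-48-0x0000000004920000-0x0000000004932000-memory.dmp healer
behavioral1/memory/764-46-0x0000000004920000-0x0000000004932000-memory.dmp healer
behavioral1/memory/912-60-0x0000000004B10000-0x0000000004B56000-memory.dmp family_redline
behavioral1/memory/912-61-0x00000000071E0000-0x0000000007224000-memory.dmp family_redline
behavioral1/memory/912-87-0x00000000071E0000-0x000000000721F000-memory.dmp family_redline
behavioral1/memory/912-95-0x00000000071E0000-0x000000000721F000-memory.dmp family_redline
"""

# <task>/memory/<pid>-<index>-<start>-<end>-memory.dmp <rule>
# Reading the second number as a dump sequence index is this example's assumption.
DUMP_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Turn each hit row into a dict with integer pid/index/address fields."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hit row: {line!r}")
        hits.append({
            "task": m["task"],
            "pid": int(m["pid"]),
            "idx": int(m["idx"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        })
    return hits


def collapse_regions(hits):
    """Group hits by (pid, rule, start, end) and report how often each region fired."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["pid"], h["rule"], h["start"], h["end"])].append(h["idx"])
    regions = []
    for (pid, rule, start, end), idxs in sorted(groups.items()):
        regions.append({
            "pid": pid, "rule": rule, "start": start, "end": end,
            "size": end - start, "count": len(idxs),
            "first_idx": min(idxs), "last_idx": max(idxs),
        })
    return regions


def families_by_pid(hits):
    """Which rules fired in which process, e.g. {764: ['healer'], 912: ['family_redline']}."""
    fam = defaultdict(set)
    for h in hits:
        fam[h["pid"]].add(h["rule"])
    return {pid: sorted(rules) for pid, rules in fam.items()}


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    for r in collapse_regions(hits):
        print(f"pid {r['pid']:>4}  {r['rule']:<14} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"({r['size']:#x} bytes)  {r['count']}x  dumps {r['first_idx']}..{r['last_idx']}")
    print(families_by_pid(hits))
```

On the constructed subset the 9 rows collapse to 6 regions; on the full tables the 17 healer rows are 3 regions in PID 764 and the 20 family_redline rows are 3 regions in PID 912, so one dump per region is enough to pull for further analysis.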
Redline family
Executes dropped EXE (3 IoCs)
pid / Process:
  4848  un329366.exe
  764   pro9727.exe
  912   qu1123.exe
Windows security modification
description / ioc / Process:
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro9727.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro9727.exe
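A check a practitioner wants on the two Defender-related tables above is a mechanical pass that turns the raw `Set value` rows into a list of which protections the process switched off, so the same logic can be reused on the next report. The Python below is an added example, not tria.ge code and not part of this report: it parses rows in the form the report uses, strips the hive prefix and any `WOW6432Node` component so 32-bit and 64-bit writers land on the same rule entry, and matches the value names the report shows (the Real-Time Protection `Disable*` policies set to 1 and `TamperProtection` set to 0). The input is the report's own rows plus one constructed benign row; the row regex, the `normalize` helper and the effect descriptions are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the registry rows from the two Defender-related
# signature tables in the report, in the report's own
# "<operation> <key>[\<value> = "<data>"] <process>" form, plus one benign row
# (constructed for this example, not from the report) that the check must ignore.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro9727.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro9727.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro9727.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro9727.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro9727.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro9727.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro9727.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro9727.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\ExampleVendor\ExampleApp\InstallDir = "C:\Program Files\Example" example.exe
"""

# One report row: operation, registry path (may contain spaces), optional
# '= "<data>"' for Set value rows, then the writing process at the end.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<process>\S+)$'
)

# Hive prefix as the sandbox reports it. The optional WOW6432Node component is
# dropped so writes from 32-bit and 64-bit processes hit the same rule entry.
HIVE_PREFIX = re.compile(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?', re.IGNORECASE)

RTP = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
# (key, value name) -> (data that switches the protection off, effect).
# The key and value names are the ones the report shows; the effect text is ours.
DEFENDER_TAMPER = {
    (RTP, "DisableRealtimeMonitoring"):   ("1", "real-time monitoring off"),
    (RTP, "DisableBehaviorMonitoring"):   ("1", "behaviour monitoring off"),
    (RTP, "DisableOnAccessProtection"):   ("1", "on-access scanning off"),
    (RTP, "DisableIOAVProtection"):       ("1", "download/attachment (IOAV) scanning off"),
    (RTP, "DisableScanOnRealtimeEnable"): ("1", "scan on real-time re-enable off"),
    (r"Microsoft\Windows Defender\Features", "TamperProtection"): ("0", "tamper protection off"),
}
LOOKUP = {(k.lower(), n.lower()): v for (k, n), v in DEFENDER_TAMPER.items()}


def parse_rows(text):
    """Parse every non-empty report row; unknown shapes raise rather than pass silently."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def normalize(path):
    """Strip '\\REGISTRY\\MACHINE\\SOFTWARE\\' and an optional 'WOW6432Node\\'."""
    return HIVE_PREFIX.sub("", path, count=1)


def find_defender_tampering(rows):
    """Return one finding per Set value row whose (key, name, data) disables a Defender feature."""
    findings = []
    for r in rows:
        if r["data"] is None:           # Key created / Key opened rows carry no data
            continue
        key, _, name = normalize(r["path"]).rpartition("\\")
        rule = LOOKUP.get((key.lower(), name.lower()))
        if rule and r["data"] == rule[0]:
            findings.append({"process": r["process"], "key": key, "value": name,
                             "data": r["data"], "effect": rule[1]})
    return findings


def summarize(findings):
    """Group effects by writing process: {'pro9727.exe': ['real-time monitoring off', ...]}."""
    by_proc = defaultdict(list)
    for f in findings:
        by_proc[f["process"]].append(f["effect"])
    return dict(by_proc)


if __name__ == "__main__":
    for proc, effects in summarize(find_defender_tampering(parse_rows(REGISTRY_ROWS))).items():
        print(f"{proc}: {len(effects)} Defender settings changed")
        for effect in effects:
            print(f"  - {effect}")
```

On the rows above the check attributes all six changes to pro9727.exe and ignores the key-creation rows and the benign row; the rule table only covers the value names this report shows and should be extended before it is used as a general detector.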
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"  7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"  un329366.exe
Triage note: wextract_cleanup0 and wextract_cleanup1 are the RunOnce values that the Windows IExpress self-extractor (wextract) writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. Together with the IXP000.TMP and IXP001.TMP paths in the process tree they identify the sample as a two-layer IExpress package (the outer layer extracts un329366.exe, which in turn extracts pro9727.exe and qu1123.exe). They are extractor cleanup, not persistence for the payloads, and RunOnce entries are removed once they run.
Program crash (1 IoC)
pid / pid_target / Process / procid_target:
  1280  764  WerFault.exe  85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un329366.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro9727.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu1123.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
  764  pro9727.exe
  764  pro9727.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
  Token: SeDebugPrivilege  764  pro9727.exe
  Token: SeDebugPrivilege  912  qu1123.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
  PID 4032 wrote to memory of 4848  4032  7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe  84  (recorded 3 times)
  PID 4848 wrote to memory of 764   4848  un329366.exe  85  (recorded 3 times)
  PID 4848 wrote to memory of 912   4848  un329366.exe  98  (recorded 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a50167dd257923cd4b88f63d7a1d2623ae1b97d1ccbd2e2b34a7059456ee143.exe"
  PID: 4032
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un329366.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un329366.exe
    PID: 4848
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9727.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9727.exe
      PID: 764
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1052
        PID: 1280
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1123.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1123.exe
      PID: 912
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 764 -ip 764
  PID: 1068
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 554KB
MD5: d9f59a256909b65502e3c8d8d3a37c2b
SHA1: f34a7147ade495e4562a697286bd8ac814d6ecbb
SHA256: 7b21250f51de8d7cd03d1d45f123e7e76b200a2469d39824b61c099de8c58a43
SHA512: ddc52916ff885cc4edf41796e140b30c9df0e57caafbd5232a34870901454563543430cd0ef65a937dfe62813e9e3363e539384d913fb074b869abc7027ea11f

Filesize: 345KB
MD5: c363c42796d3defc50f4d32b356f23ac
SHA1: 53c6d0c66007cc87f1e85d2e1e80be69daa906fa
SHA256: 032309abe41db2b3fd818261e505ac26022a624bf7136784e04286990934161d
SHA512: 604a3f6549392da7b112ed34ebd90e9e68b85f8f5c4e547509393d04f82ce45f7aad689fafa630588951d528525ad6df407293e414feba936c175ddb529efccb

Filesize: 403KB
MD5: abf486f0cc662fb50e14abcb70cc3933
SHA1: 9d89771c8d0d991df01d21575e681b9a2172e786
SHA256: 31453a4bddf64b2d0637713a33e0fb103cae418096e1c34981c0e064ee4513f1
SHA512: b310a5c0080b1d59be04f09c9bfd95d0fe80c1341a149f592f65234a3198e87c37c984e6d13753ece6b0a3aef3e4d0df9e89f2e22a8845509ffdec58b473483e