Analysis
- max time kernel: 147s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 14:25
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe
  - Resource: win10v2004-20241007-en
General
- Target: 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe
- Size: 659KB
- MD5: 2903defec419d597baa73340f1864cb0
- SHA1: 64347f07bcf9832b9da4253ddd5e4aa5b4c761b1
- SHA256: 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619
- SHA512: 4d1102e1356f4d1aa7e408c9f8214d009c670f0ef206f839a180baeeda61b932e2e8800efe17ccb6c493e04f8b560932d2d5cb46bcfa5662190547cece452cbb
- SSDEEP: 12288:3Mr7y90NEKcT0TFv8LREE/+HEGFgfew94I9Z1W4F8pn:8yCEPgGREE/+HheeDYT+pn
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
All hits are the "healer" YARA rule on memory dumps of PID 3896 (pro1632.exe):
- behavioral1/memory/3896-18-0x0000000002E20000-0x0000000002E3A000-memory.dmp
- behavioral1/memory/3896-20-0x00000000049F0000-0x0000000004A08000-memory.dmp
- behavioral1/memory/3896-34-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-48-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-46-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-44-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-42-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-40-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-38-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-36-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-32-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-30-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-28-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-26-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-25-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-22-0x00000000049F0000-0x0000000004A02000-memory.dmp
- behavioral1/memory/3896-21-0x00000000049F0000-0x0000000004A02000-memory.dmp
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
All writes are made by pro1632.exe:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
The writes are recorded under the WOW6432Node view because pro1632.exe is a 32-bit process (its crash is handled by SysWOW64\WerFault.exe below); when hunting for the same tampering on real hosts, query both the native and the WOW6432Node copy of the Policies\Microsoft\Windows Defender tree.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
All hits are the "family_redline" YARA rule on memory dumps of PID 2372 (qu5765.exe):
- behavioral1/memory/2372-60-0x0000000004BE0000-0x0000000004C26000-memory.dmp
- behavioral1/memory/2372-61-0x0000000007750000-0x0000000007794000-memory.dmp
- behavioral1/memory/2372-69-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-67-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-71-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-62-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-65-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-63-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-95-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-93-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-91-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-89-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-87-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-85-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-83-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-82-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-79-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-77-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-75-0x0000000007750000-0x000000000778F000-memory.dmp
- behavioral1/memory/2372-73-0x0000000007750000-0x000000000778F000-memory.dmp
Redline family
Executes dropped EXE (3 IoCs)
- PID 2440: un912895.exe
- PID 3896: pro1632.exe
- PID 2372: qu5765.exe
Windows security modification (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro1632.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro1632.exe)
The sandbox records the write, not its effect: Tamper Protection is designed to block exactly this kind of registry change from a user-mode process, so on a host where it is enforced this should be read as an attempt to disable it rather than a confirmed result.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un912895.exe)
Both values are the cleanup stub that IExpress/WEXTRACT self-extracting packages register so that their IXP00n.TMP extraction directory is deleted at the next logon. They point at the temporary directories, not at the dropped payloads, so by themselves they are installer residue rather than persistence for the stealer; the nested wextract_cleanup0/wextract_cleanup1 pair simply reflects one self-extractor (the sample) unpacking a second one (un912895.exe).
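A triage routine for the registry writes listed under the Healer and Run-key signatures above, added here as an example; it is not tria.ge code. It consumes registry-write events in a constructed, Sysmon Event ID 13-like shape (Image, TargetObject, Details; that field layout is an assumption for the example), flags the Defender Real-Time Protection policy values and the TamperProtection write on both the native and WOW6432Node paths, and separates the IExpress wextract_cleanup RunOnce stub from genuine autostart entries. The first three sample events are taken from this report; the evil.exe/Updater and explorer.exe events are constructed for contrast.

```python
"""Triage registry 'Set value' events against the Healer / IExpress patterns in this report.
Added example, not tria.ge tooling. Event shape (Image, TargetObject, Details) is assumed."""
import re
from dataclasses import dataclass

# Policy values Healer flips under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
DEFENDER_RTP_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# Match both the native view and the WOW6432Node view, since a 32-bit writer
# (pro1632.exe in this report) is recorded under WOW6432Node.
RTP_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$",
    re.IGNORECASE)
TAMPER_KEY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE)
RUNONCE_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
# IExpress/WEXTRACT registers exactly this cleanup stub for its IXP00n.TMP directory.
WEXTRACT_CLEANUP_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    process: str
    detail: str


def _as_int(details):
    """Accept the report's bare "1" as well as Sysmon's 'DWORD (0x00000001)' rendering."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return None


def triage_event(ev):
    """Return a Finding for one registry write, or None if the write is not interesting."""
    target, details, proc = ev["TargetObject"], str(ev.get("Details", "")), ev["Image"]
    m = RTP_KEY_RE.search(target)
    if m and m.group(1) in DEFENDER_RTP_VALUES and _as_int(details) == 1:
        return Finding("high", proc, f"Defender real-time protection policy {m.group(1)}=1")
    if TAMPER_KEY_RE.search(target) and _as_int(details) == 0:
        return Finding("high", proc, "Defender Features\\TamperProtection set to 0")
    m = RUNONCE_RE.search(target)
    if m:
        key, name = m.group(1), m.group(2)
        if WEXTRACT_CLEANUP_RE.match(name) and DELNODE_RE.search(details):
            return Finding("info", proc, f"{key}\\{name}: IExpress/wextract cleanup stub, not persistence")
        return Finding("medium", proc, f"{key}\\{name} autostart entry: {details}")
    return None


def triage(events):
    """Run triage_event over a list of events and keep the hits, in input order."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed sample: first three from this report, last two invented for contrast.
SAMPLE_EVENTS = [
    {"Image": "pro1632.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "1"},
    {"Image": "pro1632.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "0"},
    {"Image": "8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"Image": "evil.exe",  # constructed: a real autostart entry, not from the report
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
    {"Image": "explorer.exe",  # constructed: benign noise that must not fire
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.process}: {f.detail}")
```

The point of the "info" tier is that a RunOnce write from a self-extractor should not be scored like a Run key pointing at a dropped binary; the two high findings are what actually distinguish this dropper.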
Launches sc.exe (1 IoC)
sc.exe is a Windows utility for controlling services on the system.
- PID 2140: sc.exe
Program crash (1 IoC)
- PID 2216 (WerFault.exe) handled a crash of PID 3896 (pro1632.exe), procid_target 88
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
All four processes open \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language:
- 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe
- un912895.exe
- pro1632.exe
- qu5765.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3896: pro1632.exe
- PID 3896: pro1632.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 3896, pro1632.exe
- Token SeDebugPrivilege: PID 2372, qu5765.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3932 (8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe) wrote to memory of 2440, procid_target 87 (3 records)
- PID 2440 (un912895.exe) wrote to memory of 3896, procid_target 88 (3 records)
- PID 2440 (un912895.exe) wrote to memory of 2372, procid_target 96 (3 records)
Processes
C:\Users\Admin\AppData\Local\Temp\8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe"
  PID: 3932
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un912895.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un912895.exe
    PID: 2440
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1632.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1632.exe
      PID: 3896
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1080
        PID: 2216
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5765.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5765.exe
      PID: 2372
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3896 -ip 3896
  PID: 3004
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 2140
  - Launches sc.exe
Reading the tree: the sample is an IExpress self-extractor that unpacks un912895.exe into IXP000.TMP; un912895.exe is a second self-extractor that unpacks two payloads into IXP001.TMP, pro1632.exe (the Healer Defender-disabling component, which crashes and is picked up by the two WerFault.exe instances for PID 3896) and qu5765.exe (the RedLine stealer). sc.exe start wuauserv runs as a separate top-level process with no parent among the sample's processes, so the "Windows Service" ATT&CK mapping it triggers should be confirmed before being attributed to the sample.
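The lineage above can be rebuilt mechanically from the "Suspicious use of WriteProcessMemory" records, which is useful when a report's rendered tree is unavailable or truncated. The following is an added example, not tria.ge tooling: the record lines are copied verbatim from this report, PID_TO_IMAGE is filled in by hand from the Processes section, and the code collapses the triplicated records into edges, renders the tree, and lists the PIDs that the sample lineage never created (the two WerFault.exe instances and sc.exe).

```python
"""Rebuild the sample's process lineage from the report's WriteProcessMemory records.
Added example, not tria.ge tooling. WPM_RECORDS is copied from the report; PID_TO_IMAGE
is hand-assembled from its Processes section."""
import re
from collections import defaultdict

# tria.ge record layout: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")

WPM_RECORDS = """\
PID 3932 wrote to memory of 2440 3932 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe 87
PID 3932 wrote to memory of 2440 3932 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe 87
PID 3932 wrote to memory of 2440 3932 8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe 87
PID 2440 wrote to memory of 3896 2440 un912895.exe 88
PID 2440 wrote to memory of 3896 2440 un912895.exe 88
PID 2440 wrote to memory of 3896 2440 un912895.exe 88
PID 2440 wrote to memory of 2372 2440 un912895.exe 96
PID 2440 wrote to memory of 2372 2440 un912895.exe 96
PID 2440 wrote to memory of 2372 2440 un912895.exe 96
"""

# Every PID listed in the report's Processes section.
PID_TO_IMAGE = {
    3932: "8fbf9ab43e60d35de20b0a75e1597945684b7a792d15c58833f3e937a9773619.exe",
    2440: "un912895.exe",
    3896: "pro1632.exe",
    2372: "qu5765.exe",
    2216: "WerFault.exe",
    3004: "WerFault.exe",
    2140: "sc.exe",
}


def parse_edges(text):
    """Collapse the repeated records into one parent->child edge each, in first-seen order."""
    children = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        src, dst = int(m.group(1)), int(m.group(2))
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children)


def descendants(children, root):
    """All PIDs reachable from root through the recorded edges, sorted."""
    seen, stack = set(), [root]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


def render_tree(children, root, images=PID_TO_IMAGE, depth=0):
    """Indented lineage, one line per process."""
    lines = ["  " * depth + f"{images.get(root, '?')} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, child, images, depth + 1))
    return lines


def not_spawned_by(children, root, images=PID_TO_IMAGE):
    """PIDs in the report that the lineage rooted at `root` never wrote to.
    Here that is WerFault.exe (launched by Windows error reporting for the crash
    of PID 3896) and sc.exe, which has no parent in the sample's tree."""
    linked = set(descendants(children, root)) | {root}
    return sorted(pid for pid in images if pid not in linked)


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    print("\n".join(render_tree(edges, 3932)))
    print("not spawned by the sample:", not_spawned_by(edges, 3932))
```

The same approach works on any tria.ge report whose "wrote to memory of" records are available: the crash handlers and sandbox-level helpers fall out as orphans, which keeps them from being counted as sample behaviour.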
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 516KB
  MD5: f70ee3af0078e1f02d6349cebf02f462
  SHA1: 3134e024968f0b7fcd0fa8710b527a9b701d9dbd
  SHA256: d819af0b80086a42bc9b10f17605e8dc07ba81e1315cf10b0a40f2ffb6e14dc3
  SHA512: ac5968e1f10a2ded3eb12b3b2a3ae59de8f0a3920de67f820bd2acafc81426216f44d10bbcd85c696829278d1b383aecf2bd1b5a13857ec1fc0d6ffe09b36113
- Filesize: 284KB
  MD5: 0863b399921dffc506d41c63857345a8
  SHA1: b1d87e6e232c3113faf79ac0018211c73468c211
  SHA256: b66806fb8762526c2792cf0b9e955f77dba231a852bddeed3eb7d73289751717
  SHA512: f14e9df1fce62dd1609333db41c458e8cc7d34ca41766114576fda291210dfaef46478c9f894ecf78f830dfce8292989703e61dcb188a307fc4c6dfb8d92e057
- Filesize: 342KB
  MD5: 172bb1199f4fe4688f1c969bd4aae973
  SHA1: 2339e3496a17913e0b2a268201e53dc3dd322778
  SHA256: 5e7b19853fc6c6077eef46f001c5f2a678b57ad100639d09a8aecbc63dc7626e
  SHA512: 50eacf041a6a4aac0d77d2f118b6ccc91e4df042630fad4b9049619ed25b0c841c9d9e9123eab791c54df2add5b21755edbcf07e68145c00ffc6f1bf8a2ab139