Analysis
  max time kernel: 143s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/11/2024, 23:32

Static task: static1
Behavioral task: behavioral1
  Sample: 5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe
  Resource: win10v2004-20241007-en
General
  Target: 5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe
  Size: 471KB
  MD5: 148e2f6a10fd3c33b01b03d33f053d24
  SHA1: 9af3fe2244c39c99c56359ab7fdb1e30234e3311
  SHA256: 5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f
  SHA512: 48037c9366905dcf58d5649f52948d1440136f3d1e99830dc33ae0272b26818d433ea2d600ca890d787847ae05b6dea9d6cc3b775ce5b8ff8a5a272131fa617c
  SSDEEP: 12288:ZMr7y90trC6NOrFCppweGI8XHEotddUjc3Si:eyYnNsCppweGIyxCcX
Malware Config
  Extracted
    Family: redline
    Botnet: fukia
    C2: 193.233.20.13:4136
    auth_value: e5783636fbd9e4f0cf9a017bce02e67e
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (bYX99BT.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (bYX99BT.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (bYX99BT.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (bYX99BT.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (bYX99BT.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (bYX99BT.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  behavioral1/files/0x0007000000023cb9-58.dat: family_redline
  behavioral1/memory/1264-60-0x0000000000620000-0x0000000000652000-memory.dmp: family_redline

Redline family
Executes dropped EXE (3 IoCs)
  PID 4008: nbA51Cr.exe
  PID 3620: bYX99BT.exe
  PID 1264: dCM82ec.exe

Windows security modification
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (bYX99BT.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (bYX99BT.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (nbA51Cr.exe)
Program crash (1 IoC)
  PID 3064 (WerFault.exe), target PID 3620, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bYX99BT.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dCM82ec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nbA51Cr.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3620: bYX99BT.exe
  PID 3620: bYX99BT.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3620 (bYX99BT.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4468 wrote to memory of 4008 (5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe, procid_target 83)
  PID 4468 wrote to memory of 4008 (5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe, procid_target 83)
  PID 4468 wrote to memory of 4008 (5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe, procid_target 83)
  PID 4008 wrote to memory of 3620 (nbA51Cr.exe, procid_target 84)
  PID 4008 wrote to memory of 3620 (nbA51Cr.exe, procid_target 84)
  PID 4008 wrote to memory of 3620 (nbA51Cr.exe, procid_target 84)
  PID 4008 wrote to memory of 1264 (nbA51Cr.exe, procid_target 99)
  PID 4008 wrote to memory of 1264 (nbA51Cr.exe, procid_target 99)
  PID 4008 wrote to memory of 1264 (nbA51Cr.exe, procid_target 99)
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5cb43f9cb01a33a2483e2164259f2f4877e10091900b2e11a299aaad8ed2d69f.exe"
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4468
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nbA51Cr.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nbA51Cr.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4008
      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bYX99BT.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bYX99BT.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3620
        [4] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1080
            - Program crash
            PID: 3064
      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCM82ec.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCM82ec.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1264
  [1] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3620 -ip 3620
      PID: 4796
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution: 1
      Registry Run Keys / Startup Folder: 1
    Create or Modify System Process: 1
      Windows Service: 1
Downloads