Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 21:37
Static task: static1
Behavioral task: behavioral1
- Sample: 8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe
- Resource: win10v2004-20241007-en
General
- Target: 8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe
- Size: 660KB
- MD5: 4af2075f09533c96439e472c41216a35
- SHA1: 648435d4c9cf161b30113d9dce725342abef4a31
- SHA256: 8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67
- SHA512: 82ab4d80fcd3a5b1ea2d352aa3516dbd8a1dafeae2fa10936f9aff8706f4c5afac9493d563e0011a57ef326d64c6badc370ca67ba95a2e4a0df33156a356eaff
- SSDEEP: 12288:MMriy90ZXcSJAx7w0ugW9MqJ5zW7VmM9OXeCa4QOoJRAbcjSNX4rshpds8r7xlK:OyCA9wNNiqJJgv2H1wfAbcj+Vpdpr7xL
Malware Config
Extracted
- Family: redline
- Botnet: norm
- C2: 77.91.124.145:4125
- auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
- Family: redline
- Botnet: droz
- C2: 77.91.124.145:4125
- auth_value: d099adf6dbf6ccb8e16967104280634a
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x0008000000023c98-12.dat: yara rule healer
- behavioral1/memory/2484-15-0x0000000000A50000-0x0000000000A5A000-memory.dmp: yara rule healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr902953.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr902953.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr902953.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr902953.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr902953.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr902953.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
- behavioral1/memory/4424-2105-0x0000000005530000-0x0000000005562000-memory.dmp: yara rule family_redline
- behavioral1/files/0x0010000000023b5e-2110.dat: yara rule family_redline
- behavioral1/memory/5784-2118-0x00000000007D0000-0x0000000000800000-memory.dmp: yara rule family_redline
- behavioral1/files/0x0007000000023c96-2127.dat: yara rule family_redline
- behavioral1/memory/2092-2129-0x00000000001E0000-0x000000000020E000-memory.dmp: yara rule family_redline
Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence check.
- Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (ku086375.exe)

Executes dropped EXE (5 IoCs)
- PID 1288: ziPa0396.exe
- PID 2484: jr902953.exe
- PID 4424: ku086375.exe
- PID 5784: 1.exe
- PID 2092: lr177237.exe

Windows security modification (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr902953.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ziPa0396.exe)
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
- PID 6036: sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- PID 3200: WerFault.exe, target PID 4424 (procid_target 93)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ziPa0396.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku086375.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lr177237.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2484: jr902953.exe
- PID 2484: jr902953.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2484 (jr902953.exe)
- Token: SeDebugPrivilege, PID 4424 (ku086375.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 3936 wrote to memory of PID 1288 (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe, procid_target 85)
- PID 3936 wrote to memory of PID 1288 (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe, procid_target 85)
- PID 3936 wrote to memory of PID 1288 (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe, procid_target 85)
- PID 1288 wrote to memory of PID 2484 (ziPa0396.exe, procid_target 86)
- PID 1288 wrote to memory of PID 2484 (ziPa0396.exe, procid_target 86)
- PID 1288 wrote to memory of PID 4424 (ziPa0396.exe, procid_target 93)
- PID 1288 wrote to memory of PID 4424 (ziPa0396.exe, procid_target 93)
- PID 1288 wrote to memory of PID 4424 (ziPa0396.exe, procid_target 93)
- PID 4424 wrote to memory of PID 5784 (ku086375.exe, procid_target 94)
- PID 4424 wrote to memory of PID 5784 (ku086375.exe, procid_target 94)
- PID 4424 wrote to memory of PID 5784 (ku086375.exe, procid_target 94)
- PID 3936 wrote to memory of PID 2092 (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe, procid_target 98)
- PID 3936 wrote to memory of PID 2092 (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe, procid_target 98)
- PID 3936 wrote to memory of PID 2092 (8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe, procid_target 98)
Processes (tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe (PID 3936)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8376a393beba9b4b400bed03258165e4d7d345c5c37d327b9589d7e279317a67.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPa0396.exe (PID 1288)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPa0396.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr902953.exe (PID 2484)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr902953.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku086375.exe (PID 4424)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku086375.exe
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe (PID 5784)
        Command line: "C:\Windows\Temp\1.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 3200)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1376
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr177237.exe (PID 2092)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr177237.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 3512)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4424 -ip 4424
- C:\Windows\system32\sc.exe (PID 6036)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  Signatures: Launches sc.exe
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads