Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 01:53
Static task
static1
Behavioral task
behavioral1
Sample
b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe
Resource
win10v2004-20241007-en
General
Target: b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe
Size: 927KB
MD5: d671a43cc433dbff920e45965f5810f4
SHA1: 40180f91329335c841fd8d081e832e95af8ac826
SHA256: b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1
SHA512: 41c8f2e1320435966201a0084b47b94cb9cf5b469c4a174aee0fa65f9a8708d427c27a3e9f2012be5071a87257e99f74624f113c2978e9855d1639bd5cdf1720
SSDEEP: 12288:RMrry90NAWuTHqbZRztu/KbFv1d+bWlUFoWK4IkpixJMPATx4cSSkxu3+uORf/bz:Gya8SWeFNd+6lUbK4IVVASYymbuy
Malware Config
Extracted
redline
norm
77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted
redline
droz
77.91.124.145:4125
auth_value: d099adf6dbf6ccb8e16967104280634a
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b98-19.dat | healer
behavioral1/memory/2124-22-0x00000000001E0000-0x00000000001EA000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it513356.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it513356.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it513356.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it513356.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it513356.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it513356.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1448-2112-0x0000000005400000-0x0000000005432000-memory.dmp | family_redline
behavioral1/files/0x000f000000023aee-2117.dat | family_redline
behavioral1/memory/6092-2125-0x0000000000230000-0x0000000000260000-memory.dmp | family_redline
behavioral1/files/0x000a000000023b96-2134.dat | family_redline
behavioral1/memory/944-2136-0x0000000000AE0000-0x0000000000B0E000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | jr316860.exe
Executes dropped EXE (6 IoCs)
pid | Process
4876 | ziQa9310.exe
212 | ziIF7287.exe
2124 | it513356.exe
1448 | jr316860.exe
6092 | 1.exe
944 | kp153550.exe
Windows security modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it513356.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziQa9310.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziIF7287.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1828 | 1448 | WerFault.exe | 96
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziQa9310.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziIF7287.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr316860.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kp153550.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2124 | it513356.exe
2124 | it513356.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2124 | it513356.exe
Token: SeDebugPrivilege | 1448 | jr316860.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 372 wrote to memory of 4876 | 372 | b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe | 83
PID 372 wrote to memory of 4876 | 372 | b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe | 83
PID 372 wrote to memory of 4876 | 372 | b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe | 83
PID 4876 wrote to memory of 212 | 4876 | ziQa9310.exe | 85
PID 4876 wrote to memory of 212 | 4876 | ziQa9310.exe | 85
PID 4876 wrote to memory of 212 | 4876 | ziQa9310.exe | 85
PID 212 wrote to memory of 2124 | 212 | ziIF7287.exe | 87
PID 212 wrote to memory of 2124 | 212 | ziIF7287.exe | 87
PID 212 wrote to memory of 1448 | 212 | ziIF7287.exe | 96
PID 212 wrote to memory of 1448 | 212 | ziIF7287.exe | 96
PID 212 wrote to memory of 1448 | 212 | ziIF7287.exe | 96
PID 1448 wrote to memory of 6092 | 1448 | jr316860.exe | 97
PID 1448 wrote to memory of 6092 | 1448 | jr316860.exe | 97
PID 1448 wrote to memory of 6092 | 1448 | jr316860.exe | 97
PID 4876 wrote to memory of 944 | 4876 | ziQa9310.exe | 102
PID 4876 wrote to memory of 944 | 4876 | ziQa9310.exe | 102
PID 4876 wrote to memory of 944 | 4876 | ziQa9310.exe | 102
Processes
C:\Users\Admin\AppData\Local\Temp\b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b181e8afd4822f75f69f62c09ee9194631a6669ca9283b575e855119316ba6c1.exe"
  PID: 372
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQa9310.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQa9310.exe
    PID: 4876
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziIF7287.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziIF7287.exe
      PID: 212
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it513356.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it513356.exe
        PID: 2124
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr316860.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr316860.exe
        PID: 1448
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Temp\1.exe
          command line: "C:\Windows\Temp\1.exe"
          PID: 6092
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1552
          PID: 1828
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp153550.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp153550.exe
      PID: 944
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1448 -ip 1448
  PID: 636
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 661KB
MD5: c42d3306b6f41279d7c7ea452f1d5d58
SHA1: 7bce7ddf63b7a31e4d458e3197cfcb29c4137f6c
SHA256: 49cdf73501b36dec57ea6cc731d80292b62a2f33818389707f5130f9060d5eee
SHA512: 17ee69bbadcb40204aa4569d489aa67f3690501d9f7eb3d440320299ff1b91f74e39b3e113f95dea3a7cc5662e6931454c9a50061c81ac1a08b9a0e383bed9dc

Filesize: 168KB
MD5: 01e8b748de3920959cb99cabc270603e
SHA1: 7a8088974d277b900de2a8738df8d0cb83970693
SHA256: 4b0d0a419688cb34a825c63b933bfd37e145c2e65d88ff2d1631b61944aa1c90
SHA512: 984d56d9d3a48901d8d42c7028a5ec9ab9f556822152dcff33e873ad452ff26be8ddaca2e2f2cf3052e116275ebccd44f1fb59ce56cdc197ffa01bc60c3999ea

Filesize: 507KB
MD5: 22d144ceb15971d704e373d1f7090d16
SHA1: 005ff1875257790241902fecba9b84d4ccb93adb
SHA256: 58462ddb5271718aa4b62480324039be3b6ad43e299bad9afd55ba8d33c506e6
SHA512: 97df513b53f389ffc49150e92522ec6b23efc76636ddbdb46e2edbdf6dd444226745890d5c920ba5f0264e3cf6eafc65149a30694d7e826ed774ca005eb4184a

Filesize: 15KB
MD5: e2e6fe9a49351846b3dfa3874333f5d3
SHA1: fcfa1279252ef9ba19e382e178cc1b54a9b59531
SHA256: 9c1b44bfee7356fac9984eb55a57795cbaf6af8c0c3e3c78f8a54d912dbf3637
SHA512: 6b493ecf1e967980ac2f4b816deb5a74e8c5a6ce99503944f8aaa93f1fdff669889a63645f812e0401adf2664bb9923745330e8bc03e19e37bc58c45727d2a01

Filesize: 426KB
MD5: 259de95abacce166bd7c584f3e2497a7
SHA1: 7159ddb4e9f44adc2395d941d781dd26ba7cb8d0
SHA256: fa8f5a8a17d7fd1f0017229a2d6f241abd64b9ddba23641e638c028de35c8cb7
SHA512: 14cb47991113a132f10e2c5f058e088816022f0a50a3e99ef3870d25ec5a13f2643ce7f8e8a06ef6cf8f0d4574c0c3f65c073ac3bc27801af37ee5d9b5d05f96

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0