Analysis

max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 17:30

Static task: static1
Behavioral task: behavioral1
Sample: 1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe
Resource: win10v2004-20241007-en
General

Target: 1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe
Size: 471KB
MD5: 979198bef60d4e4ff211eb73f2d4d23b
SHA1: 2336b6337d8a7205983af37fbfea0264935910cc
SHA256: 1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996
SHA512: 3d2a4ced5f3c5f02a8b25a1681467a2f9706dd2819b5d4d5828bf7e6c7b8268b184212c49310b5ea1f8cf68a845fc2f2299bbcbf5ed67d625eb1734b9814c451
SSDEEP: 12288:2Mrty90eLCjGSkvP+UDhtweSI8XHE3t+dUjcpSw:byWkvmShtweSIyfCcf
Malware Config

Extracted
Family: redline
Botnet: fukia
C2: 193.233.20.13:4136
Attributes
auth_value: e5783636fbd9e4f0cf9a017bce02e67e
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/4472-19-0x0000000002730000-0x000000000274A000-memory.dmp  healer
behavioral1/memory/4472-21-0x0000000004D00000-0x0000000004D18000-memory.dmp  healer
behavioral1/memory/4472-47-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-45-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-43-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-41-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-39-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-33-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-49-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-31-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-29-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-27-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-25-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-23-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-22-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-37-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
behavioral1/memory/4472-35-0x0000000004D00000-0x0000000004D12000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  bJY85BU.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  bJY85BU.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  bJY85BU.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  bJY85BU.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  bJY85BU.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  bJY85BU.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource  yara_rule
behavioral1/files/0x0007000000023cae-58.dat  family_redline
behavioral1/memory/3284-60-0x0000000000CB0000-0x0000000000CE2000-memory.dmp  family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid  Process
1436  nwd69Mw.exe
4472  bJY85BU.exe
3284  dfg00Pc.exe

Windows security modification
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  bJY85BU.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  bJY85BU.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  nwd69Mw.exe

Program crash (1 IoCs)
pid  pid_target  Process  procid_target
1508  4472  WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nwd69Mw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bJY85BU.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dfg00Pc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
4472  bJY85BU.exe
4472  bJY85BU.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4472  bJY85BU.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 3512 wrote to memory of 1436  3512  1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe  83
PID 3512 wrote to memory of 1436  3512  1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe  83
PID 3512 wrote to memory of 1436  3512  1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe  83
PID 1436 wrote to memory of 4472  1436  nwd69Mw.exe  84
PID 1436 wrote to memory of 4472  1436  nwd69Mw.exe  84
PID 1436 wrote to memory of 4472  1436  nwd69Mw.exe  84
PID 1436 wrote to memory of 3284  1436  nwd69Mw.exe  95
PID 1436 wrote to memory of 3284  1436  nwd69Mw.exe  95
PID 1436 wrote to memory of 3284  1436  nwd69Mw.exe  95
Processes

C:\Users\Admin\AppData\Local\Temp\1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b883351a4770aca0b1a7c0f2e16140cbcbe5cc56328ac27618b7da5f8594996.exe"
  PID: 3512
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nwd69Mw.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nwd69Mw.exe
    PID: 1436
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bJY85BU.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bJY85BU.exe
      PID: 4472
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1084
        PID: 1508
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfg00Pc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfg00Pc.exe
      PID: 3284
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472
  PID: 1276
Network
MITRE ATT&CK Enterprise v15

Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Downloads

Filesize: 367KB
MD5: 8ee574594b0cfc0401e6660f57a23183
SHA1: eb17c9d3c29173ab2ebd6932c2cae19f2c21747e
SHA256: 4d712ab23ffa964bd6f749cb56b581eef1856db5e7bda997a65fda5d3806974c
SHA512: f230c7043596d90aa3f5883f879990443868ed52fcefb64ff6c4013673f867fd527dc0906846adbafe85b4d8c49fa782670e8245b0b9f9c54600f58f30c379f0

Filesize: 221KB
MD5: 650edc19b1aca3918cac9653356216eb
SHA1: ef9a1f60652100833594be40d28f9ffe6a2055fd
SHA256: 0e711dbb0f5f93270c09a23732b1667c61f63a3eef25a7ef52a85ffa5423cf89
SHA512: 296fb1cf316e10f7392cee004e879ff8870b643378c2b8ad55346523eaea0863e7948a709c1aa693087cb18f6aa16e84dc5e0da13f0839275a649a1c9daece19

Filesize: 175KB
MD5: a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA1: 3d06413341893b838549939e15f8f1eec423d71a
SHA256: 1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512: d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2