Analysis

max time kernel  127s
max time network  144s
platform  windows10-2004_x64
resource  win10v2004-20241007-en
resource tags  arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted  10/11/2024, 08:28
Static task  static1
Behavioral task  behavioral1
Sample  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe
Resource  win10v2004-20241007-en
General

Target  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe
Size  500KB
MD5  be39aaa60c56bbc637126cb16f143907
SHA1  8e77b3da5f5d3801816b6939fa554974e36eaf7f
SHA256  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85
SHA512  a807fea73f1f2a7905c402a2576947266d9eda06d3b6d932cba21cd5d9a78d5202b76a2895a6ec5bac535f0b9a58f4690fc3b600cd01637f18e11895f4d84e55
SSDEEP  12288:eMr2y90y5u9j2+KKoZchgWlCdAyPSftSKaWQ4hGO8K:Iyn5Zc+UCdAt1zFYK
Malware Config

Extracted
Family  redline
Botnet  fukia
C2  193.233.20.13:4136
Attributes
auth_value  e5783636fbd9e4f0cf9a017bce02e67e
Signatures

Detects Healer an antivirus disabler dropper 19 IoCs
resource  yara_rule
behavioral1/files/0x0008000000023ca9-12.dat  healer
behavioral1/memory/4040-15-0x00000000003F0000-0x00000000003FA000-memory.dmp  healer
behavioral1/memory/4352-22-0x00000000024D0000-0x00000000024EA000-memory.dmp  healer
behavioral1/memory/4352-24-0x0000000002680000-0x0000000002698000-memory.dmp  healer
behavioral1/memory/4352-28-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-26-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-52-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-51-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-48-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-46-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-44-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-42-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-40-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-38-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-37-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-34-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-33-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-30-0x0000000002680000-0x0000000002692000-memory.dmp  healer
behavioral1/memory/4352-25-0x0000000002680000-0x0000000002692000-memory.dmp  healer

Note that 15 of the 19 hits are successive dumps of the same 0x2680000-0x2692000 region in PID 4352 (eNa65NN.exe); the rule is matching one in-memory Healer payload repeatedly, not 15 distinct ones. The only other distinct matches are the dropped file, a region in PID 4040 (dxt98Ls.exe) and two further regions in PID 4352.
Healer family

Modifies Windows Defender Real-time Protection settings 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  dxt98Ls.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  eNa65NN.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  dxt98Ls.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  dxt98Ls.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  dxt98Ls.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  dxt98Ls.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  eNa65NN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  eNa65NN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  dxt98Ls.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  eNa65NN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  eNa65NN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  eNa65NN.exe

Both droppers set the same five Disable* values under the Real-Time Protection policy key; the writes from dxt98Ls.exe land in the native key and those from eNa65NN.exe under WOW6432Node, the 32-bit registry view, so a detection rule should match both spellings of the path.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource  yara_rule
behavioral1/files/0x0007000000023ca7-57.dat  family_redline
behavioral1/memory/3996-59-0x0000000000970000-0x00000000009A2000-memory.dmp  family_redline

Redline family
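The Healer and RedLine yara hits above use the same resource naming, so a small parser turns them into something an analyst can pivot on: which PIDs carried a matching region, where it sat, how large it was, and how many of the rows are repeated dumps of one region. The following is an added example written for this page, not code from tria.ge; it assumes the path shapes printed in this report (`<task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` and `<task>/files/<hexkey>-<n>.dat`) and uses a constructed subset of the report's own rows as input.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the yara-hit rows printed under the Healer and
# RedLine signatures of this report (resource path followed by the rule name).
SAMPLE_HITS = """\
behavioral1/files/0x0008000000023ca9-12.dat healer
behavioral1/memory/4040-15-0x00000000003F0000-0x00000000003FA000-memory.dmp healer
behavioral1/memory/4352-22-0x00000000024D0000-0x00000000024EA000-memory.dmp healer
behavioral1/memory/4352-24-0x0000000002680000-0x0000000002698000-memory.dmp healer
behavioral1/memory/4352-28-0x0000000002680000-0x0000000002692000-memory.dmp healer
behavioral1/memory/4352-30-0x0000000002680000-0x0000000002692000-memory.dmp healer
behavioral1/memory/4352-52-0x0000000002680000-0x0000000002692000-memory.dmp healer
behavioral1/files/0x0007000000023ca7-57.dat family_redline
behavioral1/memory/3996-59-0x0000000000970000-0x00000000009A2000-memory.dmp family_redline
"""

# Resource shapes as printed in this report (assumed stable for this page's format):
#   <task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp   a dumped memory region
#   <task>/files/<hexkey>-<n>.dat                          a file written by the sample
MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^(?P<task>\w+)/files/(?P<key>0x[0-9A-Fa-f]+)-(?P<n>\d+)\.dat$")


def parse_hit(line):
    """Split one 'resource rule' row into a dict; raise on a shape we do not recognise."""
    path, rule = line.strip().rsplit(" ", 1)
    m = MEM_RE.match(path)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]), "n": int(m["n"]),
                "start": start, "end": end, "size": end - start, "rule": rule}
    m = FILE_RE.match(path)
    if m:
        return {"kind": "file", "task": m["task"], "key": m["key"], "n": int(m["n"]), "rule": rule}
    raise ValueError(f"unrecognised IoC resource: {path!r}")


def parse_hits(text):
    return [parse_hit(line) for line in text.splitlines() if line.strip()]


def regions_by_process(hits):
    """pid -> rule -> sorted unique (start, end) regions; repeated dumps of one region collapse."""
    acc = defaultdict(lambda: defaultdict(set))
    for h in hits:
        if h["kind"] == "memory":
            acc[h["pid"]][h["rule"]].add((h["start"], h["end"]))
    return {pid: {rule: sorted(regs) for rule, regs in rules.items()} for pid, rules in acc.items()}


def summarize(text):
    """Counts plus the per-process region map, so 'N IoCs' can be read as distinct regions."""
    hits = parse_hits(text)
    regions = regions_by_process(hits)
    return {
        "rows": len(hits),
        "file_hits": sum(h["kind"] == "file" for h in hits),
        "memory_hits": sum(h["kind"] == "memory" for h in hits),
        "unique_regions": sum(len(r) for rules in regions.values() for r in rules.values()),
        "regions": regions,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_HITS)
    print(f"{s['rows']} rows: {s['file_hits']} file hits, {s['memory_hits']} memory hits, "
          f"{s['unique_regions']} distinct regions")
    for pid, rules in sorted(s["regions"].items()):
        for rule, regs in rules.items():
            for start, end in regs:
                print(f"  pid {pid:<5} {rule:<15} 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes)")
```

Run against the full 19-row Healer list the same way, the 16 rows for PID 4352 collapse to three distinct regions, which is the number an analyst would actually want to carve from a full memory capture.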
Executes dropped EXE 4 IoCs
pid  Process
4424  nju23gV07.exe
4040  dxt98Ls.exe
4352  eNa65NN.exe
3996  fPG26hI.exe
Windows security modification 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  eNa65NN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  dxt98Ls.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  eNa65NN.exe

On a host where Tamper Protection is enabled, Defender rejects changes to its settings, including this value, made through the registry by processes other than its own; the sandbox records the attempted writes, not whether they took effect.
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  nju23gV07.exe

These wextract_cleanupN values are written by the Windows self-extractor (wextract, the IExpress runtime) to delete its IXP00n.TMP extraction directory at next logon via advpack.dll's DelNodeRunDLL32. They show that the sample is a nested IExpress package (IXP000.TMP from the outer EXE, IXP001.TMP from nju23gV07.exe); they do not re-launch the payload, so they are an unpacking artifact rather than persistence.
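The three registry signatures above (Real-Time Protection policy values, TamperProtection, and the RunOnce cleanup entries) are the rows a detection engineer would want to classify automatically, and they need the native and WOW6432Node paths treated as one. The following is an added example written for this page, not code from tria.ge or from the Healer or RedLine authors; it assumes registry rows in the (operation, key, value, process) shape the report prints, uses rows copied from this report plus one hypothetical benign explorer.exe autostart as a control, and the tag names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: registry rows in the (operation, key, value, process) shape this
# report prints. All but the last row are copied from the Healer and RunOnce signatures
# above; the explorer.exe row is a hypothetical benign autostart added as a control.
SAMPLE_ROWS = [
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1", "dxt98Ls.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "1", "dxt98Ls.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection", None, "eNa65NN.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection", "1", "eNa65NN.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0", "dxt98Ls.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0", "eNa65NN.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe"),
    # Hypothetical benign control row, not from the report.
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Program Files\OneDrive\OneDrive.exe" /background', "explorer.exe"),
]

DEFENDER_RT_PREFIX = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
TAMPER_PROTECTION = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"
AUTOSTART_RE = re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\run(once)?\\(?P<name>[^\\]+)$")


def normalize_key(path):
    """Map the NT object path to a hive name and drop the Wow6432Node level, so one rule
    matches the native view written by dxt98Ls.exe and the 32-bit view written by eNa65NN.exe."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p.lower()


def classify(op, path, value):
    """Return a tag for a registry row this report's signatures care about, else None."""
    key = normalize_key(path)
    is_set = op.startswith("Set value")
    if is_set and key.startswith(DEFENDER_RT_PREFIX):
        name = key[len(DEFENDER_RT_PREFIX):]
        if name.startswith("disable") and value == "1":
            return "defender_realtime_disabled"
    if is_set and key == TAMPER_PROTECTION and value == "0":
        return "tamper_protection_disabled"
    m = AUTOSTART_RE.match(key)
    if m and is_set:
        cmd = (value or "").lower()
        # wextract/IExpress schedules deletion of its own IXP00n.TMP directory this way;
        # it is an unpacking artifact, not persistence for the payload, so tag it apart.
        if m["name"].startswith("wextract_cleanup") and "advpack.dll,delnoderundll32" in cmd:
            return "wextract_cleanup"
        return "autostart"
    return None


def summarize(rows):
    """process -> sorted list of tags, so the Defender-tampering pair stands out per dropper."""
    tags = defaultdict(set)
    for op, path, value, process in rows:
        tag = classify(op, path, value)
        if tag:
            tags[process].add(tag)
    return {proc: sorted(t) for proc, t in tags.items()}


if __name__ == "__main__":
    for proc, tags in summarize(SAMPLE_ROWS).items():
        print(f"{proc}: {', '.join(tags)}")
```

Fed Sysmon Event ID 12/13 records (or any registry telemetry that carries the NT object path), the same classify() works unchanged; the one adaptation is that Sysmon already prints HKLM rather than \REGISTRY\MACHINE, which normalize_key() passes through untouched.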
Program crash 1 IoCs
pid  pid_target  Process  procid_target
2736  4352  WerFault.exe  99
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eNa65NN.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fPG26hI.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nju23gV07.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
4040  dxt98Ls.exe
4040  dxt98Ls.exe
4352  eNa65NN.exe
4352  eNa65NN.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  4040  dxt98Ls.exe
Token: SeDebugPrivilege  4352  eNa65NN.exe
Suspicious use of WriteProcessMemory 11 IoCs
description  pid  Process  procid_target
PID 216 wrote to memory of 4424  216  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe  83
PID 216 wrote to memory of 4424  216  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe  83
PID 216 wrote to memory of 4424  216  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe  83
PID 4424 wrote to memory of 4040  4424  nju23gV07.exe  84
PID 4424 wrote to memory of 4040  4424  nju23gV07.exe  84
PID 4424 wrote to memory of 4352  4424  nju23gV07.exe  99
PID 4424 wrote to memory of 4352  4424  nju23gV07.exe  99
PID 4424 wrote to memory of 4352  4424  nju23gV07.exe  99
PID 216 wrote to memory of 3996  216  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe  108
PID 216 wrote to memory of 3996  216  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe  108
PID 216 wrote to memory of 3996  216  68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe  108
Processes

C:\Users\Admin\AppData\Local\Temp\68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe (PID 216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68912936b876b67d2681d82505b44676ce86f60774b9a7f571d63ae303e09f85.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nju23gV07.exe (PID 4424)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nju23gV07.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dxt98Ls.exe (PID 4040)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dxt98Ls.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNa65NN.exe (PID 4352)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNa65NN.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 2736)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1080
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fPG26hI.exe (PID 3996)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fPG26hI.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (PID 2196)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4352 -ip 4352
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize  175KB
MD5  a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA1  3d06413341893b838549939e15f8f1eec423d71a
SHA256  1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512  d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Filesize  355KB
MD5  e28712fe45ae78f1bcde516e7123bebd
SHA1  077fd51f3ecb0a731fb70415d8bdf6e12e8acb66
SHA256  e9c68ad0784b69b2b127c5e19dc44d33d3a43fa7cc865949f9fcccc1af33bcc6
SHA512  9c21c32b27c59e83372003e33ff9d0afc97b44e20022da6cc30f411ffd72af7aee1806bebe5e436533d81dd90bf00948c7818b33207095983065503b343a9e18

Filesize  11KB
MD5  7e93bacbbc33e6652e147e7fe07572a0
SHA1  421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256  850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512  250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize  294KB
MD5  da6ac6de1334418c6603e1475d65a83e
SHA1  1fe2b33532bb6a41c2d6b690d1c099f2a5594a81
SHA256  284480cbc6152a055bd2a9adfa29ec2db08b461da476a8082fc73ebb3ff222c6
SHA512  b0fefa313cdb9f6acc8de837a89468998b2f3b97186b964bdc9531a31bf9b6fd47cf97f699c39293d70c5ab6ce2752d4af25c8a869ae0119c682b34499ec1b9f