Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 10:20
Static task
static1
Behavioral task
behavioral1
Sample
295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe
Resource
win10v2004-20241007-en
General
-
Target
295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe
-
Size
470KB
-
MD5
df95c994b48bc8ee6dc85f8d30d16544
-
SHA1
6175e21812eb40b18092420c727d065876c2d287
-
SHA256
295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029
-
SHA512
429cb1695f337d63a5a72585d199914be581d11b0ff1d0cc548d24a14ad2658ed1ad390b3e5e06cafe1ee9c391b32ee54b658a03016e809d8d2fad7f24f33d5c
-
SSDEEP
6144:Kny+bnr+hp0yN90QEYEmPHCqKpF3jPKNDj/WC/nHgrEELilBh0EHur9mwafmVV3w:ZMr5y90YHCqKpJ6PDFg91VV3gWc
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4160-19-0x00000000024F0000-0x000000000250A000-memory.dmp healer behavioral1/memory/4160-21-0x00000000028A0000-0x00000000028B8000-memory.dmp healer behavioral1/memory/4160-27-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-49-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-47-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-45-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-43-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-41-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-39-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-37-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-35-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-33-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-31-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-29-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-25-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-23-0x00000000028A0000-0x00000000028B2000-memory.dmp healer behavioral1/memory/4160-22-0x00000000028A0000-0x00000000028B2000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection bBe21Fw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bBe21Fw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bBe21Fw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bBe21Fw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bBe21Fw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bBe21Fw.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023caa-58.dat family_redline behavioral1/memory/348-60-0x0000000000ED0000-0x0000000000F02000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1632 nnH19Xv.exe 4160 bBe21Fw.exe 348 dRi04yN.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features bBe21Fw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" bBe21Fw.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nnH19Xv.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2308 4160 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnH19Xv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bBe21Fw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dRi04yN.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4160 bBe21Fw.exe 4160 bBe21Fw.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4160 bBe21Fw.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2452 wrote to memory of 1632 2452 295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe 83 PID 2452 wrote to memory of 1632 2452 295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe 83 PID 2452 wrote to memory of 1632 2452 295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe 83 PID 1632 wrote to memory of 4160 1632 nnH19Xv.exe 84 PID 1632 wrote to memory of 4160 1632 nnH19Xv.exe 84 PID 1632 wrote to memory of 4160 1632 nnH19Xv.exe 84 PID 1632 wrote to memory of 348 1632 nnH19Xv.exe 99 PID 1632 wrote to memory of 348 1632 nnH19Xv.exe 99 PID 1632 wrote to memory of 348 1632 nnH19Xv.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe"C:\Users\Admin\AppData\Local\Temp\295df8f1fa39cc3b082d61ff0164582bea7b669fa45c54d82ff788a5dfe7f029.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnH19Xv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnH19Xv.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBe21Fw.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBe21Fw.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 10804⤵
- Program crash
PID:2308
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dRi04yN.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dRi04yN.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:348
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4160 -ip 41601⤵PID:1228
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
366KB
MD5c49cee6b9af34350f91eb11cfa43bada
SHA12f913470e7332d1851322b537e12061e9b5d509a
SHA2562cae61b7af915afdef29918f2915c81b13450b85b0e3c6e8a1b1ab9b18d3a762
SHA512c74361de7173f7b76fe564ed12160cf6e70a0811a979f5f60f1b1586c4d674c8f4f45f3408bf7773d93d50533a2e755dd72c366c69dcd6660b5d99c799e43fcc
-
Filesize
220KB
MD5de42ca5e48e76be8fc7fd36752b6eb50
SHA1c594fea49882a1f0c4745c38de903c8f3e963acd
SHA2569be125a22fe4bbedcd63b46faf563f107bb54c1f6c894e45b4794c3e184aa0aa
SHA512b4dbe8b6ed6cf26a7225ef2a8af07629fdcc447920dd8bb5362cefdbbafe439ef92e5011c8c26716dba06646d161eca676470e484995173dd39dc42db454ff7b
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2