Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe
- Resource: win10v2004-20241007-en
General
- Target: 3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe
- Size: 686KB
- MD5: e8697c91384559e1405d7a58ad55b90c
- SHA1: 5fdb12ae3e23080f07a37a2c7302944c0d267047
- SHA256: 3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3
- SHA512: 2328cc2d7900887942ab51bbbffb30a80943a00c42140c44fe21378fb7011b4fba6076ac8cdb429c95d56cc0af425edc7aecec249712d189dd386a71a579d354
- SSDEEP: 12288:3Mr0y90gl1X7qlX0U/s1NxjwQ5+FTA+tyCByMK896SuSt0zxOUt7PYUQ:Pyxl1X7HQKN5+mn2T/YBt7PYT
Malware Config
Extracted
- Family: redline
- Botnet: boris
- C2: 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro4172.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro4172.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro4172.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro4172.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro4172.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro4172.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 2480: un992268.exe
- PID 3484: pro4172.exe
- PID 1076: qu9616.exe

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro4172.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro4172.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un992268.exe)

Program crash (1 IoC)
- PID 4700 (WerFault.exe), target PID 3484, procid_target 84

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro4172.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu9616.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un992268.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3484: pro4172.exe
- PID 3484: pro4172.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3484 (pro4172.exe)
- Token: SeDebugPrivilege, PID 1076 (qu9616.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4672 wrote to memory of 2480 (3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe, procid_target 83)
- PID 4672 wrote to memory of 2480 (3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe, procid_target 83)
- PID 4672 wrote to memory of 2480 (3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe, procid_target 83)
- PID 2480 wrote to memory of 3484 (un992268.exe, procid_target 84)
- PID 2480 wrote to memory of 3484 (un992268.exe, procid_target 84)
- PID 2480 wrote to memory of 3484 (un992268.exe, procid_target 84)
- PID 2480 wrote to memory of 1076 (un992268.exe, procid_target 98)
- PID 2480 wrote to memory of 1076 (un992268.exe, procid_target 98)
- PID 2480 wrote to memory of 1076 (un992268.exe, procid_target 98)
Processes

C:\Users\Admin\AppData\Local\Temp\3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a0fc6dd6e2741cb83090fb54f47b47b989900269c5e1933df9ba39e197639a3.exe"
  PID: 4672
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un992268.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un992268.exe
    PID: 2480
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4172.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4172.exe
      PID: 3484
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1080
        PID: 4700
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9616.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9616.exe
      PID: 1076
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3484 -ip 3484
  PID: 3840
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 544KB
  MD5: eae2f6a26c3b641ba8931edd30daebea
  SHA1: f4c1e265c06f5fe1624f2939c71eb71a2640795a
  SHA256: c299a382390f2fcd0fd64f960983bf5a6085b04357d74a5d34edaa02b283a4da
  SHA512: 20b89110ba136a1c6db5e0076b52d47aecb6c0414a2c1f16d1bd13260ea4b974d5b7fc3d124fd980856894da1e94ad39997daacbbf176e0d17502e426fd6c49f

- Filesize: 326KB
  MD5: 9b403f2eb2015f5788d7510a60cbc9b4
  SHA1: 915a7034a91a4e4dbb67bf85b13d59a83b2ee938
  SHA256: b2969fff3d9c1227fd0b4864c9c950b36947d812ff95e1ccada9fc00fdbf47f3
  SHA512: b19d1288415574c276f70d9b0ff5932cf7fe1f894fa12f68206412777161b07dddaa0be62bf3444ba427808226e53e04c2b3a29f6026d693ed9d70504f32bd22

- Filesize: 384KB
  MD5: de1c9d277aaba5ec5ed27cf047904453
  SHA1: f87e1526e8c6609dd5bac6c648d0ae2de8114dc8
  SHA256: 4d7ca5a2e3c42b721394d80c103934e33ca5b2f25971ad9f62ac19cf9fe40dbc
  SHA512: bb6af0e80e58f6d0cd40b3850aeb508cf617516a156b7df29d491f9e605db615627552cf2cb6e84d97ff1e8ac79f5f7c72a8b5c7239ea92e6ce0864a60b0a9f5