Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11/11/2024, 01:37
Static task: static1
Behavioral task: behavioral1
Sample: 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Resource: win10v2004-20241007-en
General
Target: 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Size: 814KB
MD5: 225465b1e5ee6c2929d395ee103b042e
SHA1: eefb6b913b5f34a4f774e99aa260f498cc8eb082
SHA256: 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2
SHA512: 00d98dc05f0b4a716f8c763fd565f86f733982dfcee13585c0eab7bc407749efafc70eba6ab4edc95eac2f05f099a3545c026589daadf773455605b2ca7a923b
SSDEEP: 12288:9Mrsy900ED+a8nh9MqS46efwDXPnqMjK7GcjmPDoPy2iqGS29fkrSo7OqWSA2l3R:dy2+FheC6ef0fOpSbo62WRGZlAi33h
Malware Config
Extracted
redline
norm
77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1832-19-0x00000000025A0000-0x00000000025BA000-memory.dmp | healer
behavioral1/memory/1832-21-0x0000000002970000-0x0000000002988000-memory.dmp | healer
behavioral1/memory/1832-47-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-49-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-45-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-43-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-41-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-39-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-37-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-35-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-33-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-31-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-29-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-27-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-25-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-23-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/1832-22-0x0000000002970000-0x0000000002982000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8635.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8635.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8635.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8635.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8635.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8635.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1304-2143-0x0000000005760000-0x0000000005792000-memory.dmp | family_redline
behavioral1/files/0x000f000000023b3d-2148.dat | family_redline
behavioral1/memory/5272-2156-0x0000000000370000-0x00000000003A0000-memory.dmp | family_redline
behavioral1/files/0x000a000000023b40-2164.dat | family_redline
behavioral1/memory/5472-2167-0x0000000000620000-0x000000000064E000-memory.dmp | family_redline
Redline family
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | qu6839.exe
Executes dropped EXE (5 IoCs)
pid | Process
3016 | un629555.exe
1832 | pro8635.exe
1304 | qu6839.exe
5272 | 1.exe
5472 | si673921.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8635.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8635.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un629555.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1344 | 1832 | WerFault.exe | 84
5376 | 1304 | WerFault.exe | 97
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un629555.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro8635.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu6839.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | si673921.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1832 | pro8635.exe
1832 | pro8635.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1832 | pro8635.exe
Token: SeDebugPrivilege | 1304 | qu6839.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1192 wrote to memory of 3016 | 1192 | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe | 83
PID 1192 wrote to memory of 3016 | 1192 | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe | 83
PID 1192 wrote to memory of 3016 | 1192 | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe | 83
PID 3016 wrote to memory of 1832 | 3016 | un629555.exe | 84
PID 3016 wrote to memory of 1832 | 3016 | un629555.exe | 84
PID 3016 wrote to memory of 1832 | 3016 | un629555.exe | 84
PID 3016 wrote to memory of 1304 | 3016 | un629555.exe | 97
PID 3016 wrote to memory of 1304 | 3016 | un629555.exe | 97
PID 3016 wrote to memory of 1304 | 3016 | un629555.exe | 97
PID 1304 wrote to memory of 5272 | 1304 | qu6839.exe | 98
PID 1304 wrote to memory of 5272 | 1304 | qu6839.exe | 98
PID 1304 wrote to memory of 5272 | 1304 | qu6839.exe | 98
PID 1192 wrote to memory of 5472 | 1192 | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe | 101
PID 1192 wrote to memory of 5472 | 1192 | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe | 101
PID 1192 wrote to memory of 5472 | 1192 | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe | 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe" (depth 1)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1192
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un629555.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un629555.exe (depth 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3016
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8635.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8635.exe (depth 3)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1832
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1088 (depth 4)
        - Program crash
        PID: 1344
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6839.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6839.exe (depth 3)
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1304
      C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe" (depth 4)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 5272
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1532 (depth 4)
        - Program crash
        PID: 5376
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si673921.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si673921.exe (depth 2)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 5472
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1832 -ip 1832 (depth 1)
  PID: 748
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1304 -ip 1304 (depth 1)
  PID: 5312
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize: 169KB
MD5: ae4a306dd730ae302996854f3b754e7f
SHA1: fd8cf2d3496fc54494d86eb73fa5260c3d35a49c
SHA256: c65cabb8db793631707c3069147eb046175923adfa5ff03636c0abe0aeffb992
SHA512: 113ef93af0038620ebc8a3f9ec7d4c12ff84d230ad90acf6582f8a8ac7527c48819a8e8959666ad6e265e630cdf1afaf309cee6510ce978415c6f7d94aa10d0d
-
Filesize: 660KB
MD5: 8b9f810e33f5e8200f6d37e43ce82281
SHA1: 7b8b3ad9fcf5a1d208a03155a0ba3d4818ad4bc6
SHA256: d7b66da07e51f6edf06c7379f7aaa3452a4b32d04f323773914b9213dd178aac
SHA512: e3547ad6b3293d5290d15d750b8e6553492f4b2d7615cdec0129476fb91e7a6c5ab3d79926c1740ea88e6d5365add735f53ce1ccafb2b7dd9c6bc19b7eb841cf
-
Filesize: 332KB
MD5: eddea95bc16deeccc55b95a664cb2301
SHA1: aac770e87772edf5f1817b365a0677adbf6019a3
SHA256: e0f245acda2e939da367f0e90ca337b06341ea36fb67ee693d523d6b003ad72f
SHA512: 354f68afe35901bc0082d70ebd50a804c02505b77074348c27f2b07e245b42fcc29a9c81c443f896b73d22cc28f5eec766ba6aa7b86d6ec9a7d5384562d28d9c
-
Filesize: 495KB
MD5: e7260a946cf2a959f1db5f32d2ac2e73
SHA1: 5959157428111844e8dd895dd1ca23d95b1ef63c
SHA256: 9ba38864475ad08db8b2dae016e6284d0e7551e5736ed05e4160d28b2ca744bb
SHA512: 5c6aef0477047a032fdb88966fab526359c94f1c7df698f5ba6f11848e578a0eb7651eb18ac0d07a1185a017879a0a04e9f3e44f9c57698c4a8b43198c184aed
-
Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0