Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 01:17
Static task: static1
Behavioral task: behavioral1
Sample: ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe
Resource: win10v2004-20241007-en
General

Target: ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe
Size: 549KB
MD5: e0483418ab2793e61ef36c4f009abb45
SHA1: dffc0b54ea1bef41728694fb3404ed2549942d3b
SHA256: ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b
SHA512: 99cd12795c1d6dc5792e7cfeb4e9fae651b28443d67976ee1fbcd26fa5317bd15af3c9fca0eb4160bb2169a72ff334a588a01c858d4ed3fa9b939914272b6c7b
SSDEEP: 12288:OMrCy90Vq9No+qm9p6UHofGf16yxwNjEMpXu8Xl1ipHRPFnS8F:YySwNo+v9UUHofK1HIjZuqKdS8F
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule
- behavioral1/memory/8-15-0x0000000000760000-0x000000000076A000-memory.dmp / healer
- behavioral1/files/0x000b000000023b86-13.dat / healer
Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr367891.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr367891.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr367891.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr367891.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr367891.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr367891.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
resource / yara_rule
- behavioral1/memory/916-22-0x00000000027E0000-0x0000000002826000-memory.dmp / family_redline
- behavioral1/memory/916-24-0x0000000005460000-0x00000000054A4000-memory.dmp / family_redline
- behavioral1/memory/916-25-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-40-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-88-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-84-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-82-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-80-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-79-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-76-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-74-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-70-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-69-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-66-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-64-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-62-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-60-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-58-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-56-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-54-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-52-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-50-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-48-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-46-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-44-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-42-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-38-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-36-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-34-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-32-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-30-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-28-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-26-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-86-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
- behavioral1/memory/916-72-0x0000000005460000-0x000000000549F000-memory.dmp / family_redline
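The 35 RedLine payload IoCs above are repeated dumps of only a few memory ranges in PID 916 (ku309784.exe): the 0x5460000 region appears 33 times and the 0x549F000 end address sits inside the 0x54A4000 one, which is what a resized heap allocation looks like when the sandbox rescans it. The following is an added example, not tria.ge code, that parses entries in this report's resource format and collapses them into distinct and merged regions. SAMPLE_IOCS is a constructed subset of the list above (plus one files/ entry to show the parser ignoring non-memory resources), so the counts it produces apply to that subset, not to all 35 entries.

```python
"""Collapse tria.ge memory-dump IoC entries into distinct scanned regions.

Added example; not code from tria.ge. SAMPLE_IOCS is a constructed subset of the
'RedLine payload' entries in this report, so the counts apply to the subset.
"""
import re
from collections import Counter
from dataclasses import dataclass

# behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <yara_rule>
MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_entry(line: str):
    """Parse one IoC line; returns None for non-memory entries (e.g. files/...dat)."""
    m = MEM_RE.match(line.strip())
    if not m:
        return None
    return Region(int(m["pid"]), int(m["start"], 16), int(m["end"], 16), m["rule"])


def parse_entries(text: str):
    return [r for r in (parse_entry(line) for line in text.splitlines()) if r]


def region_hits(regions):
    """How many dumps were taken of each distinct (pid, range, rule)."""
    return Counter(regions)


def merge_overlapping(regions):
    """Fold overlapping ranges of the same pid and rule into covering spans."""
    merged = []
    for r in sorted(set(regions), key=lambda x: (x.pid, x.rule, x.start, x.end)):
        last = merged[-1] if merged else None
        if last and last.pid == r.pid and last.rule == r.rule and r.start <= last.end:
            merged[-1] = Region(last.pid, last.start, max(last.end, r.end), last.rule)
        else:
            merged.append(r)
    return merged


# Constructed subset of this report's IoC lines (seq numbers as printed by tria.ge).
SAMPLE_IOCS = """\
behavioral1/memory/916-22-0x00000000027E0000-0x0000000002826000-memory.dmp family_redline
behavioral1/memory/916-24-0x0000000005460000-0x00000000054A4000-memory.dmp family_redline
behavioral1/memory/916-25-0x0000000005460000-0x000000000549F000-memory.dmp family_redline
behavioral1/memory/916-40-0x0000000005460000-0x000000000549F000-memory.dmp family_redline
behavioral1/memory/916-88-0x0000000005460000-0x000000000549F000-memory.dmp family_redline
behavioral1/memory/916-26-0x0000000005460000-0x000000000549F000-memory.dmp family_redline
behavioral1/memory/916-72-0x0000000005460000-0x000000000549F000-memory.dmp family_redline
behavioral1/files/0x000b000000023b86-13.dat healer
"""

if __name__ == "__main__":
    regions = parse_entries(SAMPLE_IOCS)
    for region, n in region_hits(regions).most_common():
        print(f"pid {region.pid} 0x{region.start:X}-0x{region.end:X} "
              f"({region.size} bytes) {region.rule}: {n} dumps")
    for region in merge_overlapping(regions):
        print(f"merged: pid {region.pid} 0x{region.start:X}-0x{region.end:X}")
```

On the subset the three distinct regions merge to two, because the 0x5460000-0x549F000 range is contained in 0x5460000-0x54A4000; the same collapse applied to the full list gives the two ranges worth carving out of a memory image of PID 916.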
Redline family
-
Executes dropped EXE (3 IoCs)
pid / Process
- 5096 / zieq7821.exe
- 8 / jr367891.exe
- 916 / ku309784.exe
Windows security modification
description / ioc / Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr367891.exe)
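The Healer component writes two kinds of Defender-weakening values: the five Real-Time Protection policy values it sets to 1, and the TamperProtection feature flag it sets to 0. The following is an added example, not tria.ge or sample code, of detection logic over registry value-set telemetry that flags exactly those writes. It assumes events shaped like Sysmon Event ID 13 (fields EventID, Image, TargetObject, Details, with DWORD data rendered as "DWORD (0x00000001)"); the SAMPLE_EVENTS are constructed from the IoCs in this report, plus a hypothetical gpupdate.exe re-enable and an unrelated Run key write that must not fire. It also normalises the \REGISTRY\MACHINE\ form tria.ge prints to the HKLM\ form Sysmon logs, so the report's IoCs can be pasted in directly.

```python
"""Detection logic for the Defender-tampering registry writes in this report.

Added example; not code from tria.ge or from the sample. Events are constructed
to mirror the report's IoCs in the shape of Sysmon Event ID 13 records.
"""
import re
from dataclasses import dataclass

# Policy values under this key disable a real-time protection component when set to 1.
RTP_POLICY_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Tamper Protection state flag; 0 means off.
TAMPER_PROTECTION = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"

NT_PREFIXES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


@dataclass(frozen=True)
class Finding:
    image: str
    target: str
    value: int
    reason: str


def normalize(path: str) -> str:
    """Map native NT paths (the form tria.ge prints) to the HKLM\\... form Sysmon logs."""
    upper = path.upper()
    for nt, short in NT_PREFIXES:
        if upper.startswith(nt):
            return short + path[len(nt):]
    return path


def parse_dword(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the integer or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return a Finding for every value-set event that weakens Defender."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = normalize(ev["TargetObject"])
        value = parse_dword(ev["Details"])
        if value is None:
            continue  # string/binary data: not one of the flags we care about
        key, _, name = target.rpartition("\\")
        if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and value == 1:
            findings.append(Finding(ev["Image"], target, value,
                                    "real-time protection component disabled by policy"))
        elif target.lower() == TAMPER_PROTECTION.lower() and value == 0:
            findings.append(Finding(ev["Image"], target, value, "Tamper Protection switched off"))
    return findings


HEALER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\jr367891.exe"  # image from the report


def _ev(event_id, image, target, details):
    return {"EventID": event_id, "Image": image, "TargetObject": target, "Details": details}


# Constructed events: the six writes the report attributes to jr367891.exe, then three
# that must not fire (hypothetical gpupdate.exe setting a flag back to 0, an unrelated
# Run key string value, and a process-create event).
SAMPLE_EVENTS = [
    _ev(13, HEALER,
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\" + v,
        "DWORD (0x00000001)")
    for v in sorted(RTP_DISABLE_VALUES)
] + [
    _ev(13, HEALER, TAMPER_PROTECTION, "DWORD (0x00000000)"),
    _ev(13, "C:\\Windows\\System32\\gpupdate.exe",
        RTP_POLICY_KEY + "\\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    _ev(13, HEALER, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "C:\\x.exe"),
    _ev(1, HEALER, "", ""),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.image}: {f.target} = {f.value} ({f.reason})")
```

The value check matters: a policy write of 0 is the state a GPO refresh restores, and Tamper Protection being set to 1 is the healthy state, so alerting on any write to these keys would page on every policy refresh. Note also that on a host where Tamper Protection is active these policy writes are ignored by Defender, which is why the sample flips the feature flag as well.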
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" (ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" (zieq7821.exe)
Note: wextract_cleanup<n> RunOnce values that call advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress self-extractor stub (wextract) so that its IXP<nnn>.TMP working directory is deleted at the next logon. They show that the outer sample and zieq7821.exe are both IExpress-packaged wrappers (matching the nested IXP000.TMP and IXP001.TMP drop paths below); they do not re-launch the payload and are not a persistence mechanism on their own.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zieq7821.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku309784.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process
- 8 / jr367891.exe
- 8 / jr367891.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
- Token: SeDebugPrivilege / 8 / jr367891.exe
- Token: SeDebugPrivilege / 916 / ku309784.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target
- PID 4704 wrote to memory of 5096 / 4704 / ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe / 83
- PID 4704 wrote to memory of 5096 / 4704 / ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe / 83
- PID 4704 wrote to memory of 5096 / 4704 / ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe / 83
- PID 5096 wrote to memory of 8 / 5096 / zieq7821.exe / 85
- PID 5096 wrote to memory of 8 / 5096 / zieq7821.exe / 85
- PID 5096 wrote to memory of 916 / 5096 / zieq7821.exe / 96
- PID 5096 wrote to memory of 916 / 5096 / zieq7821.exe / 96
- PID 5096 wrote to memory of 916 / 5096 / zieq7821.exe / 96
Processes

C:\Users\Admin\AppData\Local\Temp\ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ed75d761135df1f00119df867a5558c582eafbd9078023e581691ecbd940cd4b.exe"
  PID: 4704
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieq7821.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieq7821.exe
    PID: 5096
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr367891.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr367891.exe
      PID: 8
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku309784.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku309784.exe
      PID: 916
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 395KB
MD5: db3427709d0b73d7e174850fd3ca72dd
SHA1: 91a234f800b67a8d9c6e484bd519888955223416
SHA256: 82e09a27bbd9ec402d75ab22feab8e0bfcc4716d5f43516c629fc9e94a7e99f0
SHA512: 8276e7420cb72a17e9f64d7107bd3ace9589647afcbfcb728d45c8d3f24e8d2d45a18a3a6b45bd761a382111898b9350f44ce17e4fe273b88fffebe07bc91bee

Filesize: 11KB
MD5: 71247cc60cb8b083a9985807bba1c33a
SHA1: 988823f9ea54294a9dc3735dacf75882a02ed9e3
SHA256: a050c022bbd324d0f215cd8994eb48e9f791ed69025fb9b11a17b33b005a9846
SHA512: 1f0a96893206bf5a779c3bb5e97c93145ee5644815e0b7671f6e7a4e13fa1737ca4c8a88047cdecb319137a52d87bbe801fa52ce61f910e21cd969ef7cc85ce1

Filesize: 348KB
MD5: 98d468660eb1a5b71faba54739ce0425
SHA1: 1454a070d59284ef9838a0e15b9eaf63134a311b
SHA256: c909166dca8bce6587ed9c9ce20c6ac7df77ea2e8bb91eae45277270b2473357
SHA512: 1106be72d32346faff32ad8acce8e330fc2ad2b435da1a6e721105d31aadbb8860b30b75a61af9c0dbf90029c75b6342c2c8ba4bf7ef014b5425ec684a3f8e4e