Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:19
Static task
static1
Behavioral task
behavioral1
Sample
054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe
Resource
win10v2004-20241007-en
General
-
Target
054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe
-
Size
650KB
-
MD5
b774b345fa4c493fafe69ab23553af36
-
SHA1
9c5cce40cc53601803868c3ab6d57b46b8cb7b78
-
SHA256
054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22
-
SHA512
93e4cc2399a55b93fcc6d212e469874cccbeaef38fe33f2d1e721f12e4d8c2c1cc3d1fd0617c78ab206cd312a5bae7d4bd1aba972ba75ef6b0341e50d7d2a668
-
SSDEEP
12288:0MrLy90g+KZkqMzMAhLeLu91KxbzZa3iUNSuNouivzy5VOe:HysqMIALeLu91Kxbda3iceuivzyGe
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c74-12.dat healer behavioral1/memory/4796-15-0x00000000009F0000-0x00000000009FA000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr722613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr722613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr722613.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr722613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr722613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr722613.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2476-2105-0x0000000005400000-0x0000000005432000-memory.dmp family_redline behavioral1/files/0x000d000000023b40-2110.dat family_redline behavioral1/memory/5928-2118-0x0000000000E10000-0x0000000000E40000-memory.dmp family_redline behavioral1/files/0x0007000000023c72-2127.dat family_redline behavioral1/memory/4428-2129-0x0000000000040000-0x000000000006E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation ku189241.exe -
Executes dropped EXE 5 IoCs
pid Process 4516 ziCt1076.exe 4796 jr722613.exe 2476 ku189241.exe 5928 1.exe 4428 lr329239.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr722613.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziCt1076.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2060 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 6072 2476 WerFault.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lr329239.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziCt1076.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku189241.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4796 jr722613.exe 4796 jr722613.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4796 jr722613.exe Token: SeDebugPrivilege 2476 ku189241.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1732 wrote to memory of 4516 1732 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe 83 PID 1732 wrote to memory of 4516 1732 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe 83 PID 1732 wrote to memory of 4516 1732 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe 83 PID 4516 wrote to memory of 4796 4516 ziCt1076.exe 84 PID 4516 wrote to memory of 4796 4516 ziCt1076.exe 84 PID 4516 wrote to memory of 2476 4516 ziCt1076.exe 96 PID 4516 wrote to memory of 2476 4516 ziCt1076.exe 96 PID 4516 wrote to memory of 2476 4516 ziCt1076.exe 96 PID 2476 wrote to memory of 5928 2476 ku189241.exe 97 PID 2476 wrote to memory of 5928 2476 ku189241.exe 97 PID 2476 wrote to memory of 5928 2476 ku189241.exe 97 PID 1732 wrote to memory of 4428 1732 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe 102 PID 1732 wrote to memory of 4428 1732 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe 102 PID 1732 wrote to memory of 4428 1732 054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe"C:\Users\Admin\AppData\Local\Temp\054b539eaa23fb708c46765d22d4c68b290723aab607cda23107758addfa3e22.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCt1076.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCt1076.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr722613.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr722613.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189241.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku189241.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 13764⤵
- Program crash
PID:6072
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr329239.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr329239.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2476 -ip 24761⤵PID:6024
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:2060
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD543f6268c18ce5501850147b049faffe9
SHA1faa1868333a12520267a8c698e94b9283a0f470e
SHA256f881227a4550edcb80c1ce02001164da3df9215ba2fd9109bfffbf9e66c1bc19
SHA5122b875273daf722fcc93c6103fb3531801f2d122dc8e9a401412e25f6594db9c1081e3473295fb4ee4f9458b99aeafe00f844ee6e341a7a717e219568a3c9fb0c
-
Filesize
496KB
MD537c64e612daaba4ede9b51442d02510e
SHA1dd79aaf199db5bbd846e40467bd32226a36220a4
SHA25612ae90fc9d098d816f3e594d4e8a11834200f7096770a693d3df3e4face0675a
SHA5124ca8a66d7fe9cfc8f5e3d3f1ea62302926525c65fb90d688baebcfdbbbf2da4aad40af2f77db59dbbc2141693ae3740b37dcc8dc987b9dbaa8294e3e19a51ff4
-
Filesize
11KB
MD547db0ec2b979ed9fc1927b783fffc4f0
SHA19d64fd262e84bf22e1f64790445c11975223275c
SHA25664995464f1ccd062407079e0142fab4edb3ebbac15d111f5d41e6c7892f0283d
SHA51211f302ac74fca7dba02ecc43b448608b46b8d0bef452d04f62494117b1b9aed85e3b17b765982c0317b1d59c144bb60120ed67023cfd6236bc6d625454a44b9a
-
Filesize
414KB
MD597cb1de5f6d3beff57bd2fa7dcaf4881
SHA1b3f0f7ce21ecabcf6fdaa5d6740bedac4b134362
SHA256c6cad0f12260119c5709647fd0459efec1552bfbfbbd021e960465f9660f5762
SHA5128033c69ce1db26a364e3ac9d5c75b74b50f227443bbb11d3ab527434ef9c44ccba2274de473ae553dc74240268ad9d4573f91f12f8f756937fbdb92ffdafe711
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0