Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:22
Static task: static1
Behavioral task: behavioral1
- Sample: 2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe
- Resource: win10v2004-20241007-en
General
- Target: 2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe
- Size: 1.0MB
- MD5: 6f2f60870f54677c8abc465951bfa97a
- SHA1: 04f5e7a323d9e9ae4cace6db5f77b407ef71a938
- SHA256: 2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5
- SHA512: 3b94fc45c634133ccfca85553406c76b8195fe319b437c70dada905c9415bad321222763e003130dbb8e96db473fb27cf6a9e37281d984730d7b35d1aa67e5e5
- SSDEEP: 24576:hye19Mg4rpZ0j9tE78PLy+ravKruEdCpnEqxBc2:Ue1qTrv8y78z+HEcpEp
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
-
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr633408.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr633408.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr633408.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr633408.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr633408.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr633408.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
Redline family
-
Executes dropped EXE (4 IoCs)
- PID 964: un848345.exe
- PID 440: un064147.exe
- PID 2584: pr633408.exe
- PID 1516: qu357597.exe
-
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr633408.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr633408.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un848345.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (un064147.exe)
-
Program crash (1 IoC)
- WerFault.exe (PID 8), target PID 2584 (procid_target 85)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pr633408.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu357597.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un848345.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un064147.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2584: pr633408.exe
- PID 2584: pr633408.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2584 (pr633408.exe)
- Token: SeDebugPrivilege, PID 1516 (qu357597.exe)
-
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3760 wrote to memory of PID 964 (2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe, procid_target 83)
- PID 3760 wrote to memory of PID 964 (2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe, procid_target 83)
- PID 3760 wrote to memory of PID 964 (2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe, procid_target 83)
- PID 964 wrote to memory of PID 440 (un848345.exe, procid_target 84)
- PID 964 wrote to memory of PID 440 (un848345.exe, procid_target 84)
- PID 964 wrote to memory of PID 440 (un848345.exe, procid_target 84)
- PID 440 wrote to memory of PID 2584 (un064147.exe, procid_target 85)
- PID 440 wrote to memory of PID 2584 (un064147.exe, procid_target 85)
- PID 440 wrote to memory of PID 2584 (un064147.exe, procid_target 85)
- PID 440 wrote to memory of PID 1516 (un064147.exe, procid_target 100)
- PID 440 wrote to memory of PID 1516 (un064147.exe, procid_target 100)
- PID 440 wrote to memory of PID 1516 (un064147.exe, procid_target 100)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe (PID 3760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2aea95d7b9293a521467cddb1f60d49dc0414ce5363b7474a3861967cfe26ec5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un848345.exe (PID 964)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un848345.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064147.exe (PID 440)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un064147.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr633408.exe (PID 2584)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr633408.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        Depth 5: C:\Windows\SysWOW64\WerFault.exe (PID 8)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1080
          - Program crash

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu357597.exe (PID 1516)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu357597.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\SysWOW64\WerFault.exe (PID 3460)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2584 -ip 2584
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 749KB
- Filesize: 595KB
- Filesize: 389KB
- Filesize: 472KB