Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:24
Static task: static1
Behavioral task: behavioral1
Sample: 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe
Resource: win10v2004-20241007-en
General
- Target: 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe
- Size: 531KB
- MD5: fb9045cfdb863c373287ebb09f997e4e
- SHA1: f590ce43f4b81ca2c662c2ccb891903a9cfaee12
- SHA256: 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05
- SHA512: 39ae9bc35d75371368c3a49604d4c8a1ea63d29d0141f48201eb7d825e45102dc3ca3f25e1f3e5eed69253f4afcb8c05a60c1028b7af2c497192188421841468
- SSDEEP: 12288:PMr+y90V/ACE/ytCxh4gs7Js38AXkAxj1QpqBSyREsYt:pyak/14g1/ZQYbasYt
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource yara_rule
- behavioral1/files/0x000b000000023b88-12.dat healer
- behavioral1/memory/1412-15-0x0000000000960000-0x000000000096A000-memory.dmp healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr766986.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr766986.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr766986.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr766986.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr766986.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr766986.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Redline family
-
Executes dropped EXE 3 IoCs
pid Process
- 3616 ziHJ5411.exe
- 1412 jr766986.exe
- 3648 ku515574.exe
-
Windows security modification 1 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr766986.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziHJ5411.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziHJ5411.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku515574.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
- 1412 jr766986.exe
- 1412 jr766986.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
- Token: SeDebugPrivilege 1412 jr766986.exe
- Token: SeDebugPrivilege 3648 ku515574.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
- PID 1408 wrote to memory of 3616 1408 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe 83
- PID 1408 wrote to memory of 3616 1408 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe 83
- PID 1408 wrote to memory of 3616 1408 903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe 83
- PID 3616 wrote to memory of 1412 3616 ziHJ5411.exe 84
- PID 3616 wrote to memory of 1412 3616 ziHJ5411.exe 84
- PID 3616 wrote to memory of 3648 3616 ziHJ5411.exe 94
- PID 3616 wrote to memory of 3648 3616 ziHJ5411.exe 94
- PID 3616 wrote to memory of 3648 3616 ziHJ5411.exe 94
Processes
C:\Users\Admin\AppData\Local\Temp\903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\903bf0e6c779503b8de39bf3791967dbd9dad7dbb339fc178d5f34733882fa05.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1408
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHJ5411.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHJ5411.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3616
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr766986.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr766986.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1412
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku515574.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku515574.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:3648
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
-
Filesize: 388KB
MD5: 4f634e9bcd02b6c4c634ca4eb7fa7513
SHA1: c9f98db8db07d32552c463913f65087bed61f27f
SHA256: 24bbf748d51cf8326abd3f196f639fa794b68f0da18efa9266fb624cd7e3e462
SHA512: 9f0d4545144d6b884dd887a4d2e7facb5f9d283e6d1f7c691fccea13dde0a9d14853c49730a038fccd0284e1870d9f44f64597d6ab53c0b3d730ef9049d21045
-
Filesize: 11KB
MD5: 37be693b30eaebd1dc08819f896caffe
SHA1: d35875ef6811dc2d268dc6bb9f93b2d60e59d0e6
SHA256: 8cb0b7499bb75d1c9472c965ae7f9040b0ec8a614f2f6208cb751db2865143c4
SHA512: 6f986998155b618b1c97d65ce4966b84ce2dad7a57cb17df559c417e8b45c466cc8b2a3f9124cc84b0c5165623f9e523f5adac067b6ff095de8bec1805dd4827
-
Filesize: 354KB
MD5: 8aab6a7e286f16e33ae97adf5bf419fe
SHA1: 00eeb75fedda74ba74dc5dcb5b8b710238c55cf3
SHA256: 1e16d893a04ae0a8e60cd9d17ed6ab48dd4f0140520090ce968bff07352fdffe
SHA512: 2e749824b82fcd05ae5a102867d103dec8ba2f8abe8ffbe83b9b9c2a6832bcf8bedcae048db8de2166a71b3e35f0a913fc5cbb1c6632507b13e4f4e004abc579