Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:24
Static task: static1
Behavioral task: behavioral1
- Sample: 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe
- Resource: win10v2004-20241007-en
General
- Target: 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe
- Size: 1.1MB
- MD5: 0fd22b67b24da055e2a005fd82503957
- SHA1: 893d5d168451cf65a5ed07217be13ea5a5e0f973
- SHA256: 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852
- SHA512: fa34d7490d8ddf85a35993da4e7d7806d8084c5d40fecc5eb8ab50a9e2eb5f3408735e20c38fc1b946982b3c881a88293e97fd1c0b911e568e6979fcab5d2562
- SSDEEP: 24576:cyD0bdvXpjR5wdQHPpnJeCMYBXKPpELg6iMDxSs6AP/k9f:LW53JJRKu06iMDxSAX
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000023cb9-32.dat | healer |
| behavioral1/memory/4336-35-0x0000000000080000-0x000000000008A000-memory.dmp | healer |
Healer family
-
Modifies Windows Defender Real-time Protection settings

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buGd34hj10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buGd34hj10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buGd34hj10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buGd34hj10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buGd34hj10.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buGd34hj10.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Redline family
-
Executes dropped EXE 6 IoCs

| pid | Process |
|---|---|
| 4620 | plZL04qZ70.exe |
| 1872 | plLZ62uw47.exe |
| 3864 | pllP43ru21.exe |
| 4520 | plrw25Zr78.exe |
| 4336 | buGd34hj10.exe |
| 4504 | caLV69PG83.exe |
Windows security modification

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buGd34hj10.exe |
Adds Run key to start application 2 TTPs 5 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plZL04qZ70.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plLZ62uw47.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | pllP43ru21.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plrw25Zr78.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe |
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.

| pid | Process |
|---|---|
| 6116 | sc.exe |
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plZL04qZ70.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plLZ62uw47.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pllP43ru21.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plrw25Zr78.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caLV69PG83.exe |
Suspicious behavior: EnumeratesProcesses 2 IoCs

| pid | Process |
|---|---|
| 4336 | buGd34hj10.exe |
| 4336 | buGd34hj10.exe |
Suspicious use of AdjustPrivilegeToken 2 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4336 | buGd34hj10.exe |
| Token: SeDebugPrivilege | 4504 | caLV69PG83.exe |
Suspicious use of WriteProcessMemory 17 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2252 wrote to memory of 4620 | 2252 | 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe | 83 |
| PID 2252 wrote to memory of 4620 | 2252 | 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe | 83 |
| PID 2252 wrote to memory of 4620 | 2252 | 575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe | 83 |
| PID 4620 wrote to memory of 1872 | 4620 | plZL04qZ70.exe | 86 |
| PID 4620 wrote to memory of 1872 | 4620 | plZL04qZ70.exe | 86 |
| PID 4620 wrote to memory of 1872 | 4620 | plZL04qZ70.exe | 86 |
| PID 1872 wrote to memory of 3864 | 1872 | plLZ62uw47.exe | 87 |
| PID 1872 wrote to memory of 3864 | 1872 | plLZ62uw47.exe | 87 |
| PID 1872 wrote to memory of 3864 | 1872 | plLZ62uw47.exe | 87 |
| PID 3864 wrote to memory of 4520 | 3864 | pllP43ru21.exe | 88 |
| PID 3864 wrote to memory of 4520 | 3864 | pllP43ru21.exe | 88 |
| PID 3864 wrote to memory of 4520 | 3864 | pllP43ru21.exe | 88 |
| PID 4520 wrote to memory of 4336 | 4520 | plrw25Zr78.exe | 90 |
| PID 4520 wrote to memory of 4336 | 4520 | plrw25Zr78.exe | 90 |
| PID 4520 wrote to memory of 4504 | 4520 | plrw25Zr78.exe | 96 |
| PID 4520 wrote to memory of 4504 | 4520 | plrw25Zr78.exe | 96 |
| PID 4520 wrote to memory of 4504 | 4520 | plrw25Zr78.exe | 96 |
Processes

- C:\Users\Admin\AppData\Local\Temp\575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\575936441d7d9432997c1183df25e066db716c7d2298c502bde472d74d778852.exe"
  PID: 2252
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZL04qZ70.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZL04qZ70.exe
    PID: 4620
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLZ62uw47.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLZ62uw47.exe
      PID: 1872
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllP43ru21.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllP43ru21.exe
        PID: 3864
        Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plrw25Zr78.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plrw25Zr78.exe
          PID: 4520
          Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buGd34hj10.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buGd34hj10.exe
            PID: 4336
            Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caLV69PG83.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caLV69PG83.exe
            PID: 4504
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 6116
  Signatures: Launches sc.exe
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads