Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:27
Static task
static1
Behavioral task
behavioral1
Sample
4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe
Resource
win10v2004-20241007-en
General
-
Target
4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe
-
Size
685KB
-
MD5
2e89edb5513ac823e69c023af7e2ad9e
-
SHA1
bed12b15e687f4873b840af32112bdf2423667b9
-
SHA256
4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257
-
SHA512
74580022765856abc37533e0b988958ffcdd1ef84c9fad42d65e611263b76360be73e0683ee40f713075f7dad92e7494f9296cdf135fa92343196f873765c46c
-
SSDEEP
12288:GMrMy908Muej/Y52o3wzSkU4We2JWHn3tlaE331wBBCIEnn3g2BpIZdZeL:2yVMuejPInWWnJWXJmLCIEn1BMfeL
Malware Config
Extracted
redline
sony
193.233.20.33:4125
-
auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2908-19-0x00000000023E0000-0x00000000023FA000-memory.dmp healer behavioral1/memory/2908-21-0x0000000002990000-0x00000000029A8000-memory.dmp healer behavioral1/memory/2908-49-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-47-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-45-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-44-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-41-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-39-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-37-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-35-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-33-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-31-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-29-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-27-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-25-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-24-0x0000000002990000-0x00000000029A2000-memory.dmp healer behavioral1/memory/2908-22-0x0000000002990000-0x00000000029A2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6025.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro6025.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6025.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6025.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6025.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6025.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/1208-60-0x00000000027C0000-0x0000000002806000-memory.dmp family_redline behavioral1/memory/1208-61-0x00000000052B0000-0x00000000052F4000-memory.dmp family_redline behavioral1/memory/1208-65-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-71-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-95-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-93-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-91-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-89-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-85-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-84-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-81-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-79-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-78-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-75-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-73-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-69-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-67-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-87-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-63-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/1208-62-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2964 un582699.exe 2908 pro6025.exe 1208 qu2123.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6025.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6025.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un582699.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 968 2908 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro6025.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu2123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un582699.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2908 pro6025.exe 2908 pro6025.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2908 pro6025.exe Token: SeDebugPrivilege 1208 qu2123.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3372 wrote to memory of 2964 3372 4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe 83 PID 3372 wrote to memory of 2964 3372 4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe 83 PID 3372 wrote to memory of 2964 3372 4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe 83 PID 2964 wrote to memory of 2908 2964 un582699.exe 84 PID 2964 wrote to memory of 2908 2964 un582699.exe 84 PID 2964 wrote to memory of 2908 2964 un582699.exe 84 PID 2964 wrote to memory of 1208 2964 un582699.exe 98 PID 2964 wrote to memory of 1208 2964 un582699.exe 98 PID 2964 wrote to memory of 1208 2964 un582699.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe"C:\Users\Admin\AppData\Local\Temp\4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582699.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582699.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6025.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6025.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 10884⤵
- Program crash
PID:968
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2123.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2123.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2908 -ip 29081⤵PID:4240
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
543KB
MD58c728d6903b85bf4409fb2f28b7872b8
SHA1db681aa8722596b2a852b44e4cafea256e619fe3
SHA256ff1fd4da02a5ae1590ccc15deba82237689af6effd4cb87dcbdacabb9ccf6c85
SHA5120b6e1982c88508eb26f8ec08f92bb0fd93729dd94587e86566fcb84d256d603096260a241aacbdbefc865ff9111219d3a9bce067c728dbafea247f95cc9dfad6
-
Filesize
292KB
MD5e6b1b2abd9b3e58ba2a4e974d5900b3f
SHA15768b4b06333556ad0bf2106a232317e16bcdd58
SHA256fe9f7234efbab2c0bc5c8de715f9dcc8ba4731f95675df57104ab22c5af674a0
SHA512f0dabf22340bba27b5a8bbe6ff87b8b1020d0666f9e7058f2a3c6375f694d1bb07ca1aa2d565e9d349dcacb39ac88f17ea264f1ece148f50864b1b6b3cabb592
-
Filesize
350KB
MD59fc53d88ff2982c5eb857a70d0505f88
SHA1e838ee332ae4253f2d9fa28943186e8ab4c6c456
SHA2561374f0b17d8424848dd8c661442df5b4d69a83a5a2f4cf0cd41c7eac86d32abf
SHA512497c5613d342ee40b52b041273fc9b20af0df06a81ae11185c11a14fcf1464325e1beb5635ab7434f87a6b7b2988c952c85287b39a9ebd8e4108b019e5d98165