Analysis
max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/11/2024, 01:26
Static task
static1
Behavioral task
behavioral1
Sample
6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe
Resource
win10v2004-20241007-en
General
Target
6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe
Size
560KB
MD5
b55fa82983433480ffe7aedb1529bef0
SHA1
a9331f76ae666d1e07fb241f7dac16f959c51ae7
SHA256
6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74
SHA512
d76af76093c113e2be40dd496c58a311d3efe64daac0236392ed59e6995b2d06ec7e2534e1c78d3a17ae04533ba19ed29973467bebe6172f6b510248389d3a78
SSDEEP
12288:Jy9003w+iI2gq0EsH6e333S09SB+zaoQcAv5:Jyxw+iI2g3Ean3S0OGY
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource yara_rule
- behavioral1/files/0x0010000000023aa7-12.dat healer
- behavioral1/memory/4484-15-0x0000000000910000-0x000000000091A000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it841372.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it841372.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it841372.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it841372.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it841372.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it841372.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 3 IoCs
pid Process
- 2316 ziPY5879.exe
- 4484 it841372.exe
- 3860 kp585354.exe
Windows security modification
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it841372.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziPY5879.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziPY5879.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kp585354.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
- 4484 it841372.exe
- 4484 it841372.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
- Token: SeDebugPrivilege 4484 it841372.exe
- Token: SeDebugPrivilege 3860 kp585354.exe
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
- PID 844 wrote to memory of 2316 844 6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe 84
- PID 844 wrote to memory of 2316 844 6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe 84
- PID 844 wrote to memory of 2316 844 6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe 84
- PID 2316 wrote to memory of 4484 2316 ziPY5879.exe 85
- PID 2316 wrote to memory of 4484 2316 ziPY5879.exe 85
- PID 2316 wrote to memory of 3860 2316 ziPY5879.exe 96
- PID 2316 wrote to memory of 3860 2316 ziPY5879.exe 96
- PID 2316 wrote to memory of 3860 2316 ziPY5879.exe 96
Processes
C:\Users\Admin\AppData\Local\Temp\6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe
"C:\Users\Admin\AppData\Local\Temp\6bf4271e2e9a6ef24bce45813591be60d24da49dddd3141b9c6d97dda071ed74.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPY5879.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPY5879.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it841372.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it841372.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4484
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp585354.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp585354.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:3860
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
Filesize
406KB
MD5
3da021e03249734a4a2f6008e1a343c0
SHA1
81aef62e617c7f185b712bb464fdf9562d716bb5
SHA256
50937c650ff9d5c5f70f49f578fc8faf83dee25815cfb36c0015eec7a46bcc56
SHA512
2fad742d227904e1c9c193fc23d479ea19c2a55ebaca8ac63f5fafb78000ff354f6de8c1f039b0cd2b281ea723a03ea20eebf4c6a75ff1c9bd4ca1f71f6458a6
Filesize
11KB
MD5
7e93bacbbc33e6652e147e7fe07572a0
SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize
352KB
MD5
3c6e0a6c1078e0ec0421fb3e5e8a34db
SHA1
86556566df69a8a841d9e0a2678de6bc2f3a6d26
SHA256
4e6d8e52e28e0e9de648cfc114cb56c94f79c2bd4f44bec45ab550dd5e7f90b3
SHA512
89b633ea404a836368289537d3458b564fe31c661f7fd4e0c4fd7a8957d08d66af668c30ebc28b1d2f055478fb5f8b971d4cfb688a94c1e4e99a0bf6b471a9d7