Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe
- Resource: win10v2004-20241007-en
General
- Target: cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe
- Size: 696KB
- MD5: e288231352766ba55eb8e2517a0a773b
- SHA1: 6f0346fdd7cb930992b2531d7f33d7de54fc5813
- SHA256: cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f
- SHA512: 7dffa0d7756e86bc4a8c6bb106306df2c29d3702f7a0de99794bec18fefdc22451993d5d80d1e3336cc1eb9bc431eb94a79d944608e1e98c83fb7dc0071d7428
- SSDEEP: 12288:AMrry90VOSFgR63R9Ei+pGTVXhXuuleu/vtKLz3sWtnhATQs6cIjn0NUo:7yXW/Ei+peXhXuulR/vtyT1hATQshi0t
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
YARA rule healer matched the following memory dumps of PID 1516 (resource behavioral1):
- behavioral1/memory/1516-19-0x0000000002300000-0x000000000231A000-memory.dmp
- behavioral1/memory/1516-21-0x0000000002390000-0x00000000023A8000-memory.dmp
- behavioral1/memory/1516-47-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-45-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-42-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-39-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-37-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-35-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-33-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-31-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-29-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-27-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-25-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-23-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-49-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-43-0x0000000002390000-0x00000000023A2000-memory.dmp
- behavioral1/memory/1516-22-0x0000000002390000-0x00000000023A2000-memory.dmp

Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro6972.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro6972.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro6972.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro6972.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro6972.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro6972.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
YARA rule family_redline matched the following memory dumps of PID 832 (resource behavioral1):
- behavioral1/memory/832-60-0x00000000027F0000-0x0000000002836000-memory.dmp
- behavioral1/memory/832-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp
- behavioral1/memory/832-65-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-77-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-95-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-93-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-91-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-89-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-87-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-85-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-83-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-81-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-75-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-73-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-71-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-69-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-67-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-79-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-63-0x0000000004CF0000-0x0000000004D2F000-memory.dmp
- behavioral1/memory/832-62-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Redline family
Executes dropped EXE (3 IoCs)
- PID 4676: un436562.exe
- PID 1516: pro6972.exe
- PID 832: qu5749.exe

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro6972.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro6972.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un436562.exe)
Program crash (1 IoC)
- PID 2516 (WerFault.exe), target PID 1516, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un436562.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro6972.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu5749.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1516: pro6972.exe
- PID 1516: pro6972.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1516 (pro6972.exe)
- Token: SeDebugPrivilege, PID 832 (qu5749.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4204 (cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe) wrote to memory of PID 4676, procid_target 83
- PID 4204 (cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe) wrote to memory of PID 4676, procid_target 83
- PID 4204 (cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe) wrote to memory of PID 4676, procid_target 83
- PID 4676 (un436562.exe) wrote to memory of PID 1516, procid_target 84
- PID 4676 (un436562.exe) wrote to memory of PID 1516, procid_target 84
- PID 4676 (un436562.exe) wrote to memory of PID 1516, procid_target 84
- PID 4676 (un436562.exe) wrote to memory of PID 832, procid_target 98
- PID 4676 (un436562.exe) wrote to memory of PID 832, procid_target 98
- PID 4676 (un436562.exe) wrote to memory of PID 832, procid_target 98
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe (PID 4204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe"
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un436562.exe (PID 4676)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un436562.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe (PID 1516)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe (PID 2516)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1084
        Signatures:
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5749.exe (PID 832)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5749.exe
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2752)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1516 -ip 1516
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 553KB
  MD5: d5488f997fbbb57cd0ed87ec7dc748ed
  SHA1: 4b2e17e49202a7298d1d2a56ddcfe8775ece6f64
  SHA256: b976e94b4d396d9d7def1f88ec9f70238b0e3a838789e279886d0a6731b40a2d
  SHA512: b9bdd584a99357d15e8883929d509c39ed0a958c1a7d0bf5989bcb32d5daeca92c683e363cc26e2da1b4c534bf9b6bc97866f5a87ab20d2c535c7bbf87f51215
- Filesize: 308KB
  MD5: dc1bfe7e1f20b4f23a4ce1561838e703
  SHA1: 4d924b085df716509d66af328d5e350d992704a3
  SHA256: 44d3e344fb5b8ffbf9d1e8a9b2caced8263434e4a8d1c86a76709f97a4a5a4dc
  SHA512: 3aaf17d0b80dc608ceffccb55a12dca60106375845ebb3878349bf0f9edd3aa2c86363501478cbad18a8537847c073d51cb2cac01cabec555dbd092671b8a885
- Filesize: 366KB
  MD5: b145f03e41178d2cd2e0f553387fdf6c
  SHA1: 90eaee62904a8009935b3b66921edde862333e54
  SHA256: 5f00901d1ad7e47b899ea8a302faca8319744fc80d1fdd706488375598ff0e74
  SHA512: 0b93740f475cd7f0b6f123fbf5568aa4b79e70756b0e123c90f6418d7d0562aa27c45903e41bc912a4906d418b4ea7b2e656e09e03c9e11ae9daa76ff8d7ff89