Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:27
Static task
static1
Behavioral task
behavioral1
Sample
8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe
Resource
win10v2004-20241007-en
General
-
Target
8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe
-
Size
1.5MB
-
MD5
34b6dd411e5243d69effcf36337df531
-
SHA1
a9c178a38835eb959fc5dcdceb9e5c067ac57f8a
-
SHA256
8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70
-
SHA512
e32a08e90879add60db728b5f5578618c7087f7a6b7f24dab4b6616be347a579bb8d08013e69aefaea168f72eeff6eeed81893f6f0163a9d430aceecf8222d63
-
SSDEEP
49152:wj+vEreRoZrq4dAGLOtlZkzuapRLl4YKEv1Cg7:2CEreEAGLOfapR54
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c74-33.dat healer behavioral1/memory/2912-35-0x0000000000850000-0x000000000085A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" az828836.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" az828836.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" az828836.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" az828836.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection az828836.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" az828836.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4528-41-0x00000000027A0000-0x00000000027DC000-memory.dmp family_redline behavioral1/memory/4528-43-0x0000000002880000-0x00000000028BA000-memory.dmp family_redline behavioral1/memory/4528-53-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-57-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-107-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-105-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-104-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-99-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-97-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-95-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-93-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-91-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-89-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-87-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-85-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-83-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-79-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-77-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-75-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-73-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-72-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-69-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-67-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-65-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-63-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-61-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-59-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-55-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-51-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-49-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-101-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-81-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-47-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-45-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline behavioral1/memory/4528-44-0x0000000002880000-0x00000000028B5000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 6 IoCs
pid Process 3628 ki382825.exe 4536 ki117293.exe 1828 ki476325.exe 5000 ki135310.exe 2912 az828836.exe 4528 bu828268.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" az828836.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ki382825.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ki117293.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" ki476325.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" ki135310.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki382825.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki117293.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki476325.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki135310.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bu828268.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2912 az828836.exe 2912 az828836.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2912 az828836.exe Token: SeDebugPrivilege 4528 bu828268.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2780 wrote to memory of 3628 2780 8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe 83 PID 2780 wrote to memory of 3628 2780 8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe 83 PID 2780 wrote to memory of 3628 2780 8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe 83 PID 3628 wrote to memory of 4536 3628 ki382825.exe 84 PID 3628 wrote to memory of 4536 3628 ki382825.exe 84 PID 3628 wrote to memory of 4536 3628 ki382825.exe 84 PID 4536 wrote to memory of 1828 4536 ki117293.exe 86 PID 4536 wrote to memory of 1828 4536 ki117293.exe 86 PID 4536 wrote to memory of 1828 4536 ki117293.exe 86 PID 1828 wrote to memory of 5000 1828 ki476325.exe 88 PID 1828 wrote to memory of 5000 1828 ki476325.exe 88 PID 1828 wrote to memory of 5000 1828 ki476325.exe 88 PID 5000 wrote to memory of 2912 5000 ki135310.exe 89 PID 5000 wrote to memory of 2912 5000 ki135310.exe 89 PID 5000 wrote to memory of 4528 5000 ki135310.exe 98 PID 5000 wrote to memory of 4528 5000 ki135310.exe 98 PID 5000 wrote to memory of 4528 5000 ki135310.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe"C:\Users\Admin\AppData\Local\Temp\8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki382825.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki382825.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki117293.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki117293.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki476325.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki476325.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki135310.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki135310.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az828836.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az828836.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu828268.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu828268.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5f66d9b9b309236b1facd9bc6fba5aae8
SHA1351592c89b08c1f67746be392cbd2c2da64e6483
SHA256c6eef272e6b81b1d7314ffe02fd63acee89414b0c6b9a61c10ef637c3dfd29a4
SHA5129f8e54ef14dc65b558ea0ba6cfd69b1b791a70763906e12dd176457b3d8d95a88b962e52b10930c527ab4b843ae367c1e53af929bc00e182ba402b7403429173
-
Filesize
1.1MB
MD5917ceb61d8a964a3480f6ef759e24a9a
SHA198108e669cfa57b91b6303700049339a5f047d5a
SHA2563fe0160545c4a9c57aa8f48ad8dd61f4d657a88c1b1a9474106bc2194b91b977
SHA5125ef6b1e7f9b0f6afabd6ca577ee8a2c8e2d816184c1c187fbe4cf0a5c5da75b8579dc916c8de321f4b8a34e919b5d254ef7b739f2996b5ffa48417dbf65f5cd4
-
Filesize
804KB
MD5399ad2aa24b1720a73cb8fff3ed6f0cd
SHA108f00a1e3e5fa286e2f56f5cdb9950fa63926d42
SHA25696efa7276a3c68c40ed277abdb8b67ecd1efe45859078189b50e388e51ab10be
SHA512744d0b26bec8ddc972c81c3fe16754ca817ec89decb328b1b2cb75ac1d765df86fb36c4b1bcbe6133e0c9d383b2ddd48dfcd2ea291e9c22e22293f3e33af76b3
-
Filesize
468KB
MD54dec899177ee885c5fa3c114efb100c9
SHA1e192ca52b4ec5d6e5264d494663d598f255a9b4c
SHA256ce1239031f738274540f6929f3a1d7cc384d8c6eb5f74ad432dcf588cd21dff8
SHA512010bf06bbfdd8d0d89d94b5c59bb2e829f7ce4d554354e874f3cc654a9776be287e7874ab46baf960dd5a6c0538fe402afd9ac038ccb891c5456685c1b003565
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
487KB
MD5a31efd9bc96386fdc6962173fe8f7916
SHA130818c7f3246fa64a80eb458a4dead2742b1d065
SHA2569ff2cb2adf9fb68468f0429952c6b4dd4098c8bc395250ce14321f41f372a0e4
SHA512b1fb924cebbd88d21556b3bfae291745db8cdec9d28c74d4cfe8811d509b6c6bb47931abb643afd01a29597c50decd976e2b0a63956b671092dad8aae71dc182