Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe
Resource
win10v2004-20241007-en
General
-
Target
3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe
-
Size
480KB
-
MD5
dc3dc81717465339b41a5ac01f4bb7fb
-
SHA1
5d0a14047d2b0ed16e606af7eb8be2cf26cbdcf6
-
SHA256
3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3
-
SHA512
8d0354789a85dcb00924c5346a09464e7768e859fc10649f686762af93b4a1e57f9f2f8e005232add7767e84f1daa7da6e4fecc12b8b6df25d8310d4fcd81dcd
-
SSDEEP
12288:FMrVy90kN229NSD6ynkOjCVPMK093qQuhpyahSU6:8ySD6zOW5MH3puhpyakT
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4064-15-0x0000000002460000-0x000000000247A000-memory.dmp healer behavioral1/memory/4064-18-0x0000000004980000-0x0000000004998000-memory.dmp healer behavioral1/memory/4064-21-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-48-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-46-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-44-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-42-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-40-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-38-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-36-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-34-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-32-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-30-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-28-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-26-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-24-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral1/memory/4064-22-0x0000000004980000-0x0000000004992000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k1948969.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k1948969.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k1948969.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k1948969.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k1948969.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k1948969.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023ca6-54.dat family_redline behavioral1/memory/4296-56-0x0000000000B30000-0x0000000000B58000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1392 y0022135.exe 4064 k1948969.exe 4296 l3442420.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k1948969.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k1948969.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y0022135.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language l3442420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y0022135.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k1948969.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4064 k1948969.exe 4064 k1948969.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4064 k1948969.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3224 wrote to memory of 1392 3224 3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe 83 PID 3224 wrote to memory of 1392 3224 3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe 83 PID 3224 wrote to memory of 1392 3224 3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe 83 PID 1392 wrote to memory of 4064 1392 y0022135.exe 84 PID 1392 wrote to memory of 4064 1392 y0022135.exe 84 PID 1392 wrote to memory of 4064 1392 y0022135.exe 84 PID 1392 wrote to memory of 4296 1392 y0022135.exe 97 PID 1392 wrote to memory of 4296 1392 y0022135.exe 97 PID 1392 wrote to memory of 4296 1392 y0022135.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe"C:\Users\Admin\AppData\Local\Temp\3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0022135.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0022135.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1948969.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1948969.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3442420.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3442420.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
308KB
MD576877687e32b696b64a6658535948c7a
SHA144157b318d06c65e1c7e2490cd8faad6707137e0
SHA25687b8512990ca512768bcb96642b8f4e39661d9eb20306cfc42f81428ef52e223
SHA51213f23bff4ffa9385b5eb23a580e2ee03bf70000e0b34203be2e3153241b186d8d1445a31901e7ed6e5208fdab1ddbffa3ef1d34b2735509274fbff2518f064a5
-
Filesize
175KB
MD59a814cbdba57f622d601ea500ea5e859
SHA184c19bb79bbe66044c9777e2e3a72d73863b3b9c
SHA2564e7e6d2d5666beff496993190e4263d9a44cbe3cd71c9551fbab203466df2a7c
SHA51261ae720f3fca170ec172b9a59842ac455ebfb4b79bc844a658a4ec5348e342fe79f28f8063361a699b3130e80fa7842cd98e6450321b77e0cdfb2568e65052a6
-
Filesize
136KB
MD5899e585d287afa3aa77046536b099001
SHA14208b3423bb2f1056167498891f048b17c91a691
SHA2563c9ad3868861f295faadf92684ed3278e70ff1893ffc0e4d6a6746d7d0c52363
SHA51200779557d9a7183236230db60809d479cda8f069300f6aebb7aff724f82029c2780479b327d8713bbfc017c55feab4283bbbbedd1b4e98a0427d700575e31279