Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:33
Static task
static1
Behavioral task
behavioral1
Sample
e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe
Resource
win10v2004-20241007-en
General
-
Target
e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe
-
Size
537KB
-
MD5
cacad4e5230e2f23f4e343ff2eab9478
-
SHA1
afe0d0fdefa4e1dd2b163f271fe99314a780dca3
-
SHA256
e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3
-
SHA512
77f563f695866d1446faec19d9f1461b161416bbc497ec944ed7fdff6de24536c3f9854c804ca4320efd0ef4861743792a9afb981e277341c86968d5fcb47fed
-
SSDEEP
12288:KMr+y90y/uqhfWA//98dLuDUsQHVwIT91CXQ41v7Y7xpeUPi+L:AycwWU98puDY1wO91QQsvs7xk8xL
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b6f-12.dat healer behavioral1/memory/2712-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr250057.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr250057.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr250057.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr250057.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr250057.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr250057.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/2828-22-0x00000000029B0000-0x00000000029F6000-memory.dmp family_redline behavioral1/memory/2828-24-0x00000000053C0000-0x0000000005404000-memory.dmp family_redline behavioral1/memory/2828-38-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-40-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-88-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-86-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-82-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-80-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-78-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-76-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-74-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-72-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-70-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-66-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-64-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-62-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-60-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-56-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-54-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-52-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-50-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-48-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-47-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-45-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-42-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-36-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-34-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-32-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-30-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-84-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-68-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-58-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-28-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-26-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline behavioral1/memory/2828-25-0x00000000053C0000-0x00000000053FF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2796 ziUB7317.exe 2712 jr250057.exe 2828 ku425158.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr250057.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziUB7317.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziUB7317.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku425158.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2712 jr250057.exe 2712 jr250057.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2712 jr250057.exe Token: SeDebugPrivilege 2828 ku425158.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3828 wrote to memory of 2796 3828 e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe 83 PID 3828 wrote to memory of 2796 3828 e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe 83 PID 3828 wrote to memory of 2796 3828 e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe 83 PID 2796 wrote to memory of 2712 2796 ziUB7317.exe 84 PID 2796 wrote to memory of 2712 2796 ziUB7317.exe 84 PID 2796 wrote to memory of 2828 2796 ziUB7317.exe 93 PID 2796 wrote to memory of 2828 2796 ziUB7317.exe 93 PID 2796 wrote to memory of 2828 2796 ziUB7317.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe"C:\Users\Admin\AppData\Local\Temp\e44a3511096b324abaca97a4e3e3bdfaa838acc174315ca8175188d2137cfca3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUB7317.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr250057.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku425158.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD5e3cbd2c100cba4536e3a10ee825a112f
SHA15f75b44b5cbac04bc382347aecbeae648193c9af
SHA2560932998dca11059c3d35c8f5147f92cd24a85d0446a8b3af7f442f6cdfe87f50
SHA512495bd25dc2bfcea149c0a7747fe70d36ec9c43cd351a9e56872c5508592fd997784ec98c2ab2a7624dd894d36947bb491f8b7971e4287c442a4e62f2ec276e6e
-
Filesize
13KB
MD5ce79d92003032d72af265412d78fd580
SHA17e6b1d8774a11b49e0deb15bc58957099d11e0ce
SHA256f241c84c5edaee59f48e523535a63960acc5f5a545ee4840d7587bdc98bcd22a
SHA512f917091d4837f10a801b6da65a04243b791b7598642941f6da2b89e843660fe6b388249d6b71f4a45b6fdcdde583ff8f19a68b432f3ab59db6ae95b7c2d9cb91
-
Filesize
352KB
MD507c11341bc44bc2554fe6275a0106647
SHA1d627e20f5f8ae589060d01e64b1274c22a8f740e
SHA256b7c615b40a3d4fb4a72cc9ad2bbb6296ade914e6ef06bf933fdaceac0c54c8b8
SHA512643d119757a7f95c3b11687c7800a5652a1e4f841920fabd40ea88b44d3970b042150cb30f4203cb857a8ecf90b3032aeb73fe9489f241b52813f324c4c43c21