Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 11/11/2024, 01:35
Static task
static1
Behavioral task
behavioral1
Sample
5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe
Resource
win10v2004-20241007-en
General
- Target: 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe
- Size: 790KB
- MD5: b7900d65e87ecac310bc447e8c3c6c1c
- SHA1: 36efc92b519f5b12632a9135ee4ba128eaa8e063
- SHA256: 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102
- SHA512: 75eeb3feb8d5aeacb6b152fe4d376f650a3379051a598bdff273172cb213af7ad6c8e3b39b4e782ddc7e61c819899398aec95df30c1580010ac26ae3e34a6520
- SSDEEP: 24576:pyTaiGXmEaY5WYIZDIRmbu5/aJ04c0NlRf:cNGWIYTIgbW/aJ04c0
Malware Config
Extracted
- Family: redline
- Botnet: mango
- C2: 193.233.20.28:4125
- auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures
Detects Healer, an antivirus disabler dropper (19 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c46Op90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c46Op90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b9223ir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c46Op90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b9223ir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b9223ir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b9223ir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c46Op90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c46Op90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c46Op90.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b9223ir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b9223ir.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (5 IoCs)
pid | Process
3320 | tice4892.exe
3188 | tice7562.exe
5000 | b9223ir.exe
4876 | c46Op90.exe
3512 | dVXjL65.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b9223ir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c46Op90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c46Op90.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice4892.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice7562.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
4696 | sc.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1304 | 4876 | WerFault.exe | 94
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tice4892.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tice7562.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c46Op90.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dVXjL65.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
5000 | b9223ir.exe
5000 | b9223ir.exe
4876 | c46Op90.exe
4876 | c46Op90.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5000 | b9223ir.exe
Token: SeDebugPrivilege | 4876 | c46Op90.exe
Token: SeDebugPrivilege | 3512 | dVXjL65.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3952 wrote to memory of 3320 | 3952 | 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe | 84
PID 3952 wrote to memory of 3320 | 3952 | 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe | 84
PID 3952 wrote to memory of 3320 | 3952 | 5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe | 84
PID 3320 wrote to memory of 3188 | 3320 | tice4892.exe | 85
PID 3320 wrote to memory of 3188 | 3320 | tice4892.exe | 85
PID 3320 wrote to memory of 3188 | 3320 | tice4892.exe | 85
PID 3188 wrote to memory of 5000 | 3188 | tice7562.exe | 86
PID 3188 wrote to memory of 5000 | 3188 | tice7562.exe | 86
PID 3188 wrote to memory of 4876 | 3188 | tice7562.exe | 94
PID 3188 wrote to memory of 4876 | 3188 | tice7562.exe | 94
PID 3188 wrote to memory of 4876 | 3188 | tice7562.exe | 94
PID 3320 wrote to memory of 3512 | 3320 | tice4892.exe | 98
PID 3320 wrote to memory of 3512 | 3320 | tice4892.exe | 98
PID 3320 wrote to memory of 3512 | 3320 | tice4892.exe | 98
Processes (bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5a05ecfa6b630d4cc7bc39c976d8feec16874986d5c6ef975b4e1515befae102.exe"
    PID: 3952
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4892.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4892.exe
      PID: 3320
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice7562.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice7562.exe
        PID: 3188
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9223ir.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9223ir.exe
          PID: 5000
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c46Op90.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c46Op90.exe
          PID: 4876
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1104
            PID: 1304
            - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVXjL65.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVXjL65.exe
        PID: 3512
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4876 -ip 4876
    PID: 3828
[1] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    PID: 4696
    - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads