Analysis
  max time kernel: 143s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/11/2024, 01:35

Static task: static1

Behavioral task: behavioral1
  Sample: e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
  Resource: win10v2004-20241007-en
General
  Target: e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
  Size: 537KB
  MD5: 0188463907b46021fda18694973f8ceb
  SHA1: c0faf7a04e43849adfeb74e584295c75d6c86d66
  SHA256: e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d
  SHA512: 7cf9bac2617cb08ec3f3a4d2979f92d1e86dab00df74262681a098edeeaa87ea27c376f8fdc9b2a175160379e146d02f5c6c1441270c4e6c092879a30756bd5e
  SSDEEP: 12288:6Mr4y90fJbVVNxks+PJc0CphTMrRQ174w08:Wy0tV7xAc0wTMrRQ174g
Malware Config

Extracted
  Family: redline
  Botnet: rosn
  C2: 176.113.115.145:4125
  Attributes:
    auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0009000000023c60-12.dat | healer
  behavioral1/memory/3524-15-0x00000000008E0000-0x00000000008EA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr716076.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr716076.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr716076.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr716076.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr716076.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr716076.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
  resource | yara_rule
  behavioral1/memory/3472-22-0x00000000029B0000-0x00000000029F6000-memory.dmp | family_redline
  behavioral1/memory/3472-24-0x00000000053D0000-0x0000000005414000-memory.dmp | family_redline
  behavioral1/memory/3472-84-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-88-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-86-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-80-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-78-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-76-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-72-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-70-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-68-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-66-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-64-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-62-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-61-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-58-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-56-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-54-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-52-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-50-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-48-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-44-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-42-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-40-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-38-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-36-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-34-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-32-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-30-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-26-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-82-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-74-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-46-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-28-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline
  behavioral1/memory/3472-25-0x00000000053D0000-0x000000000540F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
  pid | Process
  1640 | zifk5484.exe
  3524 | jr716076.exe
  3472 | ku030821.exe

Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr716076.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zifk5484.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zifk5484.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku030821.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3524 | jr716076.exe
  3524 | jr716076.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3524 | jr716076.exe
  Token: SeDebugPrivilege | 3472 | ku030821.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4344 wrote to memory of 1640 | 4344 | e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe | 83
  PID 4344 wrote to memory of 1640 | 4344 | e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe | 83
  PID 4344 wrote to memory of 1640 | 4344 | e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe | 83
  PID 1640 wrote to memory of 3524 | 1640 | zifk5484.exe | 84
  PID 1640 wrote to memory of 3524 | 1640 | zifk5484.exe | 84
  PID 1640 wrote to memory of 3472 | 1640 | zifk5484.exe | 94
  PID 1640 wrote to memory of 3472 | 1640 | zifk5484.exe | 94
  PID 1640 wrote to memory of 3472 | 1640 | zifk5484.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe (PID 4344, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifk5484.exe (PID 1640, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifk5484.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr716076.exe (PID 3524, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr716076.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku030821.exe (PID 3472, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku030821.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1): Windows Service (1)
Downloads

  Filesize: 395KB
  MD5: 9855e10188e420bc8b9d5c314bd3484b
  SHA1: 4e45a1f9f6464d367171c88d32f5f3f7c3bcef3a
  SHA256: e9ff910581190df9ca1c9802f986baaaa7ee04e666a6f7364f839d83a3266d57
  SHA512: b597388ad774d03537b90ea7b5c6633030e910f82b11db0394e12ca4a0888afdfc2d925bb7bad770fc82862b112cd3f1996c271c0d107229d6a41030699a8e6c

  Filesize: 13KB
  MD5: 9e6c3717b54ae8b2a310619a970c40aa
  SHA1: fc0298392c7dbfb48842d113d698acf6015361f4
  SHA256: 72d58c4819b79f87a590ad57c1a738b8b453ed6fecd3bd0b0c568ab9b137372e
  SHA512: a54e4953a37caf4e07ef40a9bf3a4fca42cd27ef792603474c684261796077544f128f7ec4993ad20060ffa2cd12e61411eb0f0d3bb643a5ecaf84f6a74ba70a

  Filesize: 353KB
  MD5: 1a6c1bc8c705dc1ae42f78cf5e0c5c67
  SHA1: e4b0a5dab9c40045cacfbd14fd6941d1aa78d9be
  SHA256: b6a234c19abe5f02e7ff1ca17b8f8a2489e046a6aa57520f0e7d3f16236d272c
  SHA512: 05462c067a363032a54a7cbabf7e86e351b3d082337f2ec5b67c8a83bf9b1ea650a922d5f4b15163ff50fded7fdc5c4d5c57358cea1cc648ce4829f27945b7e2