Analysis

max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 01:53
Static task: static1
Behavioral task: behavioral1
Sample: 85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe
Resource: win10v2004-20241007-en
General

Target: 85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe
Size: 522KB
MD5: db0897b60a1f71439d1c5c16902ac4a5
SHA1: 8167a6683c1795d9b0cebdc48798c953567b2e40
SHA256: 85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee
SHA512: 0d9e694e4b185b94211cfeb2cce66b30c448276dc372035dfbf65dd024fddc036fe2cce624c4fbac3fccdc406493d92b243f1f73ecc29c4497f8dae2a995bc6a
SSDEEP: 12288:gMrly90jGoo/34tkdpSdLoP8wjj2WHgr7dmqmgDnm9QYD:1yNAidgRS7jj7HA73Dm9bD
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c9f-12.dat | healer
behavioral1/memory/4804-15-0x0000000000450000-0x000000000045A000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Process | Operation | IoC
jr720904.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
jr720904.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
jr720904.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
jr720904.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
jr720904.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
jr720904.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"

All of these writes go to the policy hive (HKLM\SOFTWARE\Policies\...), the same values a Group Policy would set, so they override whatever the Defender UI shows and need administrative rights to write. The report records the registry operations themselves; on a host with Tamper Protection active these exact changes are blocked, which is why the same process also tries to switch Tamper Protection off (see Windows security modification below).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
All 35 hits are the family_redline YARA rule on memory dumps of PID 2208 (ku423659.exe):
resource | yara_rule
behavioral1/memory/2208-22-0x00000000024C0000-0x0000000002506000-memory.dmp | family_redline
behavioral1/memory/2208-24-0x0000000004AE0000-0x0000000004B24000-memory.dmp | family_redline
behavioral1/memory/2208-N-0x0000000004AE0000-0x0000000004B1F000-memory.dmp | family_redline, for N in 25, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 59, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88 (33 dumps of the same region)
Redline family
-
Executes dropped EXE (3 IoCs)
PID | Process
2432 | ziOA8577.exe
4804 | jr720904.exe
2208 | ku423659.exe

Windows security modification (1 IoC)
Process | Operation | IoC
jr720904.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
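The Defender registry writes attributed to jr720904.exe (the five Real-Time Protection policy values and TamperProtection = 0) are the most actionable IoCs in this report. The Python below is an added example, not tria.ge output and not code from the sample: it turns those writes into detection rules and runs them over Sysmon Event ID 13 (RegistryEvent, Value Set) lines. The flattened key=value line layout, the sample lines, the severity labels and the reuse of the process paths from the process tree are assumptions made for this example; only the registry paths and values come from the report. It also shows why the DWORD is part of the rule (a value of 0 on DisableRealtimeMonitoring is someone re-enabling protection) and files the wextract RunOnce entries as informational rather than as persistence.

```python
"""Detection rules built from the Defender-tampering IoCs in this report.

Added example (not tria.ge output, not code from the sample).  Registry
paths and values are the report's; the line format, sample lines and
severity labels are assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Paths in the HKLM\ form Sysmon logs (the report shows \REGISTRY\MACHINE\...).
RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_PROTECTION = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# (value path, DWORD the malware writes, severity, meaning).  The DWORD is part
# of the rule: DisableRealtimeMonitoring = 0 is protection being turned back on.
DWORD_RULES = [
    (RTP_POLICY + r"\DisableRealtimeMonitoring", 1, "high", "real-time protection disabled by policy"),
    (RTP_POLICY + r"\DisableBehaviorMonitoring", 1, "high", "behavior monitoring disabled by policy"),
    (RTP_POLICY + r"\DisableIOAVProtection", 1, "high", "download/attachment scanning disabled"),
    (RTP_POLICY + r"\DisableOnAccessProtection", 1, "high", "on-access scanning disabled"),
    (RTP_POLICY + r"\DisableScanOnRealtimeEnable", 1, "medium", "catch-up scan on re-enable suppressed"),
    (TAMPER_PROTECTION, 0, "high", "tamper protection disabled"),
]

# Informational: the wextract (IExpress) self-extractor stub writes this RunOnce
# value itself to delete its IXP00N.TMP directory; it marks an SFX package, not persistence.
WEXTRACT_RUNONCE = re.compile(
    r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$",
    re.IGNORECASE,
)

# Assumed flattened Sysmon line: EventID=13 Image=... TargetObject=... Details=...
LINE_RE = re.compile(r"EventID=(?P<eid>\d+)\s+Image=(?P<image>.+?)\s+TargetObject=(?P<target>.+?)\s+Details=(?P<details>.*)$")
DWORD_RE = re.compile(r"^DWORD \(0x(?P<hex>[0-9A-Fa-f]{8})\)$")  # Sysmon's REG_DWORD rendering


@dataclass
class Hit:
    severity: str
    image: str
    target: str
    meaning: str


def parse_dword(details: str) -> Optional[int]:
    """Integer from 'DWORD (0x00000001)'; None for string values or other types."""
    m = DWORD_RE.match(details.strip())
    return int(m.group("hex"), 16) if m else None


def match_line(line: str) -> Optional[Hit]:
    """Apply the rules to one Value Set line; None when nothing matches."""
    m = LINE_RE.search(line)
    if not m or m.group("eid") != "13":
        return None
    image, target, details = m.group("image"), m.group("target"), m.group("details")
    for path, wanted, severity, meaning in DWORD_RULES:
        if target.lower() == path.lower() and parse_dword(details) == wanted:
            return Hit(severity, image, target, meaning)
    if WEXTRACT_RUNONCE.match(target):
        return Hit("info", image, target, "wextract SFX cleanup entry, not persistence")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in map(match_line, lines) if h is not None]


def severity_counts(hits: List[Hit]) -> dict:
    counts: dict = {}
    for h in hits:
        counts[h.severity] = counts.get(h.severity, 0) + 1
    return counts


def defender_disablers(hits: List[Hit]) -> List[str]:
    """Images that switched off at least one Defender protection."""
    return sorted({h.image for h in hits if h.severity == "high"})


# Constructed sample telemetry mirroring the report's process names and IoCs.
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr720904.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe"
SFX2 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOA8577.exe"
SAMPLE_LOG = [
    f"EventID=13 Image={HEALER} TargetObject={RTP_POLICY}\\DisableScanOnRealtimeEnable Details=DWORD (0x00000001)",
    f"EventID=13 Image={HEALER} TargetObject={RTP_POLICY}\\DisableBehaviorMonitoring Details=DWORD (0x00000001)",
    f"EventID=13 Image={HEALER} TargetObject={RTP_POLICY}\\DisableIOAVProtection Details=DWORD (0x00000001)",
    f"EventID=13 Image={HEALER} TargetObject={RTP_POLICY}\\DisableOnAccessProtection Details=DWORD (0x00000001)",
    f"EventID=13 Image={HEALER} TargetObject={RTP_POLICY}\\DisableRealtimeMonitoring Details=DWORD (0x00000001)",
    f"EventID=13 Image={HEALER} TargetObject={TAMPER_PROTECTION} Details=DWORD (0x00000000)",
    f'EventID=13 Image={DROPPER} TargetObject=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0 Details=rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"',
    f'EventID=13 Image={SFX2} TargetObject=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1 Details=rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"',
    # Benign noise: an unrelated DWORD, and real-time protection being re-enabled (value 0).
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
    f"EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject={RTP_POLICY}\\DisableRealtimeMonitoring Details=DWORD (0x00000000)",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h.severity}] {h.image} -> {h.target} ({h.meaning})")
    print(severity_counts(found), defender_disablers(found))
```

Run as a script it prints eight hits: five high and one medium for jr720904.exe and two informational wextract entries; the two benign lines produce nothing. On real telemetry, alert on the high hits grouped by image, and treat the informational hits as context for the IXP00N.TMP extraction directories seen in the process tree.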
Adds Run key to start application (2 TTPs, 2 IoCs)
Process | Operation | IoC
85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
ziOA8577.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Both values are the cleanup entries that the wextract self-extractor stub writes for itself (the IXP000.TMP and IXP001.TMP extraction directories are its hallmark): rundll32 advpack.dll,DelNodeRunDLL32 deletes the temporary directory at the next logon. They show that the sample and ziOA8577.exe are wextract packages nested inside each other; they are not a persistence mechanism for the payloads.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process | Operation | IoC
85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ziOA8577.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ku423659.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID | Process
4804 | jr720904.exe
4804 | jr720904.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token | PID | Process
SeDebugPrivilege | 4804 | jr720904.exe
SeDebugPrivilege | 2208 | ku423659.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | PID | Process | procid_target | events
PID 4036 wrote to memory of 2432 | 4036 | 85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe | 83 | 3
PID 2432 wrote to memory of 4804 | 2432 | ziOA8577.exe | 84 | 2
PID 2432 wrote to memory of 2208 | 2432 | ziOA8577.exe | 92 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe (PID 4036)
  command line: "C:\Users\Admin\AppData\Local\Temp\85ab5e3435884685f28cff1d0bc4b65bcae1d17e3b733f4410efdd969e9bd4ee.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOA8577.exe (PID 2432, child of 4036)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOA8577.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr720904.exe (PID 4804, child of 2432)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr720904.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku423659.exe (PID 2208, child of 2432)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku423659.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 380KB
MD5: ff7b2e2798bca2c66f6a3ae83b287f5c
SHA1: 45498686e73bbc5b9c20e44fb082557b6104b441
SHA256: fa04dccdf7875f73566defcab5f5c791a30be209bdc6a5ce5e6be2d956467e53
SHA512: 4bdb04cec6a61981acda053c295f3558cf75e5afaba2d4b0ca3720c730dcaa005eb4dab25b2ef9fe08fcfb6708ba0c2a12ae3842e7a027fd197595e428a2fee4

Filesize: 15KB
MD5: f85cd5a8430104a2d089518be51f02ce
SHA1: 2b0759d260151ba3c451d7fe169261a287e3ce98
SHA256: c08376e7440400409cc8c7aec38845dce6bc2c90ecb418a48ff150db960631f2
SHA512: 33a13db9c95544bda3ab79b6856b3a660b94994dae6568c16a3316ca6d399a3375cb0df94b3b8224b953e00341d27bf6e3d3fd2f706c530f0c74611d7db5a0d6

Filesize: 294KB
MD5: ff4cb3548ca5167389f522423ec37578
SHA1: 801ffe575ad20b2a376ab2bc6dbeac320e2da0fd
SHA256: 3eccd3077b1c8cb1b7e9036247484330c672f5ed26b4e912a7a7b801519d30a1
SHA512: 159c57ac34fdfc25942bd38391253f78c81452f705712b3042d3eef11267c7cf6351cc725be42cc91b9c7772b417751f3a2d6a6f1a75039db368f6b93395d3a8