Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 01:53

Static task: static1
Behavioral task: behavioral1
Sample: 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe
Resource: win10v2004-20241007-en
General

Target: 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe
Size: 943KB
MD5: be8c4039185fe2289d253886372d1457
SHA1: 060be3703d851fbcdd9b42e2373900b9c145a99b
SHA256: 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc
SHA512: cba31af01eb4e230417ebed5939b8264d7de12b56ed401da696a7abec7de9519b05c1a753277717d07db72b17a7320d552fdb92ed720e9ca784a7288fb561d57
SSDEEP: 24576:Dy0vHhhg4mMGr76WbnBijXUhviX1eoVh9UjKVdWAW:W0JG4mjBizUhq4oVDUjmdWA
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
All 17 hits are in the memory of PID 5032 (pr720747.exe), in two regions: one at 0x4CF0000 and the rest at 0x7850000.
resource | yara_rule
behavioral1/memory/5032-22-0x0000000004CF0000-0x0000000004D0A000-memory.dmp | healer
behavioral1/memory/5032-24-0x0000000007850000-0x0000000007868000-memory.dmp | healer
behavioral1/memory/5032-40-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-52-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-50-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-48-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-46-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-44-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-42-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-38-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-36-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-34-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-32-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-30-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-28-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-26-0x0000000007850000-0x0000000007862000-memory.dmp | healer
behavioral1/memory/5032-25-0x0000000007850000-0x0000000007862000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
These are the Windows Defender group-policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (the report shows them through the WOW6432Node path; when checking a live host, read both that path and the un-redirected HKLM\SOFTWARE\Policies key). Setting each value to 1 turns off behaviour monitoring, IOAV (download and attachment) scanning, on-access scanning, real-time monitoring, and the scan that normally runs when real-time protection is re-enabled. The report records the registry writes, not whether Defender honoured them: while Tamper Protection is on, Defender ignores these policy values, which is why the dropper also tries to clear the TamperProtection feature flag (the write is recorded further down).
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr720747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr720747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr720747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr720747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr720747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr720747.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020. It is an information stealer: it collects saved browser credentials, cookies and autofill data, cryptocurrency wallet files and system details, and sends them to its operator.

RedLine payload 20 IoCs
All 20 hits are in the memory of PID 3916 (qu160303.exe), the second executable unpacked from IXP002.TMP, not in the Healer dropper.
resource | yara_rule
behavioral1/memory/3916-60-0x00000000048D0000-0x000000000490C000-memory.dmp | family_redline
behavioral1/memory/3916-61-0x0000000004C30000-0x0000000004C6A000-memory.dmp | family_redline
behavioral1/memory/3916-67-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-75-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-73-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-71-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-69-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-91-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-81-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-65-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-63-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-62-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-77-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-95-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-93-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-89-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-87-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-85-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-83-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
behavioral1/memory/3916-79-0x0000000004C30000-0x0000000004C65000-memory.dmp | family_redline
Redline family
Executes dropped EXE 4 IoCs
pid | Process
4228 | un653018.exe
1888 | un287941.exe
5032 | pr720747.exe
3916 | qu160303.exe

Windows security modification 2 IoCs
HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection is the flag Defender keeps for Tamper Protection. Current Windows 10/11 builds protect this value, so a plain registry write from the dropper's context does not turn Tamper Protection off; treat the write as intent and confirm the real state on an affected host with Get-MpComputerStatus (IsTamperProtected).
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr720747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr720747.exe
Adds Run key to start application 2 TTPs 3 IoCs
The three values are wextract_cleanup0, wextract_cleanup1 and wextract_cleanup2 under RunOnce, each running rundll32.exe advpack.dll,DelNodeRunDLL32 against an IXP00N.TMP directory. That is the standard cleanup entry the Windows IExpress self-extractor (wextract) writes so its extraction directory is deleted at the next logon; it starts no payload. Seeing it three times means the sample is three nested IExpress packages (the sample extracts un653018.exe, which extracts un287941.exe, which extracts pr720747.exe and qu160303.exe), which matches the process tree below.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un653018.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un287941.exe
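The script below is an added example, not part of the tria.ge report and not code from the sample. It takes the registry "Set value" IoCs listed under the Defender real-time protection, Windows security modification and RunOnce signatures (the lines are copied verbatim from this report and embedded as the sample input), normalises the NT-native paths, and classifies each write as Defender tampering, a generic RunOnce autostart, or the IExpress self-extractor's own wextract_cleanup entry, so the benign cleanup values are not scored like real persistence. The severity labels, the ATT&CK mapping (T1562.001 for the Defender writes, T1547.001 for RunOnce) and the matching rules are my choices, not the sandbox's.

```python
"""Classify registry 'Set value' IoCs from a sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: IoC lines copied from the report above. The sandbox records
# NT-native key paths (\REGISTRY\MACHINE is HKLM) and the writing process.
REPORT_IOCS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr720747.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr720747.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr720747.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr720747.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr720747.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr720747.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr720747.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un653018.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" un287941.exe',
]

# 'Set value (<type>) <path> = "<value>" <process>'; the path may contain spaces,
# so it is matched lazily up to the ' = "' separator, and the value greedily up
# to the last '" ' before the process name (the RunOnce value embeds quotes).
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<process>\S+)$'
)

# Rule targets (my choice of what to flag; paths are compared case-insensitively).
DEFENDER_RTP_POLICY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
DEFENDER_TAMPER_FLAG = r'HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
RUNONCE_KEY = r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
# The IExpress (wextract) stub schedules this to delete its IXP00N.TMP directory.
IEXPRESS_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32', re.I)


@dataclass
class Finding:
    process: str
    key: str        # normalised HKLM\... key, WOW6432Node hop removed
    name: str       # value name
    value: str
    severity: str   # high / medium / info / low (my labels)
    technique: str  # ATT&CK technique id, '' if unmapped
    note: str


def normalize_key(path: str) -> str:
    """Map the NT-native path to the HKLM/HKU view and drop the WOW6432Node hop.
    The sandbox logged the 32-bit view; on a live host check both views."""
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', path, flags=re.I)
    key = re.sub(r'^\\REGISTRY\\USER', 'HKU', key, flags=re.I)
    return re.sub(r'\\WOW6432Node(?=\\)', '', key, flags=re.I)


def classify(line: str) -> Optional[Finding]:
    """Classify one report line; returns None for lines that set no value."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None  # 'Key created' and other events carry no value to judge
    full = normalize_key(m['path'])
    key, _, name = full.rpartition('\\')
    value, process = m['value'], m['process']
    if key.lower() == DEFENDER_RTP_POLICY.lower() and name.lower().startswith('disable') and value == '1':
        # Write is recorded even if Tamper Protection makes Defender ignore it.
        sev, tech, note = 'high', 'T1562.001', 'Defender real-time protection policy disabled'
    elif full.lower() == DEFENDER_TAMPER_FLAG.lower() and value == '0':
        sev, tech, note = 'high', 'T1562.001', 'Tamper Protection feature flag cleared (attempt)'
    elif key.lower() == RUNONCE_KEY.lower():
        if name.lower().startswith('wextract_cleanup') and IEXPRESS_CLEANUP.search(value):
            sev, tech, note = 'info', 'T1547.001', 'IExpress SFX cleanup entry: deletes its temp dir at next logon'
        else:
            sev, tech, note = 'medium', 'T1547.001', 'RunOnce autostart'
    else:
        sev, tech, note = 'low', '', 'unclassified registry write'
    return Finding(process, key, name, value, sev, tech, note)


def triage(lines):
    """All findings for the given report lines, in report order."""
    return [f for f in map(classify, lines) if f is not None]


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(REPORT_IOCS):
        print(f'{f.severity:6} {f.technique:10} {f.process[:20]:20} {f.name} = {f.value[:40]!r}  ({f.note})')
    print(severity_counts(triage(REPORT_IOCS)))
```

Run over the report's lines it yields six high findings (five real-time protection policies plus the TamperProtection flag, all by pr720747.exe) and three info findings for the cleanup entries; the "Key created" line is skipped because it sets no value. The same rules apply unchanged to Sysmon Event ID 13 or EDR registry telemetry once the path and value are extracted.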
Launches sc.exe 1 IoCs
sc.exe is the Windows utility for controlling services on the system. The process tree lists this instance at top level (sc.exe start wuauserv, PID 2584), not as a child of the sample.
pid | Process
2584 | sc.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2320 | 5032 | WerFault.exe | 85
WerFault.exe (PID 2320) handled a crash of PID 5032, the Healer dropper pr720747.exe.
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All five executables in the chain open the same key.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr720747.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu160303.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un653018.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un287941.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5032 | pr720747.exe
5032 | pr720747.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5032 | pr720747.exe
Token: SeDebugPrivilege | 3916 | qu160303.exe

Suspicious use of WriteProcessMemory 12 IoCs
Each of the four parent-to-child writes below is recorded three times in the report.
description | pid | Process | procid_target
PID 2908 wrote to memory of 4228 | 2908 | 55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe | 83
PID 4228 wrote to memory of 1888 | 4228 | un653018.exe | 84
PID 1888 wrote to memory of 5032 | 1888 | un287941.exe | 85
PID 1888 wrote to memory of 3916 | 1888 | un287941.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55fb7af7fa09cca06434d2f6ce71aa56952b5b574da1d6a728b1ca7fb36ca4cc.exe"
  PID: 2908
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un653018.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un653018.exe
    PID: 4228
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un287941.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un287941.exe
      PID: 1888
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr720747.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr720747.exe
        PID: 5032
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1084
          PID: 2320
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160303.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu160303.exe
        PID: 3916
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5032 -ip 5032
  PID: 4372

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 2584
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547) 1
    Registry Run Keys / Startup Folder (T1547.001) 1
  Create or Modify System Process (T1543) 1
    Windows Service (T1543.003) 1
Downloads

Filesize: 694KB
MD5: 4dc9b5520ac11ca8cb63c152aee7c7be
SHA1: 7f81dd5994b9373853ba8b810764b34d1c755c60
SHA256: d4231ae40d930832459a5b718e2aaf4dc4bbb2528e14e703cd937eedf46e96fd
SHA512: f678b056e2251dcbaa6339266f6b9c32c09840776f19d1ab4b7c90e3a18a74a855b7b73c49b3f10d3c7fd641019bd5bd5971fc5b04053945cb0a55f47ee0ad03

Filesize: 540KB
MD5: 2d7863096ba63bfe7fce430d8dcbdc47
SHA1: 69054a4412522629ec62f6e434c94676a89e0331
SHA256: 3cffa721c862b4ce5f81d5babc2b4cca3d2db17ef0c7f91f40947deadc8bc348
SHA512: bfaec0268fb71078f35710271ac862f94cf1f2197a2d5a13364fb855f4791868f8376239310a1b4ee116a1efa64f79f7e732fa21923163c7c5d039c3f27f57a7

Filesize: 278KB
MD5: ec72909a81558b4157d75d87d6779598
SHA1: 8b8b095c515797a805b893e9fc0d466e0f173fbe
SHA256: ba17307cb09cf3721bb1763497eedc897c4a3ea2b6550f72a11ba8af47f3e095
SHA512: 9d5afdcfe52f94ec896c056ed462273ff000b46f4be8bd65547bb88b450a816110d84678c7e6b87657da8607b2a8804719bfbcc34360686bedb831bbbba2f3ef

Filesize: 361KB
MD5: 7821d684b869d8d6df71731ec0c85a71
SHA1: 944c0dd6250f52ffd7d628b7b24ca48567d373bc
SHA256: 66d9ff40d7b3c0d725ce6b5e543eb15160f9c594a1ef66ffa8e838b21325387e
SHA512: 1f6b8b398786ef5399efc05aafaae4623cddf660cd0a2226b6bc647cbfe17ba4e5961156d939421cd84a715abe7507567808dbfbfd32026f058b1434a15e1959