Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/11/2024, 01:56

Static task: static1

Behavioral task: behavioral1
  Sample: 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
  Resource: win10v2004-20241007-en
General
Target: 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
Size: 673KB
MD5: ca08d8d104a198126a703084a9a257e7
SHA1: 5ce48ac91b9bccb9c022074cc16bc0840514679b
SHA256: 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671
SHA512: 7963dbf33d59e239f439c58eb6796c85e27b95a36e9c2060dce83d2c83e79d55d5a2e039dcd432427abd10b8486b4349125719b5023320e11aa50b9c0b11bfcc
SSDEEP: 12288:AMrcy90mPmqpsTIVduM1JEIiT704GP6buW7hqvauah:MyDPmdI/ul9GPyucbuah
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes:
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/3188-19-0x0000000002370000-0x000000000238A000-memory.dmp | healer
behavioral1/memory/3188-21-0x0000000002520000-0x0000000002538000-memory.dmp | healer
behavioral1/memory/3188-47-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-49-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-45-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-43-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-41-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-40-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-37-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-36-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-33-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-31-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-29-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-28-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-25-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-23-0x0000000002520000-0x0000000002532000-memory.dmp | healer
behavioral1/memory/3188-22-0x0000000002520000-0x0000000002532000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9530.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9530.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/3916-60-0x0000000002490000-0x00000000024D6000-memory.dmp | family_redline
behavioral1/memory/3916-61-0x0000000002670000-0x00000000026B4000-memory.dmp | family_redline
behavioral1/memory/3916-75-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-65-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-63-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-62-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-87-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-95-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-93-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-91-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-90-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-85-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-83-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-82-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-79-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-77-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-73-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-71-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-69-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
behavioral1/memory/3916-67-0x0000000002670000-0x00000000026AF000-memory.dmp | family_redline
Redline family

Executes dropped EXE 3 IoCs
pid | Process
3060 | un998532.exe
3188 | pro9530.exe
3916 | qu3246.exe

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9530.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un998532.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1688 | sc.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3976 | 3188 | WerFault.exe | 84
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro9530.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3246.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un998532.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3188 | pro9530.exe
3188 | pro9530.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3188 | pro9530.exe
Token: SeDebugPrivilege | 3916 | qu3246.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4000 wrote to memory of 3060 | 4000 | 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe | 83
PID 4000 wrote to memory of 3060 | 4000 | 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe | 83
PID 4000 wrote to memory of 3060 | 4000 | 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe | 83
PID 3060 wrote to memory of 3188 | 3060 | un998532.exe | 84
PID 3060 wrote to memory of 3188 | 3060 | un998532.exe | 84
PID 3060 wrote to memory of 3188 | 3060 | un998532.exe | 84
PID 3060 wrote to memory of 3916 | 3060 | un998532.exe | 99
PID 3060 wrote to memory of 3916 | 3060 | un998532.exe | 99
PID 3060 wrote to memory of 3916 | 3060 | un998532.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe"
  PID: 4000
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un998532.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un998532.exe
    PID: 3060
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9530.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9530.exe
      PID: 3188
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1020
        PID: 3976
        Signatures:
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3246.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3246.exe
      PID: 3916
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3188 -ip 3188
  PID: 1660
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 1688
  Signatures:
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 531KB
  MD5: 4543bec8b42add374ebc0ccc6a745d32
  SHA1: 094a70e86284d96aa23590c73268a2034d44a9be
  SHA256: 6d3c3385b483561371cae9678c0d6fb688e7047450a345b9716e9b6ff0c2520a
  SHA512: f2208a40ae3ff8bb57c255fc38983cade88564a0bb82383f45f6d81a6e1fd62f42125327ff4ba6b020678259b6aaac2cbf259822528fa8c95eceb15cf13cf200
- Filesize: 260KB
  MD5: b169da793fb7bcd483e1d8b395cd3c75
  SHA1: c74701db8983d62e6bba608e7dda2625f7a79898
  SHA256: 7469cd9a996be0323d3a4387a948cb1fb984b10641e27ac002f81dbe1cde93a7
  SHA512: e2f9bf0cfacac545e0c5b918cebe77be3e6c65e88ce62c72a113f34ee28a733b6e2ec22288cf51eeb6b46a28151dd0b419d2920037e8190adfe2fcfbbb060b62
- Filesize: 319KB
  MD5: 0c1cefaf67449e3762e2536c09a041e6
  SHA1: 52172672115c7b95f113365f0b21ddc309dc0987
  SHA256: d8a5df68240fb2b16268dbffc2dd76668181060997c8dc88c1590f662157e653
  SHA512: f9139efbeca21ae5f9f10cbefe8d83f716549ae174080ab9a318b99cc16dfaab3d3640029551200207589de9d26c332481810434eb6e940cbe65637da14736e5