Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11/11/2024, 02:00
Static task: static1
Behavioral task: behavioral1
Sample: 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe
Resource: win10v2004-20241007-en
General
Target: 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe
Size: 964KB
MD5: e69d61ab0e370bd156b42f119a56ab21
SHA1: cc89fac6b399df87b0a63b0b9581cb135596989b
SHA256: 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e
SHA512: f16faffc78c5396b8de26ef6e2c29eda7f8eca241892c71ff1cececd81d1de18bc793e49af2dc652a686753d913d7fe9d59323b2cd25b7a9ca9332df699d7979
SSDEEP: 24576:Ly/T5TgXxtsod32EbxI5k3JUbixyh/LZ9S:+75Oxtso42xULZLX
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/832-22-0x0000000004AE0000-0x0000000004AFA000-memory.dmp | healer
behavioral1/memory/832-24-0x0000000004C80000-0x0000000004C98000-memory.dmp | healer
behavioral1/memory/832-32-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-50-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-48-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-46-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-44-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-42-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-40-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-38-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-36-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-34-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-30-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-52-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-26-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-28-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
behavioral1/memory/832-25-0x0000000004C80000-0x0000000004C92000-memory.dmp | healer
All 17 hits are in the memory of PID 832 (pr923593.exe).
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr923593.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr923593.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr923593.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr923593.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr923593.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr923593.exe
The sandbox records the attempted writes, not whether Defender honoured them. The paths are the WOW6432Node view because pr923593.exe is a 32-bit process (its crash is handled by the SysWOW64 WerFault.exe below), so when hunting check both that view and the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key. On a host with Tamper Protection enabled these policy changes are expected to be reverted.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/2472-60-0x00000000047D0000-0x000000000480C000-memory.dmp | family_redline
behavioral1/memory/2472-61-0x00000000071B0000-0x00000000071EA000-memory.dmp | family_redline
behavioral1/memory/2472-75-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-89-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-95-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-93-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-92-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-87-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-85-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-83-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-81-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-79-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-77-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-73-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-71-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-69-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-67-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-65-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-63-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
behavioral1/memory/2472-62-0x00000000071B0000-0x00000000071E5000-memory.dmp | family_redline
All 20 hits are in the memory of PID 2472 (qu716641.exe).
Redline family
Executes dropped EXE 4 IoCs
pid | Process
2108 | un880574.exe
3400 | un088053.exe
832 | pr923593.exe
2472 | qu716641.exe
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr923593.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr923593.exe
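The two Defender signatures above are the part of this report most worth turning into a detection. As an added example that is not part of the Triage report and not code from the sample, the script below runs a small detector over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records for the six writes pr923593.exe made. Registry paths are normalised so that the NT form Triage shows (\REGISTRY\MACHINE\...), the HKLM form Sysmon logs, and the WOW6432Node view written by the 32-bit dropper all compare equal. The event dictionaries and the benign records are constructed for the example.

```python
"""Detect the Defender-disabling registry writes recorded in this report.

Added example, not code from the Triage report or from the sample: a small
detector run over constructed Sysmon Event ID 13 (RegistryEvent, Value Set)
records, with path normalisation so the NT form (\\REGISTRY\\MACHINE\\...),
the HKLM form and the WOW6432Node (32-bit) view all compare equal.
"""
import re

# Policy values pr923593.exe set to 1 (from the report). A value of 1 disables
# the named protection; TamperProtection is the inverse, 0 turns it off.
REALTIME_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"
DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}


def normalise_key(path: str) -> str:
    """Map hive prefixes to HKLM and drop the WOW6432Node hop (32-bit view)."""
    low = path.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if low.startswith(prefix):
            path = "HKLM\\" + path[len(prefix):]
            break
    idx = path.lower().find("\\wow6432node\\")
    if idx != -1:
        path = path[:idx] + path[idx + len("\\wow6432node"):]
    return path


def classify(target_object: str, details: str):
    """Return (rule, value_name) for a Defender-disabling write, else None."""
    key, _, value_name = normalise_key(target_object).rpartition("\\")
    m = re.search(r"0x([0-9a-f]+)", details.lower())  # Sysmon: "DWORD (0x00000001)"
    if m is None:
        return None
    data = int(m.group(1), 16)
    key = key.lower()
    if key == REALTIME_POLICY_KEY and value_name in DISABLE_VALUES and data == 1:
        return ("defender_realtime_protection_disabled", value_name)
    if key == FEATURES_KEY and value_name == "TamperProtection" and data == 0:
        return ("defender_tamper_protection_disabled", value_name)
    return None


def detect(events):
    """Run classify() over Sysmon-style event dicts; return (rule, image, value)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # only value-set events carry data
            continue
        hit = classify(ev["TargetObject"], ev["Details"])
        if hit is not None:
            findings.append((hit[0], ev["Image"], hit[1]))
    return findings


# Constructed sample log: the six writes from the report as Sysmon would log
# them for the 32-bit dropper, plus two benign records that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923593.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER, "TargetObject": RTP + "\\" + v, "Details": "DWORD (0x00000001)"}
    for v in sorted(DISABLE_VALUES)
] + [
    # TamperProtection = 0, path written in the NT form Triage renders
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # benign: an admin re-enabling real-time monitoring (value 0) must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # benign: key creation (Event ID 12) carries no value data
    {"EventID": 12, "Image": DROPPER, "TargetObject": RTP, "Details": ""},
]

if __name__ == "__main__":
    for rule, image, value in detect(SAMPLE_EVENTS):
        print(f"{rule}: {value} by {image}")
```

The detector keys on the value data, not just the value name, so a write of 0 to DisableRealtimeMonitoring (re-enabling protection) does not fire; the same shape works for Triage's own IoC rows, which render the data as `= "1"`.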
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un880574.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un088053.exe
These three RunOnce values are the standard cleanup entries written by the Windows self-extractor stub (wextract, the IExpress packager) for its IXP00n.TMP working directories: advpack.dll's DelNodeRunDLL32 deletes the directory at the next logon rather than relaunching anything. They show that the sample is three nested self-extracting layers, not that the payload persists through RunOnce.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3544 | 832 | WerFault.exe | 90
WerFault.exe (PID 3544) handled a crash of pr923593.exe (PID 832, process-tree id 90), so the Defender-disabling stage terminated abnormally after making its registry changes.
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr923593.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu716641.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un880574.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un088053.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
832 | pr923593.exe
832 | pr923593.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 832 | pr923593.exe
Token: SeDebugPrivilege | 2472 | qu716641.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3464 wrote to memory of 2108 | 3464 | 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe | 87
PID 3464 wrote to memory of 2108 | 3464 | 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe | 87
PID 3464 wrote to memory of 2108 | 3464 | 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe | 87
PID 2108 wrote to memory of 3400 | 2108 | un880574.exe | 89
PID 2108 wrote to memory of 3400 | 2108 | un880574.exe | 89
PID 2108 wrote to memory of 3400 | 2108 | un880574.exe | 89
PID 3400 wrote to memory of 832 | 3400 | un088053.exe | 90
PID 3400 wrote to memory of 832 | 3400 | un088053.exe | 90
PID 3400 wrote to memory of 832 | 3400 | un088053.exe | 90
PID 3400 wrote to memory of 2472 | 3400 | un088053.exe | 100
PID 3400 wrote to memory of 2472 | 3400 | un088053.exe | 100
PID 3400 wrote to memory of 2472 | 3400 | un088053.exe | 100
Each parent-to-child write is logged three times, so the 12 rows describe four cross-process writes: 3464 to 2108, 2108 to 3400, and 3400 to both 832 and 2472.
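The WriteProcessMemory rows, together with the "Executes dropped EXE" PIDs, are enough to rebuild the execution chain without the rendered process tree. As an added example that is not part of the Triage report, the script below parses the rows in the layout Triage uses (`PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>`), collapses the three copies logged per write, and renders the parent/child tree. The IoC text is copied from the report; the dictionary of dropped-file names is taken from the "Executes dropped EXE" signature.

```python
"""Rebuild the dropper's execution chain from Triage's WriteProcessMemory IoCs.

Added example, not code from the report: parses the "wrote to memory of" rows,
de-duplicates the three copies Triage logs per write, and renders the
parent/child tree using the names from "Executes dropped EXE".
"""
import re
from collections import defaultdict

# Triage row layout: PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>
WPM_LINE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<pname>\S+) (?P<procid>\d+)$"
)

# The 12 rows from the report, one per line.
IOC_TEXT = """
PID 3464 wrote to memory of 2108 3464 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe 87
PID 3464 wrote to memory of 2108 3464 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe 87
PID 3464 wrote to memory of 2108 3464 169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe 87
PID 2108 wrote to memory of 3400 2108 un880574.exe 89
PID 2108 wrote to memory of 3400 2108 un880574.exe 89
PID 2108 wrote to memory of 3400 2108 un880574.exe 89
PID 3400 wrote to memory of 832 3400 un088053.exe 90
PID 3400 wrote to memory of 832 3400 un088053.exe 90
PID 3400 wrote to memory of 832 3400 un088053.exe 90
PID 3400 wrote to memory of 2472 3400 un088053.exe 100
PID 3400 wrote to memory of 2472 3400 un088053.exe 100
PID 3400 wrote to memory of 2472 3400 un088053.exe 100
"""

# From the "Executes dropped EXE" signature.
DROPPED = {2108: "un880574.exe", 3400: "un088053.exe", 832: "pr923593.exe", 2472: "qu716641.exe"}


def parse_edges(text):
    """Return {(parent_pid, child_pid): {"parent_name", "procid"}}, de-duplicated."""
    edges = {}
    for raw in text.strip().splitlines():
        m = WPM_LINE.match(raw.strip())
        if m is None:
            continue  # not a WriteProcessMemory row
        key = (int(m["parent"]), int(m["child"]))
        edges[key] = {"parent_name": m["pname"], "procid": int(m["procid"])}
    return edges


def build_tree(edges, names):
    """Return (roots, children, parents, names); names gains parents seen only in the rows."""
    names = dict(names)
    children, parents = defaultdict(list), {}
    for (p, c), meta in edges.items():
        children[p].append(c)
        parents[c] = p
        names.setdefault(p, meta["parent_name"])  # the initial sample is not a dropped file
    roots = [p for p in children if p not in parents]
    return roots, dict(children), parents, names


def render(pid, children, names, depth=0):
    """Indented one-line-per-process view, children in the order they were written."""
    lines = [f"{'  ' * depth}{names.get(pid, '<unknown>')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, names, depth + 1))
    return lines


def execution_chain(text=IOC_TEXT, names=DROPPED):
    roots, children, _, names = build_tree(parse_edges(text), names)
    out = []
    for root in roots:
        out.extend(render(root, children, names))
    return out


if __name__ == "__main__":
    print("\n".join(execution_chain()))
```

The procid_target of the 3400-to-832 edge (90) is the same process-tree id WerFault.exe reports in the "Program crash" signature, which is how the crash can be tied back to pr923593.exe even when PIDs are reused.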
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\169290f535eaec8227ea74642c6805f725d485186174007bde95cfdd4475c84e.exe"
  PID: 3464
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880574.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880574.exe
    PID: 2108
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088053.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un088053.exe
      PID: 3400
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923593.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923593.exe
        PID: 832
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        [depth 5] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1064
          PID: 3544
          - Program crash
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716641.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu716641.exe
        PID: 2472
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 832 -ip 832
  PID: 4740
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 705KB
MD5: 4fc5c95256ae32d07e590b084a1bef6e
SHA1: c5c8d6e5383aafdc971fc87afc50f2dabf162286
SHA256: ca3b50c90494060c24eabb377fb1cecca0c1defad091a1fd3af0b74446b756cb
SHA512: 4c10df02d32034aa2f02baa94b14b46a554392d787acc7215bcd28d58b78b18a86f92a2da4c7dab50792dd211978c98fa885f99e128fe815fede35dd2e2ecec7

Filesize: 552KB
MD5: f1def6f3602648609e3063614080a326
SHA1: fc969dd2e5c8504968b1480467263c7eadd515b3
SHA256: c50af19f6ba8c7f05e6b0dd5651751a68c28362a6f578f6c78ca19a2b4454048
SHA512: 75412ff4cd96fd8bc4a071dd167ed43cf6346a389c96ffec3ade14cf72ab124868161996145e5cef4e60889c97d87b36af77cd7177c2e8d4b748aaf814eb3e72

Filesize: 299KB
MD5: 7da9683d7044dde27c772996e4231a59
SHA1: 52af43350a3ca6c1cc44f737e85e03fdcb00193d
SHA256: e1a9644f21c150381ad22596daa0e8ec9fd4ef8596481cab07e32e42500fb074
SHA512: 29c94af2c7f478969165d5b78520ecbd6291a4ace38698118a6a758aeaa88a2618d1ad06bfb2708dd424bf242b19361a7464be45cc67afbae712317b1216d4cd

Filesize: 381KB
MD5: 5b034a59bf771837c376e7ce376bfcfd
SHA1: 8671fbb3cd75e59c99df8b6a946f39d60e1b6c80
SHA256: 9f6d937154b9c1ba2520dcf2637662466b813f81aa358976eb3997d407253ed6
SHA512: e984a52e9f86fbcd7494d055df7395eb16dd96572ea6411a0058d7a4bc4e8b01f78aa7c059583004369a1cd72623b68b1d57656b35448a7cc585e6d08f0f8d78