Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 02:02
Static task: static1
Behavioral task: behavioral1
Sample: de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe
Resource: win10v2004-20241007-en
General
Target: de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe
Size: 662KB
MD5: 1d11602bd06c10aed6d7eb60366b0cd9
SHA1: a4bb60bf5dfa83d2deeee99fffc89a8b8374356d
SHA256: de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80
SHA512: 48448f301be5c8c7af16bec68b46ed62c22270dbe5db98bcb732fbd1b13f5769077a178cf64b25f1a799df91d2e7d0501916cd88940ba024d453ef30a706fbef
SSDEEP: 12288:BMr6y90cuTknzzFsIiGsUmgelbCfY69g3BaHK82qfuOG/IMylz:HyLuTKzEGGuYs1HK82qfuOwYV
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1700-19-0x0000000002330000-0x000000000234A000-memory.dmp | healer
behavioral1/memory/1700-21-0x00000000024D0000-0x00000000024E8000-memory.dmp | healer
behavioral1/memory/1700-37-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-49-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-47-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-45-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-43-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-41-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-39-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-35-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-33-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-31-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-29-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-27-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-25-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-23-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
behavioral1/memory/1700-22-0x00000000024D0000-0x00000000024E2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8705.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8705.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8705.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8705.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8705.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8705.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/3492-60-0x00000000025E0000-0x0000000002626000-memory.dmp | family_redline
behavioral1/memory/3492-61-0x0000000004AC0000-0x0000000004B04000-memory.dmp | family_redline
behavioral1/memory/3492-67-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-73-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-71-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-69-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-85-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-65-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-63-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-62-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-95-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-93-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-91-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-89-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-87-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-83-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-81-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-79-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-77-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/3492-75-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2692 | un909474.exe
1700 | pro8705.exe
3492 | qu8110.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8705.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8705.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un909474.exe
Note: both values are the wextract_cleanupN entries that the Windows self-extractor (wextract/IExpress) writes when it unpacks a package into an IXP00n.TMP directory; rundll32 advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon and does not re-launch anything. The signature therefore reflects the two nested SFX layers (the sample and un909474.exe) cleaning up after themselves, not persistence of the RedLine payload.
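The three registry-write signatures above (the Real-Time Protection policy values and the TamperProtection value set by pro8705.exe, and the RunOnce entries set by the two SFX layers) are the records an analyst re-checks in Sysmon or EDR registry telemetry. The Python below is an added example, not Triage's code and not the sample's: it classifies constructed registry events that mirror the report's IoCs into Defender tampering, self-extractor cleanup and genuine autostart persistence, normalising the WOW6432Node path Triage prints so one rule covers 32-bit and 64-bit writers. The two contrast events (a Run value written by a hypothetical updater_stub.exe and a harmless Contoso settings write) are invented for illustration and are not in the report.

```python
"""Classify registry writes from a sandbox report into Defender tampering,
self-extractor cleanup and autostart persistence.

Added example, not Triage's code and not the sample's. SAMPLE_EVENTS is
constructed to mirror the report's IoCs; the last two records are invented
contrast cases.
"""
from typing import Optional

# Defender settings Healer flips in the report: 1 under the Policies hive
# disables the feature, TamperProtection = 0 removes the guard that would
# normally block those edits. Keys are lower-case with WOW6432Node removed.
DEFENDER_DISABLE = {
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": "1",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring": "1",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disableonaccessprotection": "1",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disableioavprotection": "1",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablescanonrealtimeenable": "1",
    r"hklm\software\microsoft\windows defender\features\tamperprotection": "0",
}
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SFX_CLEANUP_MARKER = "advpack.dll,delnoderundll32"


def normalize_key(path: str) -> str:
    """Turn the NT-native path Triage prints into lower-case HKLM/HKU form and
    drop WOW6432Node, so one rule covers 32-bit and 64-bit writers."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\", 1)
    p = p.replace("\\registry\\user\\", "hku\\", 1)
    return p.replace("\\wow6432node\\", "\\", 1)


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one registry event, or None when it is benign."""
    key = normalize_key(event["path"])
    data = str(event.get("data", "")).lower()
    finding = {"process": event["process"], "key": key}
    if DEFENDER_DISABLE.get(key) == data:
        return {**finding, "class": "defender_tamper", "severity": "high"}
    if any(marker in key for marker in AUTOSTART_MARKERS):
        if SFX_CLEANUP_MARKER in data:
            # wextract/IExpress self-extractors register this RunOnce value to
            # delete their IXP00n.TMP folder at next logon; it relaunches nothing.
            return {**finding, "class": "sfx_cleanup", "severity": "info"}
        return {**finding, "class": "autostart_persistence", "severity": "medium"}
    return None


def triage_events(events: list) -> list:
    """All findings for a list of events, benign events dropped."""
    return [f for f in map(classify, events) if f is not None]


def summarize(findings: list) -> dict:
    """Per-process counts by class, the first view an analyst wants."""
    out: dict = {}
    for f in findings:
        per_proc = out.setdefault(f["process"], {})
        per_proc[f["class"]] = per_proc.get(f["class"], 0) + 1
    return out


RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
RUNONCE = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
CLEANUP = 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\{}\\"'
SAMPLE = "de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe"

# Constructed to mirror the report's IoCs (process, key path, data).
SAMPLE_EVENTS = [
    {"process": "pro8705.exe", "path": RTP, "data": ""},  # "Key created", no value
    *({"process": "pro8705.exe", "path": f"{RTP}\\{name}", "data": "1"} for name in (
        "DisableOnAccessProtection", "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
        "DisableBehaviorMonitoring", "DisableIOAVProtection")),
    {"process": "pro8705.exe", "data": "0",
     "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection"},
    {"process": SAMPLE, "path": f"{RUNONCE}\\wextract_cleanup0", "data": CLEANUP.format("IXP000.TMP")},
    {"process": "un909474.exe", "path": f"{RUNONCE}\\wextract_cleanup1", "data": CLEANUP.format("IXP001.TMP")},
    # Invented contrast cases, not in the report: a real autostart entry and a harmless write.
    {"process": "updater_stub.exe", "data": "C:\\Users\\Admin\\AppData\\Roaming\\updater_stub.exe",
     "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"process": "explorer.exe", "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\Settings\\Theme", "data": "dark"},
]

if __name__ == "__main__":
    for proc, counts in summarize(triage_events(SAMPLE_EVENTS)).items():
        print(f"{proc}: {counts}")
```

Run stand-alone it prints one line per process; pro8705.exe comes out with six defender_tamper findings, the two SFX layers with one sfx_cleanup each, and only the invented updater_stub.exe as autostart_persistence. The "Key created" record for the Real-Time Protection key is deliberately ignored: the value writes underneath it are what change Defender's behaviour, and alerting on the bare key would fire on policy tooling too.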
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un909474.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro8705.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu8110.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1700 | pro8705.exe
1700 | pro8705.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1700 | pro8705.exe
Token: SeDebugPrivilege | 3492 | qu8110.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4692 wrote to memory of 2692 | 4692 | de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe | 83
PID 4692 wrote to memory of 2692 | 4692 | de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe | 83
PID 4692 wrote to memory of 2692 | 4692 | de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe | 83
PID 2692 wrote to memory of 1700 | 2692 | un909474.exe | 84
PID 2692 wrote to memory of 1700 | 2692 | un909474.exe | 84
PID 2692 wrote to memory of 1700 | 2692 | un909474.exe | 84
PID 2692 wrote to memory of 3492 | 2692 | un909474.exe | 93
PID 2692 wrote to memory of 3492 | 2692 | un909474.exe | 93
PID 2692 wrote to memory of 3492 | 2692 | un909474.exe | 93
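The nine WriteProcessMemory rows above are how the report exposes process lineage: each parent writes into a freshly created child more than once, so every parent/child pair shows up several times. Rebuilding the tree from those rows plus the "Executes dropped EXE" pid list is a routine step when only the signature text is available. The Python below is an added example, not Triage's code; its input strings are the rows exactly as printed in this report.

```python
"""Rebuild the process tree from Triage's WriteProcessMemory rows.

Added example, not Triage's code. WPM_TEXT and DROPPED_TEXT are the rows as
printed in the report above, pasted in as input.
"""
import re
from collections import defaultdict

WPM_TEXT = """\
PID 4692 wrote to memory of 2692 4692 de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe 83
PID 4692 wrote to memory of 2692 4692 de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe 83
PID 4692 wrote to memory of 2692 4692 de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe 83
PID 2692 wrote to memory of 1700 2692 un909474.exe 84
PID 2692 wrote to memory of 1700 2692 un909474.exe 84
PID 2692 wrote to memory of 1700 2692 un909474.exe 84
PID 2692 wrote to memory of 3492 2692 un909474.exe 93
PID 2692 wrote to memory of 3492 2692 un909474.exe 93
PID 2692 wrote to memory of 3492 2692 un909474.exe 93
"""
DROPPED_TEXT = "2692 un909474.exe 1700 pro8705.exe 3492 qu8110.exe"

# "PID <writer> wrote to memory of <target> <writer> <writer image> <event id>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+)")


def parse_write_events(text: str):
    """Yield (writer_pid, target_pid, writer_image) for each row. A parent
    writes into a new child more than once, so the same pair repeats and the
    caller must deduplicate."""
    for m in WPM_RE.finditer(text):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def parse_dropped(text: str) -> dict:
    """'pid image pid image ...' as printed by the Executes dropped EXE signature."""
    return {int(pid): image for pid, image in re.findall(r"(\d+) (\S+)", text)}


def build_tree(wpm_text: str, dropped_text: str):
    """Return (pid -> image, child pid -> parent pid, sorted root pids)."""
    names = parse_dropped(dropped_text)
    parent: dict = {}
    for writer, target, image in parse_write_events(wpm_text):
        names.setdefault(writer, image)
        parent.setdefault(target, writer)  # repeats for the same pair are ignored
    roots = sorted(pid for pid in names if pid not in parent)
    return names, parent, roots


def render(names: dict, parent: dict, roots: list, dropped: dict) -> list:
    """Indented one-line-per-process view, marking executables the sample dropped."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines: list = []

    def walk(pid: int, depth: int) -> None:
        tag = " [dropped]" if pid in dropped else ""
        lines.append(f"{'  ' * depth}{names[pid]} (PID {pid}){tag}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    names, parent, roots = build_tree(WPM_TEXT, DROPPED_TEXT)
    print("\n".join(render(names, parent, roots, parse_dropped(DROPPED_TEXT))))
```

The rebuilt tree has a single root, the submitted sample (PID 4692), with un909474.exe beneath it and pro8705.exe and qu8110.exe as its two children, which matches the Processes section that follows. Keeping `parent.setdefault` rather than overwriting means a later, unrelated write into an already-placed process (injection after creation) would not re-parent it.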
Processes

1. C:\Users\Admin\AppData\Local\Temp\de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de5bec25119dca426e3cf73b1296f08e9c3b750cc3478da2a60cda26c6eefa80.exe"
   PID: 4692
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un909474.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un909474.exe
      PID: 2692
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8705.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8705.exe
         PID: 1700
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8110.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8110.exe
         PID: 3492
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 520KB
MD5: 314858f8e8e5ab1501b4b4ea456670a7
SHA1: aa4ae393ca010e0245ac4438d3a0f397f72f3e34
SHA256: ef766260117088ee9873ee4ad2619672dec5186e4b8c943be89612789ab61d26
SHA512: 53b134c14db1e47f96779b82f3eab70fd232f89c1096b8a7de3e5d513dc78c2551cc8740f635150f0d532fd6e87bf0881a5d582eaf09eb187586dc156990f36e

Filesize: 236KB
MD5: 96f887cfa848f86767111b37ac21f098
SHA1: d8475bec256559d30f58980c7b081dbd6fa4e4fc
SHA256: 9d8a949b0ca4f7765b87d8cc03b985d7f4a59d0e731825f672c08f501e8cb4c2
SHA512: eb2fb1d6756eafa08ca6a128c08c7ef983cdcb90e4f611ab5491a7a84c6e9665b643fd9c93095a9ccc88a1b71434c8225220d3957112976c386e27a069839d73

Filesize: 295KB
MD5: c7bfd28b0f1da95b1660e63b43afdeb8
SHA1: fce8d11e8bc67211eb11d8e94540682d4d50b288
SHA256: 35829154a38e68388dc3fb21bc4e1a95e00355e0d707b37a3fab759f9b739d3d
SHA512: 099a26c848e1efef5cd9150a5e8eae68278222801bf53fd6ab65e333bae210963328495025a0eb34463f845988e1260b71d36dcb02ebcb42a46d664aad80f344