Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 02:05
Static task: static1
Behavioral task: behavioral1
- Sample: d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe
- Resource: win10v2004-20241007-en
General
- Target: d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe
- Size: 1.0MB
- MD5: 78c8ad8987f7e923fb0fdb1234564bc5
- SHA1: bf4db3f5c58cd64cbb5cca4e8d3fc8773c25a467
- SHA256: d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3
- SHA512: 7b27c81b25f2c943208c8ecb0e1013140fa0729d529420e847a3d4472fcc249ff02daa32638ad95125f99298b6b1a96854e6dbb9ca982a2dadcacb499415c9eb
- SSDEEP: 24576:oyrBO8BKOIx+81pDmlClnrykAV+pPk3ywoHrXCf6HhXBpw0on:vNO8BIqlCxVuOLXZh
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 matches are memory dumps of PID 808 (pr529090.exe), mostly the same region captured at successive points in time.
resource | yara_rule
- behavioral1/memory/808-23-0x0000000002560000-0x000000000257A000-memory.dmp | healer
- behavioral1/memory/808-25-0x00000000027A0000-0x00000000027B8000-memory.dmp | healer
- behavioral1/memory/808-39-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-53-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-51-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-50-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-47-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-45-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-43-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-42-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-37-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-35-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-33-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-31-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-29-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-27-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
- behavioral1/memory/808-26-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr529090.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr529090.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr529090.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr529090.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr529090.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr529090.exe
The writes land under WOW6432Node because pr529090.exe is a 32-bit process on an x64 host; the intended target is the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection policy key. With Tamper Protection enabled, Defender is designed to ignore these registry and policy changes, so the write attempt itself is the indicator to alert on.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
All 20 matches are memory dumps of PID 4304 (qu249529.exe).
resource | yara_rule
- behavioral1/memory/4304-62-0x0000000002790000-0x00000000027CC000-memory.dmp | family_redline
- behavioral1/memory/4304-63-0x0000000002AC0000-0x0000000002AFA000-memory.dmp | family_redline
- behavioral1/memory/4304-77-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-97-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-95-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-93-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-91-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-89-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-87-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-85-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-83-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-81-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-79-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-75-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-73-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-71-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-69-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-67-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-65-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
- behavioral1/memory/4304-64-0x0000000002AC0000-0x0000000002AF5000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE (4 IoCs)
pid | process
- 4648 | un402962.exe
- 2292 | un852778.exe
- 808 | pr529090.exe
- 4304 | qu249529.exe
-
Windows security modification (2 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr529090.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr529090.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un402962.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un852778.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe
The wextract_cleanupN RunOnce entries that call advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP folder are written by the IExpress/wextract self-extractor to delete its own extraction directory at the next logon. They show that the sample is a chain of three nested self-extracting packages (IXP000.TMP, IXP001.TMP, IXP002.TMP); they are cleanup rather than persistence for the dropped payloads.
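The registry rows above, in the two Defender signatures and in this Run key signature, are the kind of event a detection rule should match. The following is an added example written for this page, not code from the tria.ge report or from the sample: it takes registry events in the shape the report prints them (the `RegEvent` class, `classify` and `findings` are this example's own names), strips the WOW6432Node redirection so one rule covers 32-bit and 64-bit writers, flags every value that switches Defender protection off, and deliberately does not alert on the wextract_cleanupN RunOnce entries, while still flagging an ordinary Run entry. The events in `REPORT_EVENTS` are copied from this report; the single Run key event is constructed for the example.

```python
"""Matcher for the Defender-tampering and RunOnce registry writes in this report.

Added example, not code from the tria.ge report or from the sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 32-bit processes on x64 Windows have their HKLM\SOFTWARE writes redirected
# under WOW6432Node; strip that component so one rule covers both views.
WOW64_NODE = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)

POLICY_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Lower-cased value path -> data that turns the protection off (registry paths
# are case-insensitive, so the lookup is done on the lower-cased path).
DISABLING_WRITES: Dict[str, str] = {
    (POLICY_RTP + r"\DisableRealtimeMonitoring").lower(): "1",
    (POLICY_RTP + r"\DisableBehaviorMonitoring").lower(): "1",
    (POLICY_RTP + r"\DisableIOAVProtection").lower(): "1",
    (POLICY_RTP + r"\DisableOnAccessProtection").lower(): "1",
    (POLICY_RTP + r"\DisableScanOnRealtimeEnable").lower(): "1",
    (FEATURES + r"\TamperProtection").lower(): "0",
}

# Run / RunOnce value under CurrentVersion; group 2 is the entry name.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
WEXTRACT_CLEANUP_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)


@dataclass(frozen=True)
class RegEvent:
    op: str              # "Set value (int)", "Set value (str)" or "Key created"
    path: str            # key path; for Set value the value name is the last component
    data: Optional[str]  # data as the report prints it, None for Key created
    process: str         # image name of the writing process


def normalize(path: str) -> str:
    """Remove the WOW6432Node redirection component from a registry path."""
    return WOW64_NODE.sub("", path)


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding label for one event, or None when nothing is notable."""
    if not ev.op.startswith("Set value"):
        return None  # a bare Key created is neutral; the values written decide
    path = normalize(ev.path)
    value_name = path.rsplit("\\", 1)[-1]
    expected = DISABLING_WRITES.get(path.lower())
    if expected is not None and ev.data == expected:
        return "defender_disabled:" + value_name
    m = AUTORUN_RE.search(path)
    if m is None:
        return None
    entry = m.group(2)
    # IExpress/wextract cleanup entry: rundll32 advpack.dll,DelNodeRunDLL32 <IXP dir>.
    # It deletes the extraction folder at next logon and is not payload persistence.
    if WEXTRACT_CLEANUP_RE.match(entry) and "DelNodeRunDLL32" in (ev.data or ""):
        return None
    return "autorun:" + m.group(1) + "\\" + entry


def findings(events: List[RegEvent]) -> Dict[str, List[str]]:
    """Group finding labels by writing process, preserving event order."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label is not None:
            out.setdefault(ev.process, []).append(label)
    return out


# Events copied from this report's signature tables.
RTP_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
REPORT_EVENTS: List[RegEvent] = [
    RegEvent("Set value (int)", RTP_WOW + r"\DisableScanOnRealtimeEnable", "1", "pr529090.exe"),
    RegEvent("Key created", RTP_WOW, None, "pr529090.exe"),
    RegEvent("Set value (int)", RTP_WOW + r"\DisableBehaviorMonitoring", "1", "pr529090.exe"),
    RegEvent("Set value (int)", RTP_WOW + r"\DisableIOAVProtection", "1", "pr529090.exe"),
    RegEvent("Set value (int)", RTP_WOW + r"\DisableOnAccessProtection", "1", "pr529090.exe"),
    RegEvent("Set value (int)", RTP_WOW + r"\DisableRealtimeMonitoring", "1", "pr529090.exe"),
    RegEvent("Key created", FEAT_WOW, None, "pr529090.exe"),
    RegEvent("Set value (int)", FEAT_WOW + r"\TamperProtection", "0", "pr529090.exe"),
    RegEvent("Set value (str)", RUNONCE_WOW + r"\wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
             "un402962.exe"),
]

# Constructed event, not from the report: a plain Run entry is flagged.
CONSTRUCTED_RUN_KEY = RegEvent(
    "Set value (str)",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"C:\Users\Admin\AppData\Roaming\updater.exe",
    "example.exe",
)

if __name__ == "__main__":
    for proc, labels in findings(REPORT_EVENTS + [CONSTRUCTED_RUN_KEY]).items():
        print(proc, labels)
```

Run as written, the matcher attributes six Defender findings to pr529090.exe, nothing to un402962.exe for its wextract_cleanup1 entry, and one autorun finding to the constructed example.exe. In production the same logic applies to Sysmon event ID 13 or EDR registry telemetry, where the TargetObject field takes the place of `path`.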
Program crash (1 IoCs)
pid | pid_target | process | procid_target
- 456 | 808 (pr529090.exe) | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr529090.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu249529.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un402962.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un852778.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
- 808 | pr529090.exe
- 808 | pr529090.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
- Token: SeDebugPrivilege | 808 | pr529090.exe
- Token: SeDebugPrivilege | 4304 | qu249529.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | procid_target
- PID 3108 wrote to memory of 4648 | 3108 | d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe | 83
- PID 3108 wrote to memory of 4648 | 3108 | d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe | 83
- PID 3108 wrote to memory of 4648 | 3108 | d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe | 83
- PID 4648 wrote to memory of 2292 | 4648 | un402962.exe | 85
- PID 4648 wrote to memory of 2292 | 4648 | un402962.exe | 85
- PID 4648 wrote to memory of 2292 | 4648 | un402962.exe | 85
- PID 2292 wrote to memory of 808 | 2292 | un852778.exe | 87
- PID 2292 wrote to memory of 808 | 2292 | un852778.exe | 87
- PID 2292 wrote to memory of 808 | 2292 | un852778.exe | 87
- PID 2292 wrote to memory of 4304 | 2292 | un852778.exe | 96
- PID 2292 wrote to memory of 4304 | 2292 | un852778.exe | 96
- PID 2292 wrote to memory of 4304 | 2292 | un852778.exe | 96
Every write here goes from a parent to a child it has just created (the same three rows per child, each child listed under Executes dropped EXE), which is what the sandbox records for an ordinary CreateProcess; no process writes into an unrelated process.
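The twelve WriteProcessMemory rows and the two WerFault command lines in the process list are enough to rebuild the execution chain and to attribute the crash. The following is an added example, not code from the tria.ge report: `spawn_edges`, `process_tree` and `crashed_pids` are this example's own functions, the rows in `WPM_ROWS` are copied from the table above, and the image names for the children come from the Executes dropped EXE table. It collapses the three identical rows per child into one spawn edge, walks the tree from the root, and reads the crashed pid out of the `-p` argument of each WerFault command line.

```python
"""Rebuild the process tree from the report's WriteProcessMemory and WerFault rows.

Added example, not part of the tria.ge report.
"""
import re
from typing import Dict, List, Tuple

# Rows copied from the "Suspicious use of WriteProcessMemory" table, one per line:
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
WPM_ROWS = """
PID 3108 wrote to memory of 4648 3108 d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe 83
PID 3108 wrote to memory of 4648 3108 d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe 83
PID 3108 wrote to memory of 4648 3108 d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe 83
PID 4648 wrote to memory of 2292 4648 un402962.exe 85
PID 4648 wrote to memory of 2292 4648 un402962.exe 85
PID 4648 wrote to memory of 2292 4648 un402962.exe 85
PID 2292 wrote to memory of 808 2292 un852778.exe 87
PID 2292 wrote to memory of 808 2292 un852778.exe 87
PID 2292 wrote to memory of 808 2292 un852778.exe 87
PID 2292 wrote to memory of 4304 2292 un852778.exe 96
PID 2292 wrote to memory of 4304 2292 un852778.exe 96
PID 2292 wrote to memory of 4304 2292 un852778.exe 96
"""

# Child image names from the "Executes dropped EXE" table.
DROPPED: Dict[int, str] = {4648: "un402962.exe", 2292: "un852778.exe",
                           808: "pr529090.exe", 4304: "qu249529.exe"}

# (WerFault pid, command line) from the process list; -p names the crashed pid.
WERFAULT_ROWS: List[Tuple[int, str]] = [
    (456, r"C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1092"),
    (1612, r"C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 808 -ip 808"),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
WER_TARGET_RE = re.compile(r"(?:^|\s)-p (\d+)")


def spawn_edges(rows: str) -> Tuple[Dict[int, str], List[Tuple[int, int]]]:
    """Parse the rows into a pid->image map and de-duplicated (parent, child) edges."""
    names: Dict[int, str] = {}
    edges: List[Tuple[int, int]] = []
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m is None:
            raise ValueError("unexpected row: " + line)
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names[parent] = image
        if (parent, child) not in edges:   # three rows per CreateProcess -> one edge
            edges.append((parent, child))
    return names, edges


def process_tree(rows: str = WPM_ROWS,
                 dropped: Dict[int, str] = DROPPED) -> List[Tuple[int, int, str]]:
    """Return (depth, pid, image) in pre-order: roots first, children in spawn order."""
    names, edges = spawn_edges(rows)
    names.update(dropped)
    children: Dict[int, List[int]] = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    spawned = {child for _, child in edges}
    out: List[Tuple[int, int, str]] = []

    def walk(pid: int, depth: int) -> None:
        out.append((depth, pid, names.get(pid, "?")))
        for c in children.get(pid, []):
            walk(c, depth + 1)

    roots: List[int] = []
    for parent, _ in edges:
        if parent not in spawned and parent not in roots:
            roots.append(parent)
    for r in roots:
        walk(r, 0)
    return out


def crashed_pids(werfault_rows: List[Tuple[int, str]] = WERFAULT_ROWS) -> Dict[int, List[int]]:
    """Map each crashed pid (WerFault's -p argument) to the WerFault pids reporting on it."""
    out: Dict[int, List[int]] = {}
    for wer_pid, cmdline in werfault_rows:
        m = WER_TARGET_RE.search(cmdline)
        if m is not None:
            out.setdefault(int(m.group(1)), []).append(wer_pid)
    return out


if __name__ == "__main__":
    for depth, pid, image in process_tree():
        print("  " * depth + f"{pid} {image}")
    print("crashed:", crashed_pids())
```

The output reproduces the chain shown in the Processes section: 3108 spawns 4648, which spawns 2292, which spawns both 808 (the Healer dropper) and 4304 (the RedLine payload); both WerFault instances report on 808, so the crash belongs to pr529090.exe, not to the stealer.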
Processes
1. C:\Users\Admin\AppData\Local\Temp\d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d165158649333abea45457732b7bf33f815ce8d7f94fc52a948754a2148d13c3.exe"
   PID: 3108
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402962.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402962.exe
      PID: 4648
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un852778.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un852778.exe
         PID: 2292
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr529090.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr529090.exe
            PID: 808
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1092
               PID: 456
               - Program crash
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu249529.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu249529.exe
            PID: 4304
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 808 -ip 808
   PID: 1612
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
- Filesize: 761KB
- MD5: 41b54ef692b3b91422c5ff79a3aebb88
- SHA1: a28fb37e7f18b0dcff9b072744c83e1ae67e6823
- SHA256: 7291ae1d892eb204d470ca275cb4eee861a39cd5d763de988f67ea1b8acf370e
- SHA512: aad03db450ab6d231dfae59949fa1401cc813a700e15078bea2bb0b25a5cafeac298d215a20e09dfd683559c42edace3fc57b7e6804a31078b6f56a8db3539ef
-
- Filesize: 607KB
- MD5: 1fda92fc1c057387a5eea7e8322c0d2a
- SHA1: d6ea0bbf4d53ba97e2363fc3fc38a0636b4c8743
- SHA256: 6adc4bda890cbb7ad30d9326088b5f57d552033861117d038321b738e0c40618
- SHA512: f8b1c23e4224f8450f432effdcc3234f53d94df26133305ffa4d678e91b3a94f9e07b930d34d0554e79d51651b6c68e20d45ce3a773ac7da8be4b3cef6faf8b7
-
- Filesize: 400KB
- MD5: 6b4a147ad515aaf13db13968f581a060
- SHA1: 5b92d93a621c3d643865eb2c3ec2d3908f83b838
- SHA256: 78e6d2e2e6fe813826136f4e18daee201de5b4820772f45c4cb735a0eaf01b7a
- SHA512: 7c4a563a22cc75a7f7be7e9d4e24ff0596e354b72da0b66d1de69e203e786d87becdf648d817b826daac8bbe4279ea0fa15726eb13678283811cc9e41b65647d
-
- Filesize: 482KB
- MD5: bb0695c80227b2e818faee2583f4a161
- SHA1: e697447c1804a49e60cd19a310ffdbfdfbaa3a9a
- SHA256: 1841d04d3154d431ddfb67db796a7ef8118d0b562ca0c7801c951e45b5935b43
- SHA512: 4959e85669eacdcb9cb85535355a06d7308642427ab5686fa8677253b723a05aa588e910912340cc59d8ba5ffbf9f30388b7474122e70fb9ff05497a1cf8dec5