Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 02:07

Static task: static1
Behavioral task: behavioral1
Sample: 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe
Resource: win10v2004-20241007-en
General
Target: 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe
Size: 660KB
MD5: d506d58c640e4f8d79f0833d36dcae44
SHA1: e19def7ea43d2cbd46c039bfb1e2eb1394fdbdd1
SHA256: 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4
SHA512: 089772036f9b5102a34df7d06a27667e8d11c25b02cea9b75650bc4c11edd5aa078d6d17beac7cc47a6623a67670aa2da85cd261343f73bb006149b04a4c34f7
SSDEEP: 12288:MMroy90UPGwT/qdoM6o72AhwTe38L51eFyANzRq9g02RufdlFTS:0ymrwu8L51eFyAN9q9gtIFTS
Malware Config
Extracted
Family: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted
Family: redline
Botnet: dozt
C2: 77.91.124.145:4125
auth_value: 857bdfe4fa14711025859d89f18b32cb
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c98-12.dat | healer
behavioral1/memory/3632-15-0x0000000000380000-0x000000000038A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr244156.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr244156.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr244156.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr244156.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr244156.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr244156.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/4048-2104-0x0000000005540000-0x0000000005572000-memory.dmp | family_redline
behavioral1/files/0x000e000000023b52-2109.dat | family_redline
behavioral1/memory/5776-2117-0x0000000000A10000-0x0000000000A40000-memory.dmp | family_redline
behavioral1/files/0x0007000000023c96-2126.dat | family_redline
behavioral1/memory/5424-2128-0x0000000000520000-0x0000000000550000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | ku827444.exe

Executes dropped EXE (5 IoCs)
pid | Process
3288 | zifH5859.exe
3632 | jr244156.exe
4048 | ku827444.exe
5776 | 1.exe
5424 | lr942084.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr244156.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zifH5859.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5528 | 4048 | WerFault.exe | 96
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zifH5859.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku827444.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lr942084.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3632 | jr244156.exe
3632 | jr244156.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3632 | jr244156.exe
Token: SeDebugPrivilege | 4048 | ku827444.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1620 wrote to memory of 3288 | 1620 | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe | 83
PID 1620 wrote to memory of 3288 | 1620 | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe | 83
PID 1620 wrote to memory of 3288 | 1620 | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe | 83
PID 3288 wrote to memory of 3632 | 3288 | zifH5859.exe | 84
PID 3288 wrote to memory of 3632 | 3288 | zifH5859.exe | 84
PID 3288 wrote to memory of 4048 | 3288 | zifH5859.exe | 96
PID 3288 wrote to memory of 4048 | 3288 | zifH5859.exe | 96
PID 3288 wrote to memory of 4048 | 3288 | zifH5859.exe | 96
PID 4048 wrote to memory of 5776 | 4048 | ku827444.exe | 97
PID 4048 wrote to memory of 5776 | 4048 | ku827444.exe | 97
PID 4048 wrote to memory of 5776 | 4048 | ku827444.exe | 97
PID 1620 wrote to memory of 5424 | 1620 | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe | 102
PID 1620 wrote to memory of 5424 | 1620 | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe | 102
PID 1620 wrote to memory of 5424 | 1620 | 7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe | 102
Processes (indented by process tree depth; "Command line" is the command line as recorded by the sandbox)

- C:\Users\Admin\AppData\Local\Temp\7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7069c2cd542013af8f7f658e12b57e16b37f9481814e2964308012e89c33b1e4.exe"
  PID: 1620
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifH5859.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifH5859.exe
    PID: 3288
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr244156.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr244156.exe
      PID: 3632
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku827444.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku827444.exe
      PID: 4048
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Temp\1.exe
        Command line: "C:\Windows\Temp\1.exe"
        PID: 5776
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1500
        PID: 5528
        - Program crash

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr942084.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr942084.exe
    PID: 5424
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4048 -ip 4048
  PID: 5620
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 169KB
MD5: 349d75dde76f61ce62c6dd177ec9fe2f
SHA1: 04eb29b5510987b18cd6daa8e109797ffd1a6b2d
SHA256: 8341cf643fa1c3e678f7954fd520fb6e6ed9946a6ea146713a978fb9a8571588
SHA512: 2ee4de283756bca4d1ef97b438558815459c1dd8ea732db29f7b18d857dd46fb134333788009f0066a651af58e7289245b8a749408f98f05f0dae2234246c667

Filesize: 506KB
MD5: 956ab40ad252d98bc3cef938ad5d8995
SHA1: 65ad119e5dc9432ce6b62230ad5c43a6f2c16082
SHA256: 795c2b7f77c6c0961909dc9b9b0008cbefc78407ca220888db907762e34c2ae8
SHA512: 302555d43ab982cfba91728312cab308a0348822f1af54c59350fdefc46de74e75527758fe9e4722abc794f1fd704ee68f721683c3ed72d111a3d64614913df6

Filesize: 14KB
MD5: 1da60c77d1e9b828f6872143aaf9df81
SHA1: e8978f38fe7860fbb5b59e06c5e2aa4e2bbdf03f
SHA256: f354701456dd17de3ffd3db2ca19480b92aa2ff25a22638a6cc9edd34265de44
SHA512: 218ed812972f4007e628472e3cace165d8ae2503e33bd6025c6f740680103543222571b496d9cfec5a16023ae6c2425a8c47a489e590763862156730bb8e497b

Filesize: 426KB
MD5: 2d7136b1c8e2e8896323604c9e590635
SHA1: 4c662cd6d3cc2e1ec99cd635b19692160409642c
SHA256: 426250878dff648f5b1d4ca25680213977f60a03a56d74b86dc2793ced059163
SHA512: 85968829f9ccee4a3a147e7b4bff89a716da0eaec2f1fa04cf4baf5f274d9c0859056f1a9314d944f7ba49d4b5992ec302d4dd00ac2d2945359c13daf0be02b7

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0