Analysis

max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 02:48

Static task: static1
Behavioral task: behavioral1
Sample: d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe
Resource: win10v2004-20241007-en
General

Target: d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe
Size: 529KB
MD5: 91ec72be4b0e09fbc309b414ca66403f
SHA1: 3e516c6ab4d797bc79f1f2f4fb4939bda285bef5
SHA256: d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac
SHA512: 3fe1b587e6108b53df05b8ff30fe0ac32837f864a2c66f59eee30d0c41f6a2c761f0951c91da43cbd80e58074acfce87c38f65abd671c4870da07ca6f0637b36
SSDEEP: 12288:TMroy908GvLgzEKYoAXSyCB5QsePu0Fo+3WikePfM:byZGvMz1YreB3svFwUM
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

resource | yara_rule
behavioral1/files/0x0008000000023c99-12.dat | healer
behavioral1/memory/1732-15-0x0000000000490000-0x000000000049A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr408396.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr408396.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr408396.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr408396.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr408396.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr408396.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)

resource | yara_rule
behavioral1/memory/4152-22-0x00000000027D0000-0x0000000002816000-memory.dmp | family_redline
behavioral1/memory/4152-24-0x0000000005400000-0x0000000005444000-memory.dmp | family_redline
behavioral1/memory/4152-30-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-28-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-26-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-25-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-44-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-88-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-86-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-85-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-82-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-81-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-78-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-76-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-74-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-72-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-70-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-68-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-66-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-62-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-60-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-58-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-56-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-54-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-52-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-50-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-48-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-42-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-40-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-38-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-36-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-34-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-32-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-64-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4152-46-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)

pid | Process
3340 | ziDf8499.exe
1732 | jr408396.exe
4152 | ku166512.exe
Windows security modification (1 IoC)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr408396.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziDf8499.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziDf8499.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku166512.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
1732 | jr408396.exe
1732 | jr408396.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 1732 | jr408396.exe
Token: SeDebugPrivilege | 4152 | ku166512.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 3104 wrote to memory of 3340 | 3104 | d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe | 85
PID 3104 wrote to memory of 3340 | 3104 | d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe | 85
PID 3104 wrote to memory of 3340 | 3104 | d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe | 85
PID 3340 wrote to memory of 1732 | 3340 | ziDf8499.exe | 86
PID 3340 wrote to memory of 1732 | 3340 | ziDf8499.exe | 86
PID 3340 wrote to memory of 4152 | 3340 | ziDf8499.exe | 93
PID 3340 wrote to memory of 4152 | 3340 | ziDf8499.exe | 93
PID 3340 wrote to memory of 4152 | 3340 | ziDf8499.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d11e19ec46c5a06a1d76e0d12dfe2e038529da58a63f03146a70e050383d7cac.exe"
  PID: 3104
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDf8499.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDf8499.exe
    PID: 3340
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr408396.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr408396.exe
      PID: 1732
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku166512.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku166512.exe
      PID: 4152
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 388KB
MD5: aaf181a188cb42a374ae5355d40bd611
SHA1: 5a78d9bc2cab0d93f0e57f8efbe8054868da9f09
SHA256: 7dff8a65d7e366db5d5042c3ef9d6f9b043b6325a14b27f0695f92555635c300
SHA512: f2df828838a6f27f66adad44a9efd4e43c6ffc9ad4895a9ded78f1636e714e97ef2e5dd3305654a14c8d6d6807e2aa95c472ef10d1bece2dd8d804c4e2e5db82

Filesize: 12KB
MD5: e07a7b2a08c7e8254b294ae9fd79455d
SHA1: 6dce4445f6132ecec600ae10a307f5ea1a0ba5fc
SHA256: 3d0cf5ed46fe8e21d69191cedfabdc89367361498c238f0e18b4c5e3dd0f3529
SHA512: e0519c99fdd1936a9349097ddcdbc0e79306258c344b5f691f5352afb67a2d6628f861b3f6324d0319675fd776ad7045c500c3ba706d05c407489a0a6cc17f8b

Filesize: 434KB
MD5: 98348191944f0d37ccc98a1e235d55aa
SHA1: 282cccc22e53b150bf55b2c7551c6286d75f338c
SHA256: 46b5d3c64298a773c0d31cd9deb248637ba380099d56f2e93b8e740b096f3938
SHA512: 1bc569b1176211d8c7007b59292b3b89d32c1bee4a3ccb132da0ae965a0f836311317f685a237f2d62de22a1d6aaedfab3493ab26e8c4f3791a65eeb7ee3ab8b