Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13/11/2024, 11:05
Static task
static1
Behavioral task
behavioral1
Sample
ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe
Resource
win10v2004-20241007-en
General
-
Target
ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe
-
Size
366KB
-
MD5
9ac7161296cb9e7621ed5f88cbb655b0
-
SHA1
faf9ae03d9095b9c1076fe3e65abab40b91927dd
-
SHA256
ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fc
-
SHA512
2de1a16bf07b265c78103f708060bd48d805fa93e63fb53f55458eabac0cdbf20917467af8e02bcc93067a2599361fcb652b5d0046e998317abcacfc1447b97a
-
SSDEEP
6144:KXy+bnr+pp0yN90QES5EtlkjZHluB4M/iCDT8w+eb+aEHCZm8aCkQivN9:dMrFy90hQjGF/L3pZWrxP
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1212-12-0x0000000002590000-0x00000000025AA000-memory.dmp healer behavioral1/memory/1212-14-0x0000000002780000-0x0000000002798000-memory.dmp healer behavioral1/memory/1212-22-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-42-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-41-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-38-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-36-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-34-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-32-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-30-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-28-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-26-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-24-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-20-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-18-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-16-0x0000000002780000-0x0000000002792000-memory.dmp healer behavioral1/memory/1212-15-0x0000000002780000-0x0000000002792000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bOv03uC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bOv03uC.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection bOv03uC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bOv03uC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bOv03uC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bOv03uC.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b5c-52.dat family_redline behavioral1/memory/4324-54-0x0000000000500000-0x0000000000532000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 1212 bOv03uC.exe 4324 dwQ94gF.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" bOv03uC.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features bOv03uC.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1460 1212 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bOv03uC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dwQ94gF.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1212 bOv03uC.exe 1212 bOv03uC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1212 bOv03uC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2788 wrote to memory of 1212 2788 ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe 86 PID 2788 wrote to memory of 1212 2788 ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe 86 PID 2788 wrote to memory of 1212 2788 ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe 86 PID 2788 wrote to memory of 4324 2788 ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe 94 PID 2788 wrote to memory of 4324 2788 ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe 94 PID 2788 wrote to memory of 4324 2788 ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe"C:\Users\Admin\AppData\Local\Temp\ca24f8ae21e90ba16a65b569427587644d832a3b71894d4e9332b1519508a7fcN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bOv03uC.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bOv03uC.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 10883⤵
- Program crash
PID:1460
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dwQ94gF.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dwQ94gF.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4324
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1212 -ip 12121⤵PID:4396
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220KB
MD5fd815ed5f97b5a0c8091f3f8d5125673
SHA18e062e61dc7fb58a3301741aa4c34b259e3e9b25
SHA2567f2e56fcc1d09a924faf8e9fd38f4781aa79d6d895e8d068d093b4201a3f08e7
SHA512e47b639e4692101ea444ee22b99d638c521ae5c5e8f27b16f9c2f335ab3a242bf0deb51f52a9e75ccb40edffa8bbaaa6cf8915ff74e10be79fbd697fe8ee96b7
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2