Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19/11/2024, 03:11
Static task
static1
Behavioral task
behavioral1
Sample
53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe
Resource
win10v2004-20241007-en
General
Target: 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe
Size: 681KB
MD5: 40dbb55541543ce16686cc79d7d76b60
SHA1: 679204ec7b0e24e287d77bf6cc30f21ebc00fbd7
SHA256: 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24
SHA512: 43e702c5455c58cacfdbd71a7d17692197f4a002f42366470ed61b45feb3166d017b86e1e4109c132b4d1581a7d526ba12efa1693186ad41281adb4cbaab5b67
SSDEEP: 12288:lMrLy90eqeG1m1uw8z7GyhO2KYyOJI8fTCOMi51duX17kbxy9w/9NsiXF:qyPx8zbhOsJZB1duKbA9wVii1
Malware Config
Extracted
redline
ronur
193.233.20.20:4134
auth_value: f88f86755a528d4b25f6f3628c460965
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2040-19-0x0000000002290000-0x00000000022AA000-memory.dmp | healer
behavioral1/memory/2040-21-0x00000000026F0000-0x0000000002708000-memory.dmp | healer
behavioral1/memory/2040-31-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-49-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-47-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-45-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-43-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-42-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-39-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-37-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-35-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-33-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-29-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-27-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-25-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-23-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
behavioral1/memory/2040-22-0x00000000026F0000-0x0000000002702000-memory.dmp | healer
Healer family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aMJ32As.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | aMJ32As.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aMJ32As.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aMJ32As.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aMJ32As.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aMJ32As.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/932-61-0x0000000002450000-0x0000000002496000-memory.dmp | family_redline
behavioral1/memory/932-62-0x0000000002820000-0x0000000002864000-memory.dmp | family_redline
behavioral1/memory/932-92-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-82-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-96-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-94-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-90-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-88-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-86-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-84-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-80-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-78-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-76-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-74-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-72-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-70-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-68-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-66-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-64-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
behavioral1/memory/932-63-0x0000000002820000-0x000000000285E000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
3680 | nIL29iR.exe
2040 | aMJ32As.exe
932 | boJ53er.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | aMJ32As.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | aMJ32As.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nIL29iR.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2840 | 2040 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aMJ32As.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | boJ53er.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nIL29iR.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2040 | aMJ32As.exe
2040 | aMJ32As.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2040 | aMJ32As.exe
Token: SeDebugPrivilege | 932 | boJ53er.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3956 wrote to memory of 3680 | 3956 | 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe | 83
PID 3956 wrote to memory of 3680 | 3956 | 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe | 83
PID 3956 wrote to memory of 3680 | 3956 | 53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe | 83
PID 3680 wrote to memory of 2040 | 3680 | nIL29iR.exe | 84
PID 3680 wrote to memory of 2040 | 3680 | nIL29iR.exe | 84
PID 3680 wrote to memory of 2040 | 3680 | nIL29iR.exe | 84
PID 3680 wrote to memory of 932 | 3680 | nIL29iR.exe | 100
PID 3680 wrote to memory of 932 | 3680 | nIL29iR.exe | 100
PID 3680 wrote to memory of 932 | 3680 | nIL29iR.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\53f7f7904d9c3a3eb6f0fe630fcfc05c4ad1b4a610591d650e7b6e3042ce7c24N.exe"
  PID: 3956
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIL29iR.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIL29iR.exe
    PID: 3680
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMJ32As.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMJ32As.exe
      PID: 2040
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1080
        PID: 2840
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boJ53er.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boJ53er.exe
      PID: 932
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2040 -ip 2040
  PID: 1092
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 537KB
MD5: 542261fa0279078b1e833bff923d985d
SHA1: cf1a55da55798a8a232a248e52276f52f481b4de
SHA256: 6b3d8b793cd4fcdabf0dc730bc4a336fde9ffc2e12a0c629ff994be171dc9455
SHA512: e12280c553ab8b18e99c01455c36065cc5cc4b0880c4db238b77ab8dcae9dffedd29ca642fb871723cf7d60066963113ce278747dfb6634494f28e583236309d

Filesize: 256KB
MD5: b4b2f9219c0886fdf0df98b3f565e6eb
SHA1: 2f408478d1c6c0e3ef00186edc643cd4f67fec5b
SHA256: 419a4f1cb376a7f26527c5a28458217bb167285d73d48d67fb9ef30c3d32cfb6
SHA512: ae86d48e606bef2d46a75206e7041f4217ff72736cf9144f9861cc3d5d24ac630cc65b75b527690c5adb991a24aac4a88ec078d30826f50521c1957668b68c79

Filesize: 313KB
MD5: 47a425090c56d643cc2911208bdeb5ff
SHA1: 8c1972d7fea07fed4c5aab5ea6da778fecf882f4
SHA256: 182546aa1bafd3b66a1c52f9d02f40f370f56dd143afdaab2ad2301e71c11d05
SHA512: d1d7831d6243ef41c2b8c1cef9630c33eadccb715fe835a5de7ad60e227d4694eae765787c0d802cbb4e54cbf298cab82732136d941b43013c7de3267b8ec595