Analysis
max time kernel: 114s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 08:25
Static task: static1
Behavioral task: behavioral1
Sample: 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe
Resource: win10v2004-20241007-en
General
Target: 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe
Size: 763KB
MD5: ad0fe4ff065ce228924eb057bb893030
SHA1: c6b212a00e62f2c5f4cb10c57f6bc5ada150701b
SHA256: 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3
SHA512: 47df0d06f79c2c39ce6d29a2a3ba7c796a805df489e4206414d05ac69d889c2886fcb7c428e2489036aa12f75053daf0abb6011b5e199f5d4869fd0a5c694d96
SSDEEP: 12288:Ky90B+JwEJLJlB9ypuiq6HGkZ9xnIGqxuYAC7MD8Mh58OqijcX:KyFJLJlz6Bqi3GOYAC7w8SO
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr705163.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr705163.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr705163.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr705163.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr705163.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr705163.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
1664 | un064592.exe
2680 | pr705163.exe
3184 | qu405132.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr705163.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr705163.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un064592.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1312 | 2680 | WerFault.exe | 85
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr705163.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu405132.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un064592.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2680 | pr705163.exe
2680 | pr705163.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2680 | pr705163.exe
Token: SeDebugPrivilege | 3184 | qu405132.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2168 wrote to memory of 1664 | 2168 | 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe | 83
PID 2168 wrote to memory of 1664 | 2168 | 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe | 83
PID 2168 wrote to memory of 1664 | 2168 | 4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe | 83
PID 1664 wrote to memory of 2680 | 1664 | un064592.exe | 85
PID 1664 wrote to memory of 2680 | 1664 | un064592.exe | 85
PID 1664 wrote to memory of 2680 | 1664 | un064592.exe | 85
PID 1664 wrote to memory of 3184 | 1664 | un064592.exe | 97
PID 1664 wrote to memory of 3184 | 1664 | un064592.exe | 97
PID 1664 wrote to memory of 3184 | 1664 | un064592.exe | 97
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4cb2599774a521938073e58183815fa52069615631548bb82d00e619b1e7f5d3N.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2168
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un064592.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un064592.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1664
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr705163.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr705163.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2680
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1028
                - Program crash
                PID: 1312
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu405132.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu405132.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 3184
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2680 -ip 2680
    PID: 1812
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
Downloads
-
Filesize: 609KB
MD5: 721f379d5ad2fa1f2eb3407b022e6a1c
SHA1: cc42645030b645659086a31c0d062bcc076f4f40
SHA256: c2f9b4db2d805f6d20c18d8669c8097e0c964c90d2c5ee76ef335adde3339941
SHA512: b037418ef018fec97b31dbcbf9bc04f7f45b0dcd6d84402fef5e6a4465262028df68a9a303abb2450609f125cc779f420b260d86a30f798d308e4000d5bbefd4
-
Filesize: 403KB
MD5: 815b8363770b2c86297769dfaa3252ec
SHA1: 3a358d04f16250e03a584a9143a889d75e9402c4
SHA256: 75faaac076752682d9c4a3738889720dcc357f383622aaa06d381a2337478a1b
SHA512: f74630254e66881298eaa067e49b7dd36999169f1bdd76b58c98f6356f407648938ee5b78a41f95126593d8752f5b4075452406aeb847366ba9d8a4ad2d4801e
-
Filesize: 485KB
MD5: b880b6639d71e8bc98e8324791bf6e12
SHA1: 75a639a73b22ae4b0600db049d218ed1469e77f8
SHA256: 2c57cf73ba6431e7797e5ae78f1010d7cdb8863d7dc072c0921e7bb8d3210056
SHA512: 42d69652de60da3779d83c5ef327ffa63d8ea3b50bc7ca53ab54ee7b66ce03e93dabe4d7fd82de9797e0be51ce61aaea00999b1adeaf1850d015a1ac6c2c53a3