Analysis
  max time kernel: 107s
  max time network: 115s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01-11-2024 11:19

Static task: static1
Behavioral task: behavioral1
  Sample: 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
  Resource: win10v2004-20241007-en

General
  Target: 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
  Size: 897KB
  MD5: 80845924d2dbe7d8b2166db81d265fe0
  SHA1: 406f257d405d571f85d53585a37435ea56f75afb
  SHA256: 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742e
  SHA512: 1ca234ae7557dfc5691edea1bfb4cc12d6bf6af350a65ce36f7e8405896270f12e49fa253ddcf7de7b0e215b09e4ff743bca2d263ab156739a324745c0e6d9dc
  SSDEEP: 12288:DMrdy90dX6ZWgnR06+07CJO+sdtDTo51Bi/89+lIg2eXm2KlqronPHi6KHl0l5fi:SyiSrreJO+WDToPGN+gZm2ka6bCPl
Malware Config
  Extracted
    Family: redline
    Botnet: jokes
    C2: 77.91.124.82:19071
    auth_value: fb7b36b70ae30fb2b72f789037350cdb
Signatures

Detects Healer, an antivirus disabler dropper (1 IoCs)
  resource | yara_rule
  behavioral1/memory/1112-28-0x0000000000400000-0x000000000040A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a000000023b99-42.dat | family_redline
  behavioral1/memory/5028-44-0x0000000000780000-0x00000000007B0000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | r7095938.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | explonde.exe

Executes dropped EXE (9 IoCs)
  pid | Process
  2820 | z5771142.exe
  2092 | z2397745.exe
  64 | z5453283.exe
  3304 | q3620391.exe
  3992 | r7095938.exe
  396 | explonde.exe
  5028 | s1925188.exe
  3472 | explonde.exe
  3736 | explonde.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z5771142.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z2397745.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z5453283.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3304 set thread context of 1112 | 3304 | q3620391.exe | 90

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1896 | 3304 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTPs, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r7095938.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explonde.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | z5453283.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | q3620391.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | s1925188.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | z5771142.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | z2397745.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3876 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1112 | AppLaunch.exe
  1112 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1112 | AppLaunch.exe
Suspicious use of WriteProcessMemory (56 IoCs)
Identical rows are collapsed; the "entries" column gives how many times each row appears in the original table (56 in total).
  description | pid | Process | procid_target | entries
  PID 4192 wrote to memory of 2820 | 4192 | 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe | 84 | 3
  PID 2820 wrote to memory of 2092 | 2820 | z5771142.exe | 85 | 3
  PID 2092 wrote to memory of 64 | 2092 | z2397745.exe | 86 | 3
  PID 64 wrote to memory of 3304 | 64 | z5453283.exe | 87 | 3
  PID 3304 wrote to memory of 4484 | 3304 | q3620391.exe | 89 | 3
  PID 3304 wrote to memory of 1112 | 3304 | q3620391.exe | 90 | 8
  PID 64 wrote to memory of 3992 | 64 | z5453283.exe | 96 | 3
  PID 3992 wrote to memory of 396 | 3992 | r7095938.exe | 97 | 3
  PID 2092 wrote to memory of 5028 | 2092 | z2397745.exe | 98 | 3
  PID 396 wrote to memory of 3876 | 396 | explonde.exe | 100 | 3
  PID 396 wrote to memory of 3880 | 396 | explonde.exe | 102 | 3
  PID 3880 wrote to memory of 3288 | 3880 | cmd.exe | 104 | 3
  PID 3880 wrote to memory of 2560 | 3880 | cmd.exe | 105 | 3
  PID 3880 wrote to memory of 4288 | 3880 | cmd.exe | 106 | 3
  PID 3880 wrote to memory of 4796 | 3880 | cmd.exe | 107 | 3
  PID 3880 wrote to memory of 3776 | 3880 | cmd.exe | 108 | 3
  PID 3880 wrote to memory of 736 | 3880 | cmd.exe | 109 | 3
Processes
Each entry gives the image path, the command line, the tree depth and PID, and the signatures that fired for that process.

C:\Users\Admin\AppData\Local\Temp\3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe (depth 1, PID 4192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5771142.exe (depth 2, PID 2820)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5771142.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2397745.exe (depth 3, PID 2092)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2397745.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5453283.exe (depth 4, PID 64)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5453283.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3620391.exe (depth 5, PID 3304)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3620391.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 6, PID 4484)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 6, PID 1112)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe (depth 6, PID 1896)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 552
            - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7095938.exe (depth 5, PID 3992)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7095938.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (depth 6, PID 396)
            Command line: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe (depth 7, PID 3876)
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 3880)
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 3288)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 2560)
                Command line: CACLS "explonde.exe" /P "Admin:N"
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 4288)
                Command line: CACLS "explonde.exe" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4796)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 3776)
                Command line: CACLS "..\fefffe8cea" /P "Admin:N"
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 736)
                Command line: CACLS "..\fefffe8cea" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1925188.exe (depth 4, PID 5028)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1925188.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2704)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3304 -ip 3304

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (depth 1, PID 3472)
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (depth 1, PID 3736)
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matching signatures for each technique.

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)