Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 23:44
Static task
static1
Behavioral task
behavioral1
Sample
3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe
Resource
win10v2004-20241007-en
General
-
Target
3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe
-
Size
787KB
-
MD5
03bdd27d427bc0fb6807e178ac2b61b0
-
SHA1
667e0925a84702c5d75fee03e325cbdb9d5ccb46
-
SHA256
3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77
-
SHA512
615b0920b40a0b8ce063414dfc20697955c55b23352baaa69408e502898f3f1969a53e02392c28b93c93314a9bf1ff290b94f24ab46c26274d0fea12e4b399c9
-
SSDEEP
12288:GMroy90nbjhHnvZlFRwkQqdSRuUwfI/dlDXcU7L7K1m4Zsll88mlKVU2:CygvZhQqdSRuUWI/dlDXcKomkQnwKVl
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/860-19-0x00000000026D0000-0x00000000026EA000-memory.dmp healer behavioral1/memory/860-21-0x0000000002740000-0x0000000002758000-memory.dmp healer behavioral1/memory/860-49-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-47-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-45-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-43-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-41-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-39-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-37-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-35-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-33-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-31-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-29-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-27-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-25-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-23-0x0000000002740000-0x0000000002752000-memory.dmp healer behavioral1/memory/860-22-0x0000000002740000-0x0000000002752000-memory.dmp healer -
Healer family
-
Processes:
pro3359.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3359.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3359.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3359.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/624-2143-0x0000000005400000-0x0000000005432000-memory.dmp family_redline C:\Windows\Temp\1.exe family_redline behavioral1/memory/5628-2156-0x00000000006A0000-0x00000000006D0000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si265737.exe family_redline behavioral1/memory/2804-2167-0x0000000000070000-0x000000000009E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
qu8478.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation qu8478.exe -
Executes dropped EXE 5 IoCs
Processes:
un778091.exepro3359.exequ8478.exe1.exesi265737.exepid process 1308 un778091.exe 860 pro3359.exe 624 qu8478.exe 5628 1.exe 2804 si265737.exe -
Processes:
pro3359.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3359.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3359.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exeun778091.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un778091.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3180 860 WerFault.exe pro3359.exe 6072 624 WerFault.exe qu8478.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exeun778091.exepro3359.exequ8478.exe1.exesi265737.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un778091.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro3359.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu8478.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language si265737.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pro3359.exepid process 860 pro3359.exe 860 pro3359.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pro3359.exequ8478.exedescription pid process Token: SeDebugPrivilege 860 pro3359.exe Token: SeDebugPrivilege 624 qu8478.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exeun778091.exequ8478.exedescription pid process target process PID 3828 wrote to memory of 1308 3828 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe un778091.exe PID 3828 wrote to memory of 1308 3828 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe un778091.exe PID 3828 wrote to memory of 1308 3828 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe un778091.exe PID 1308 wrote to memory of 860 1308 un778091.exe pro3359.exe PID 1308 wrote to memory of 860 1308 un778091.exe pro3359.exe PID 1308 wrote to memory of 860 1308 un778091.exe pro3359.exe PID 1308 wrote to memory of 624 1308 un778091.exe qu8478.exe PID 1308 wrote to memory of 624 1308 un778091.exe qu8478.exe PID 1308 wrote to memory of 624 1308 un778091.exe qu8478.exe PID 624 wrote to memory of 5628 624 qu8478.exe 1.exe PID 624 wrote to memory of 5628 624 qu8478.exe 1.exe PID 624 wrote to memory of 5628 624 qu8478.exe 1.exe PID 3828 wrote to memory of 2804 3828 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe si265737.exe PID 3828 wrote to memory of 2804 3828 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe si265737.exe PID 3828 wrote to memory of 2804 3828 3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe si265737.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe"C:\Users\Admin\AppData\Local\Temp\3e06b9a6ddb24ed3e6a7afdbb02e5d2c2fda6d82e1888416f83cddbbc1d82c77.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un778091.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un778091.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3359.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3359.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 10644⤵
- Program crash
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8478.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8478.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5628 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 11964⤵
- Program crash
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si265737.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si265737.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 860 -ip 8601⤵PID:4504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 624 -ip 6241⤵PID:6116
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD55e26f2b058b31f255dc7a48357af8bdd
SHA1515814d7b072a3d9983200c294daff6722686455
SHA2562dfeb598b19f1971ab7c335ae85325152ad6bd0ddde5ef2f9f98a5f99d89b2ed
SHA51241c219be38befa2d29550e193df7c81d1f85f5d7d5ed94bedd0a897c610c249062176971b08353dd6d2b48cfde8a20fc58eb3ffdf0d58618dc4a79b49b1fd50b
-
Filesize
633KB
MD5233bfb926a7ba01e213eb5fa69397c4f
SHA1666577476c30c0d4984fd0de757326b0bd45f21a
SHA25694ae56314a346ee6d7566c19f6941cdc39f8c0afd0afe9a7a153691f42820624
SHA51212168c962996895da6db569b18117769c16b9d78ee4fbf9511a55d61b4df145e21fdd6f92777b039452612f08dd8e07931368fe867a48ffba768846bd545c14c
-
Filesize
231KB
MD5f1d3439d7b479c4c6ad0f67a769e9e75
SHA1a0b4703d6e8f27367a52c877b003c902e54519b9
SHA2562e13f33a870c84e3d26c6a449032cf6b21e9d3f75c603d94259ef50efecea87d
SHA5126747900f9fc287e104d049c760c93b8df305636ade96df449c474ead53202f3e5852ed9d0a60d3304d120b1bec4cd837f688bda94b92be4bace6a6ce992d49b1
-
Filesize
414KB
MD5f0d422a6fcc9018cecc268db6f132fe8
SHA13ff266df2c7e5db163bedb5dd3ce0d6ac11cefda
SHA256629d14dc51ac610ad8b6dd8fe56e731c3f7ab93a56ed0a38a519807a077ce778
SHA51275d6a0f26d75ad989d692505dabd796a95e7088c278337faa99a3779422c9ba04505856c6ec5c1afb805efae31424615a41f6de310fa11bb1ef99eb585c13627
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0