Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:14

Static task: static1
Behavioral task: behavioral1
Sample: 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe
Resource: win10v2004-20241007-en
General
Target: 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe
Size: 650KB
MD5: b53442b3f6b21aad6ae4e80a25ffbee1
SHA1: 5ab632a8dfb6bd9c08a21bce0722b2f8d6ecac2d
SHA256: 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226
SHA512: e9d8f6d9eb0666456b9b6d4854fdc4afe2b2e1e84d32aaf81e0d52f793ba595d4f30a7764f0a6edbd98a55bde4444d8712782e191591265a2790d94687df641e
SSDEEP: 12288:RMrly90NXA3DVJ6zXNczgvJ+b+7Kg7B4m2Zwl7v8zgp02Cf:kyjz6zNccvJ+b+RimCKUp
Malware Config

Extracted: redline
  botnet ID: norm
  C2: 77.91.124.145:4125
  auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted: redline
  botnet ID: diza
  C2: 77.91.124.145:4125
  auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80

Both extracted configurations use the same C2 endpoint (77.91.124.145:4125) and differ only in botnet ID and auth_value, consistent with two RedLine builds dropped by one loader.
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cbf-12.dat | healer
behavioral1/memory/3712-15-0x0000000000600000-0x000000000060A000-memory.dmp | healer
(PID 3712 is jr370571.exe; see Processes.)

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr370571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr370571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr370571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr370571.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr370571.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr370571.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/3396-2105-0x0000000005540000-0x0000000005572000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cc5-2110.dat | family_redline
behavioral1/memory/1124-2118-0x0000000000950000-0x0000000000980000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cbc-2128.dat | family_redline
behavioral1/memory/5984-2129-0x0000000000730000-0x000000000075E000-memory.dmp | family_redline
(The in-memory hits are in PIDs 3396 = ku462821.exe, 1124 = 1.exe and 5984 = lr481741.exe; see Processes.)

Redline family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | ku462821.exe

Executes dropped EXE (5 IoCs)
pid | Process
4908 | zial9582.exe
3712 | jr370571.exe
3396 | ku462821.exe
1124 | 1.exe
5984 | lr481741.exe
Windows security modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr370571.exe
Writing this value does not switch Tamper Protection off on a host where it is enabled (it can only be changed through the Windows Security app or management tooling), so the write records intent rather than a confirmed effect.
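The Real-Time Protection policy writes and the TamperProtection write above are the two Defender-weakening patterns a detection should key on. The following is an added example, not part of the sandbox report: it parses registry-write rows in the report's own "Set value" wording (the sample rows are constructed to mirror the IoCs above, plus two benign rows to show what is not flagged) and attributes each finding to the writing process. The rule wording and the ATT&CK tag (Impair Defenses: Disable or Modify Tools, T1562.001) are this example's choices.

```python
"""Flag Windows Defender tampering in sandbox registry-write events.

Added example for this report; it is not part of the sandbox output.
SAMPLE_EVENTS is constructed in the report's own "Set value" wording.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed rows: type, full value path, data, writing process. The last
# two rows are benign controls (a RunOnce cleanup entry, and a Disable*
# value being set back to 0) and must not produce findings.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr370571.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr370571.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr370571.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr370571.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr370571.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr370571.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" constructed_gpo_tool.exe
"""

# "Set value (<type>) <path> = "<data>" <process>"; the path may contain spaces.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" (\S+)$')

RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"


@dataclass(frozen=True)
class RegWrite:
    kind: str      # value type as printed by the sandbox (int / str)
    key: str       # parent key path
    name: str      # value name
    data: str      # data as printed (always a string in this row format)
    process: str   # image name of the writing process


def parse_events(text: str) -> list[RegWrite]:
    """Parse "Set value" rows; rows in another format are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        kind, path, data, process = m.groups()
        key, _, name = path.rpartition("\\")
        events.append(RegWrite(kind, key, name, data, process))
    return events


def defender_tamper_findings(events: list[RegWrite]) -> dict[str, list[str]]:
    """Map each writing process to the Defender-weakening writes it made.

    Only writes that weaken protection count: a Disable* policy value set
    to 1, or TamperProtection set to 0. Re-enabling (Disable*=0) and
    unrelated keys produce nothing, which keeps GPO churn out of the alert.
    """
    findings = defaultdict(list)
    for e in events:
        key = e.key.lower()
        if key == RTP_POLICY_KEY.lower() and e.name.lower().startswith("disable") and e.data == "1":
            findings[e.process].append(f"T1562.001 Defender policy {e.name}=1")
        elif key == FEATURES_KEY.lower() and e.name.lower() == "tamperprotection" and e.data == "0":
            findings[e.process].append("T1562.001 Defender TamperProtection=0")
    return dict(findings)


def report(text: str) -> str:
    """One summary line per offending process, followed by its findings."""
    lines = []
    for proc, hits in sorted(defender_tamper_findings(parse_events(text)).items()):
        lines.append(f"{proc}: {len(hits)} Defender-tampering writes")
        lines.extend(f"  {h}" for h in hits)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

On a live endpoint feed the same Policies hive is written legitimately during Group Policy processing, so attributing the write to its process is what separates a dropped executable in a Temp directory from policy refresh; the example keys on the process name only because that is all the sandbox row carries.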
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zial9582.exe
Both entries are the standard cleanup that an IExpress (wextract) self-extracting package registers so that its IXP00n.TMP staging directory is deleted on the next logon. They do not launch the payload; the signature fires on the RunOnce write itself, so this reflects the packaging rather than a persistence mechanism of the stealer.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1440 | 3396 | WerFault.exe | 100
(The crashing process, PID 3396, is ku462821.exe.)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lr481741.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zial9582.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku462821.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3712 | jr370571.exe
3712 | jr370571.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3712 | jr370571.exe
Token: SeDebugPrivilege | 3396 | ku462821.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3552 wrote to memory of 4908 | 3552 | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe | 86
PID 3552 wrote to memory of 4908 | 3552 | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe | 86
PID 3552 wrote to memory of 4908 | 3552 | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe | 86
PID 4908 wrote to memory of 3712 | 4908 | zial9582.exe | 87
PID 4908 wrote to memory of 3712 | 4908 | zial9582.exe | 87
PID 4908 wrote to memory of 3396 | 4908 | zial9582.exe | 100
PID 4908 wrote to memory of 3396 | 4908 | zial9582.exe | 100
PID 4908 wrote to memory of 3396 | 4908 | zial9582.exe | 100
PID 3396 wrote to memory of 1124 | 3396 | ku462821.exe | 105
PID 3396 wrote to memory of 1124 | 3396 | ku462821.exe | 105
PID 3396 wrote to memory of 1124 | 3396 | ku462821.exe | 105
PID 3552 wrote to memory of 5984 | 3552 | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe | 112
PID 3552 wrote to memory of 5984 | 3552 | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe | 112
PID 3552 wrote to memory of 5984 | 3552 | 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe | 112
Processes

[1] C:\Users\Admin\AppData\Local\Temp\941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe"
    PID: 3552
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zial9582.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zial9582.exe
        PID: 4908
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr370571.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr370571.exe
            PID: 3712
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku462821.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku462821.exe
            PID: 3396
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Temp\1.exe
                command line: "C:\Windows\Temp\1.exe"
                PID: 1124
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1384
                PID: 1440
                - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr481741.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr481741.exe
        PID: 5984
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3396 -ip 3396
    PID: 2848
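The WriteProcessMemory table and the process list above describe the same launch chain from two angles: the table records each parent writing into a child it has just created, which is what CreateProcess itself does, so those rows establish who launched whom rather than prove injection into an unrelated process. The following is an added example, not part of the sandbox report: it rebuilds the tree from rows in the report's own format (the two sample tables are constructed from the "Suspicious use of WriteProcessMemory" and "Executes dropped EXE" IoCs above) and keeps the per-edge row count so repeated writes to the same child collapse into one edge instead of being over-counted.

```python
"""Rebuild the launch chain from a sandbox's WriteProcessMemory rows.

Added example for this report; not part of the sandbox output. Sample
tables are constructed in the report's own row formats.
"""
import re
from collections import Counter

# "PID <pid> wrote to memory of <target> <pid> <process> <procid_target>"
WPM_ROWS = """
PID 3552 wrote to memory of 4908 3552 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe 86
PID 3552 wrote to memory of 4908 3552 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe 86
PID 3552 wrote to memory of 4908 3552 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe 86
PID 4908 wrote to memory of 3712 4908 zial9582.exe 87
PID 4908 wrote to memory of 3712 4908 zial9582.exe 87
PID 4908 wrote to memory of 3396 4908 zial9582.exe 100
PID 4908 wrote to memory of 3396 4908 zial9582.exe 100
PID 4908 wrote to memory of 3396 4908 zial9582.exe 100
PID 3396 wrote to memory of 1124 3396 ku462821.exe 105
PID 3396 wrote to memory of 1124 3396 ku462821.exe 105
PID 3396 wrote to memory of 1124 3396 ku462821.exe 105
PID 3552 wrote to memory of 5984 3552 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe 112
PID 3552 wrote to memory of 5984 3552 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe 112
PID 3552 wrote to memory of 5984 3552 941230ca1fb838e3551244e36e23b0d69eedcf6641bcad167f54a3a5a4152226.exe 112
"""

# "<pid> <process>" from the "Executes dropped EXE" table; names the children.
EXEC_ROWS = """
4908 zial9582.exe
3712 jr370571.exe
3396 ku462821.exe
1124 1.exe
5984 lr481741.exe
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_edges(wpm_text):
    """Return (Counter of (parent, child) -> row count, pid -> parent image name)."""
    writes = Counter()
    names = {}
    for line in wpm_text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, image = int(m[1]), int(m[2]), m[3]
        writes[(parent, child)] += 1      # repeated rows become one edge with a count
        names.setdefault(parent, image)
    return writes, names


def parse_names(exec_text):
    names = {}
    for line in exec_text.strip().splitlines():
        pid, _, image = line.strip().partition(" ")
        if pid.isdigit() and image:
            names[int(pid)] = image
    return names


def build_tree(wpm_text, exec_text):
    writes, names = parse_edges(wpm_text)
    names.update(parse_names(exec_text))
    children, parent_of = {}, {}
    for parent, child in writes:          # Counter keeps first-seen order
        children.setdefault(parent, []).append(child)
        parent_of.setdefault(child, parent)  # first writer is taken as the parent
    return {"children": children, "parent_of": parent_of, "names": names, "writes": writes}


def chain(tree, pid):
    """Root-to-pid launch chain, e.g. [3552, 4908, 3396, 1124]."""
    path, seen = [pid], {pid}
    while path[0] in tree["parent_of"]:
        p = tree["parent_of"][path[0]]
        if p in seen:                     # a cycle would mean inconsistent rows; stop
            break
        seen.add(p)
        path.insert(0, p)
    return path


def roots(tree):
    """Processes that wrote to others but were never written to."""
    return [p for p in tree["children"] if p not in tree["parent_of"]]


def render(tree):
    """Indented tree; each child shows how many WPM rows its parent produced."""
    out = []

    def walk(pid, depth, n_from_parent=None):
        tail = f"  [{n_from_parent} WPM rows from parent]" if n_from_parent else ""
        out.append(f"{'  ' * depth}{pid} {tree['names'].get(pid, '?')}{tail}")
        for c in tree["children"].get(pid, []):
            walk(c, depth + 1, tree["writes"][(pid, c)])

    for r in roots(tree):
        walk(r, 0)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_tree(WPM_ROWS, EXEC_ROWS)))
```

The rebuilt tree has one root (PID 3552, the submitted sample) and reproduces the depth-4 chain to 1.exe shown in the process list; processes that only appear in the list, such as the WerFault.exe instances, are absent here because nothing wrote into them.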
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 168KB
MD5: e81df970c4ed4d0c507cc3e2f5b87e54
SHA1: a94306846f8ae7157d6334ca0b060ecd959908f6
SHA256: 57ad75eb5251e6fd34090970e9b21ceef7123d5a1098afa4c1d7f0fd6e0f63be
SHA512: 3b79ea291737053be6fdc8a20eb89c26bfbb1bdfdd610e5b8d35207ab260e3ac550bd0deaed412a142a39f393e843d67721f6b0fac704272bf3325ead27dd0e9

Filesize: 496KB
MD5: e39fe1de609292ca281ad1626a280383
SHA1: cebfc0de3e4012cedace67d01899932bdafc8831
SHA256: d20d5be99254759abcd7b7dda86cf1aee47e8976f2eae19b73ddda3a8e34f61c
SHA512: e555a38b236235c6022475159f08dba893b6dc645b8fde95d6ee253954e16ca1ac41b589f4119b351c27032247f0945cdb2f972e282bb37f77993f43af5d8e83

Filesize: 11KB
MD5: f98c592dc383dea1e57fb014e254ab32
SHA1: 0ee773115c77af3099adc2e2cb1378feaa4768bc
SHA256: af3086e869cbfa48f88e61aac4f302bd9e25ec28ec647daa8264e09b5ee509a5
SHA512: 86a06292592f1778887e152d6430e918f1215d1d77613a2c6642fb2e3e5cb98c81d923f836e25653596150a89936d8cef6bb6dd8e69aaad61d83a33079446548

Filesize: 414KB
MD5: 5d7aacb49acb8865b7758d184295fcb1
SHA1: febd6db31e80f04c876135846fac54a039b5336f
SHA256: 3bf7c3cc3d839d60075bbdb826d8cf8b05c220280cf99b049c1a590fb456b610
SHA512: 44f32c2ad52a82bc76788a764cc0ba02bfcaac4995ac752a5a0bcbee37e6e858a7129f753c04064e6eecc21ad1a638800480f350e4bf3fa844088035419435f4

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0