Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:24
Static task: static1
Behavioral task: behavioral1
Sample: bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe
Resource: win10v2004-20241007-en
General
- Target: bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe
- Size: 660KB
- MD5: 63891f1f3b652c2bc96640892205dc77
- SHA1: 2933eb0b681123b22588b53deaa8ca3a2acc0d36
- SHA256: bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5
- SHA512: 4c5df3f8969676b3d260bb844338480fca09f6437d6d45154b057c0ebedecd2b68948b287a5454b2616223b53c33dc4434fe3bf9cc4613a9fd2017fed91453af
- SSDEEP: 12288:kMrvy90Uyd3znZCm89r3q+WLtZ+LQ3SPHVqczp2IVbkAzhx3cM4kGGf:7yydLZCm89rjw+LQ3SP1hbkQlcsf
Malware Config
Extracted (redline, norm)
- 77.91.124.145:4125
- auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted (redline, dozt)
- 77.91.124.145:4125
- auth_value: 857bdfe4fa14711025859d89f18b32cb
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x0008000000023c98-12.dat: healer
- behavioral1/memory/3868-15-0x0000000000440000-0x000000000044A000-memory.dmp: healer
Healer family
Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr815623.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr815623.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr815623.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr815623.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr815623.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr815623.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
resource / yara_rule:
- behavioral1/memory/2236-2105-0x0000000002670000-0x00000000026A2000-memory.dmp: family_redline
- behavioral1/files/0x0008000000023c9b-2110.dat: family_redline
- behavioral1/memory/1028-2118-0x0000000000130000-0x0000000000160000-memory.dmp: family_redline
- behavioral1/files/0x0007000000023c96-2127.dat: family_redline
- behavioral1/memory/5472-2129-0x0000000000570000-0x00000000005A0000-memory.dmp: family_redline
Redline family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (ku736178.exe)
Executes dropped EXE (5 IoCs)
pid / Process:
- 4904 ziqq5666.exe
- 3868 jr815623.exe
- 2236 ku736178.exe
- 1028 1.exe
- 5472 lr416198.exe
Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr815623.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ziqq5666.exe)
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid / Process:
- 1860 sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid / pid_target / Process / procid_target:
- 3976 / 2236 / WerFault.exe / 96
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lr416198.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ziqq5666.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku736178.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 3868 jr815623.exe
- 3868 jr815623.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege; 3868 jr815623.exe
- Token: SeDebugPrivilege; 2236 ku736178.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target:
- PID 836 wrote to memory of 4904; 836 bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe; 84
- PID 836 wrote to memory of 4904; 836 bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe; 84
- PID 836 wrote to memory of 4904; 836 bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe; 84
- PID 4904 wrote to memory of 3868; 4904 ziqq5666.exe; 85
- PID 4904 wrote to memory of 3868; 4904 ziqq5666.exe; 85
- PID 4904 wrote to memory of 2236; 4904 ziqq5666.exe; 96
- PID 4904 wrote to memory of 2236; 4904 ziqq5666.exe; 96
- PID 4904 wrote to memory of 2236; 4904 ziqq5666.exe; 96
- PID 2236 wrote to memory of 1028; 2236 ku736178.exe; 97
- PID 2236 wrote to memory of 1028; 2236 ku736178.exe; 97
- PID 2236 wrote to memory of 1028; 2236 ku736178.exe; 97
- PID 836 wrote to memory of 5472; 836 bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe; 102
- PID 836 wrote to memory of 5472; 836 bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe; 102
- PID 836 wrote to memory of 5472; 836 bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe; 102
Processes
- C:\Users\Admin\AppData\Local\Temp\bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe (PID 836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcb52e9155b60dfe7cee35fa38c24f0ada6bff026b031d8276f9bac3729791a5.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqq5666.exe (PID 4904)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqq5666.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr815623.exe (PID 3868)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr815623.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku736178.exe (PID 2236)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku736178.exe
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe (PID 1028)
        Command line: "C:\Windows\Temp\1.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 3976)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1492
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416198.exe (PID 5472)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr416198.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 1872)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2236 -ip 2236
- C:\Windows\system32\sc.exe (PID 1860)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  Signatures: Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads