Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 13:35
Static task
static1
Behavioral task
behavioral1
Sample
e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe
Resource
win10v2004-20241007-en
General
-
Target
e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe
-
Size
802KB
-
MD5
ab2a283683a429aca82295e7deba806e
-
SHA1
16557dd7d2fb15f5e2e10753601a806b99fd6dcc
-
SHA256
e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a
-
SHA512
34039fb7493bd9833da5ee23a073e0c43e47ceca5fcd525f2f06f1e1a7971483064f9277bf3d6b872c59f559630f91a77ae29b4556c5c7591593a366f031aaae
-
SSDEEP
24576:fyR2bagt1EmfeXZ8jBv0f262Pu/49MLmG:qR2bdt1yXujBWaSLm
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/380-19-0x00000000022C0000-0x00000000022DA000-memory.dmp healer behavioral1/memory/380-21-0x0000000004B80000-0x0000000004B98000-memory.dmp healer behavioral1/memory/380-49-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-48-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-45-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-43-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-41-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-37-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-36-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-33-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-32-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-29-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-27-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-25-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-23-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-39-0x0000000004B80000-0x0000000004B92000-memory.dmp healer behavioral1/memory/380-22-0x0000000004B80000-0x0000000004B92000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3962.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3962.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3962.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3962.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3962.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3962.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/4072-2142-0x0000000005410000-0x0000000005442000-memory.dmp family_redline behavioral1/files/0x0035000000023b81-2147.dat family_redline behavioral1/memory/4816-2155-0x0000000000190000-0x00000000001C0000-memory.dmp family_redline behavioral1/files/0x000a000000023b7a-2164.dat family_redline behavioral1/memory/5112-2166-0x0000000000E20000-0x0000000000E4E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation qu3401.exe -
Executes dropped EXE 5 IoCs
pid Process 1376 un875415.exe 380 pro3962.exe 4072 qu3401.exe 4816 1.exe 5112 si349928.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3962.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3962.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un875415.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3128 380 WerFault.exe 85 1588 4072 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un875415.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro3962.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu3401.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language si349928.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 380 pro3962.exe 380 pro3962.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 380 pro3962.exe Token: SeDebugPrivilege 4072 qu3401.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1864 wrote to memory of 1376 1864 e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe 84 PID 1864 wrote to memory of 1376 1864 e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe 84 PID 1864 wrote to memory of 1376 1864 e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe 84 PID 1376 wrote to memory of 380 1376 un875415.exe 85 PID 1376 wrote to memory of 380 1376 un875415.exe 85 PID 1376 wrote to memory of 380 1376 un875415.exe 85 PID 1376 wrote to memory of 4072 1376 un875415.exe 97 PID 1376 wrote to memory of 4072 1376 un875415.exe 97 PID 1376 wrote to memory of 4072 1376 un875415.exe 97 PID 4072 wrote to memory of 4816 4072 qu3401.exe 98 PID 4072 wrote to memory of 4816 4072 qu3401.exe 98 PID 4072 wrote to memory of 4816 4072 qu3401.exe 98 PID 1864 wrote to memory of 5112 1864 e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe 101 PID 1864 wrote to memory of 5112 1864 e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe 101 PID 1864 wrote to memory of 5112 1864 e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe"C:\Users\Admin\AppData\Local\Temp\e0b21eefad3f851aa5606f0708635ab77927be1241b903d3805fd5228431ba3a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un875415.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un875415.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3962.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3962.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 10804⤵
- Program crash
PID:3128
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3401.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3401.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4816
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 11804⤵
- Program crash
PID:1588
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si349928.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si349928.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 380 -ip 3801⤵PID:1480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4072 -ip 40721⤵PID:1004
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD50980dc62d57dd075e1f8006ade74233a
SHA1eb8f0efe1c89df2176a2b73448f9ccf31f7b3eea
SHA2561e0be870a12fc19b9f0c81b0bbf7c83332a4eb147c273d81ecfcff355adaa3c2
SHA512b1e82a6973886f472785cfd4b9d0e7703c18b6155213a517eafaa165767b437b3079068b6ced5c5f87abca9f747bf086547827256b9accf53ff8060dad1f3780
-
Filesize
648KB
MD50e1782138a0f0ca750f7e7b14fc78fb7
SHA178aa05c62c88d05f1a9b4af542e3277fcfe444cd
SHA256c030e8ebc12a197bfa0525f603c2a0e72c16c5c9697571e96e844df18fefacc2
SHA5124e9f0d4a102a605343cd4443ec08d92e0e298e21e3204ea21a89ac0e9edf244129bf5a728fa8fc941366467109accac39bc4479491fdc08bdce7cc55bdfee450
-
Filesize
252KB
MD5155a50944f34871453dba6caef349d41
SHA175ee5cd6fc5cf71d586d17746cf2d35e5c838476
SHA25602ccff40f0f109c056afef9876c751ad7db52d775afa09d902f9e6a82be3f16d
SHA5120e9302bd31db41d2b0dc2f2e031fcddc726e148bbb0ffb8794e80affc198c04104c018276553104de43de469918a9a734fbd7d0446163ae803e149f5493cae3c
-
Filesize
435KB
MD5120e9a1d914d5277bfbb475e9ebbebf8
SHA15fd1350a5c3d76f0d241801471402807fc5f8b43
SHA2567187429f6bed15930ee8c29f714693a7291349be8d2aff881c8337fc28b748fa
SHA512e98b24e949e8684b2555672fac46c33cad328b823ba089b0ce091282ee4002b22d028e59b8f850d54876a5f7896f241e9b4bea66433db94cc7aef3de62af1258
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0