Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 20:49
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe
  - Resource: win10v2004-20241007-en
General
- Target: 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe
- Size: 892KB
- MD5: 3305c2a0be55691b63dfda9d02b25632
- SHA1: 1b709b5948a5a78c86413ed7c6cba78b70944d33
- SHA256: 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929
- SHA512: 2f29660cc6b938d3b79371b121dc0ad4c5037be71b473203fb02f428fe457c6debade6c3420f8eb54afba29ad9e6ebd6dbe371eb8e1d12ae306f75d3813ad520
- SSDEEP: 24576:+yUarjXrUZFtdNgf02TOODw3OAeIlAXuFUEl:NUGj7UntDgf02S7xlAXiUE
Malware Config
Extracted
- family: redline
- botnet: dark
- C2: 185.161.248.73:4164
- auth_value: ae85b01f66afe8770afeed560513fc2d
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource / yara_rule:
- behavioral1/memory/3516-2149-0x0000000005430000-0x000000000543A000-memory.dmp: healer (PID 3516, 42351937.exe)
- behavioral1/files/0x0008000000023cb3-2155.dat: healer
- behavioral1/memory/3968-2163-0x0000000000AB0000-0x0000000000ABA000-memory.dmp: healer (PID 3968, 1.exe)

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
These are the Group Policy-backed values under HKLM\SOFTWARE\Policies; a DWORD 1 there overrides the toggles shown in the Windows Security app, so each write below switches off one Defender component.
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (1.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/4660-4317-0x0000000002C60000-0x0000000002C92000-memory.dmp: family_redline (PID 4660, kp201760.exe)
- behavioral1/files/0x0007000000023cb6-4321.dat: family_redline
- behavioral1/memory/4524-4324-0x0000000000E50000-0x0000000000E80000-memory.dmp: family_redline (PID 4524, lr934867.exe)

RedLine family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (42351937.exe)

Executes dropped EXE (5 IoCs)
pid / Process:
- 2492: st594663.exe
- 3516: 42351937.exe
- 3968: 1.exe
- 4660: kp201760.exe
- 4524: lr934867.exe

Windows security modification (1 IoC)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (1.exe)
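A detection check for the Defender writes the report attributes to 1.exe (the Real-Time Protection policy values set to 1 and TamperProtection set to 0), added here as an example; it is not part of the sandbox report. It assumes a constructed, simplified key=value rendering of Sysmon Event ID 13 (registry value set) records; real Sysmon output is EVTX/XML and needs a parser in front of this. The sample records are constructed to mirror the report's IoCs, plus benign writes that must not fire.

```python
"""Flag Windows Defender tampering in registry "value set" telemetry.

Added example, not part of the sandbox report.  Input is a list of
constructed, simplified Sysmon Event ID 13 records in key=value form.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Group Policy-backed key.  A DWORD 1 here overrides the user-visible
# toggles in the Windows Security app.
RTP_POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
RTP_DISABLE_VALUES = frozenset(v.lower() for v in (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
))
TAMPER_VALUE = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"

# Sandbox reports use the kernel object path; Sysmon uses hive abbreviations.
# Normalise so an IoC pasted straight from a report matches.
_HIVE_ALIASES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
)
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    target: str
    reason: str


def normalise_path(path):
    low = path.lower()
    for old, new in _HIVE_ALIASES:
        if low.startswith(old.lower()):
            return new + path[len(old):]
    return path


def parse_record(line):
    """key=value or key="quoted value" pairs -> dict (constructed format)."""
    return {k: quoted or bare for k, quoted, bare in _FIELD.findall(line)}


def dword_value(details):
    m = _DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def check_event(rec):
    """Return a Finding for a Defender-disabling write, else None."""
    if rec.get("EventID") != "13":
        return None
    target = normalise_path(rec.get("TargetObject", ""))
    key, _, name = target.rpartition("\\")
    value = dword_value(rec.get("Details"))
    pid, image = int(rec.get("ProcessId", 0)), rec.get("Image", "")
    if key.lower() == RTP_POLICY.lower() and name.lower() in RTP_DISABLE_VALUES and value == 1:
        return Finding(pid, image, target, "Defender real-time protection component disabled via policy")
    if target.lower() == TAMPER_VALUE.lower() and value == 0:
        return Finding(pid, image, target, "Defender Tamper Protection cleared")
    return None


def scan(lines):
    return [f for f in map(check_event, map(parse_record, lines)) if f]


def processes_disabling_defender(findings, min_findings=2):
    """A single policy write can be an admin or GPO; one process making a
    burst of them, as 1.exe does in the report, is the Healer pattern."""
    counts = Counter((f.pid, f.image) for f in findings)
    return {proc for proc, n in counts.items() if n >= min_findings}


# Constructed sample records (not the report's raw telemetry).
_RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
_HEALER = 'EventID=13 ProcessId=3968 Image="C:\\Windows\\Temp\\1.exe" '
SAMPLE_EVENTS = [
    _HEALER + f'TargetObject="{_RTP}\\{name}" Details="DWORD (0x00000001)"'
    for name in ("DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                 "DisableOnAccessProtection", "DisableIOAVProtection",
                 "DisableScanOnRealtimeEnable")
] + [
    _HEALER + 'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" Details="DWORD (0x00000000)"',
    # Key creation is Event ID 12 and carries no Details; ignored here.
    'EventID=12 ProcessId=3968 Image="C:\\Windows\\Temp\\1.exe" TargetObject="' + _RTP + '"',
    # Benign: a policy write that re-enables monitoring, and an unrelated DWORD.
    'EventID=13 ProcessId=1112 Image="C:\\Windows\\System32\\svchost.exe" TargetObject="' + _RTP + '\\DisableRealtimeMonitoring" Details="DWORD (0x00000000)"',
    'EventID=13 ProcessId=1112 Image="C:\\Windows\\System32\\svchost.exe" TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" Details="DWORD (0x00000001)"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.image, f.reason)
    print(processes_disabling_defender(scan(SAMPLE_EVENTS)))
```

The per-process count is the part worth keeping: one policy write has legitimate sources, but six disabling writes from one binary under C:\Windows\Temp within a single run is the signal this report shows.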
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" (st594663.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" (24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe)
Caveat: wextract_cleanupN RunOnce entries are the standard cleanup that a wextract (IExpress) self-extracting executable registers so that its IXP00N.TMP extraction directory is deleted at the next logon via advpack.dll's DelNodeRunDLL32. They remove the dropped files rather than relaunching the malware, so they are evidence of a nested SFX dropper chain, not of persistence. The nesting matches the process tree: the sample extracts st594663.exe and lr934867.exe into IXP000.TMP, and st594663.exe extracts 42351937.exe and kp201760.exe into IXP001.TMP.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid / pid_target / Process / procid_target:
- 1832 / 4660 / WerFault.exe / 91
WerFault.exe (PID 1832) handled the crash of kp201760.exe (PID 4660).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (st594663.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (42351937.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kp201760.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lr934867.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process:
- 3968: 1.exe (three occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 3516 / 42351937.exe
- Token: SeDebugPrivilege / 4660 / kp201760.exe
- Token: SeDebugPrivilege / 3968 / 1.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target (identical records collapsed, with their count):
- PID 1368 wrote to memory of 2492 (24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe -> st594663.exe), procid_target 85, 3 records
- PID 2492 wrote to memory of 3516 (st594663.exe -> 42351937.exe), procid_target 86, 3 records
- PID 3516 wrote to memory of 3968 (42351937.exe -> 1.exe), procid_target 90, 2 records
- PID 2492 wrote to memory of 4660 (st594663.exe -> kp201760.exe), procid_target 91, 3 records
- PID 1368 wrote to memory of 4524 (24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe -> lr934867.exe), procid_target 100, 3 records
Each parent appears two or three times per child because a process writes into its new child while creating it; the records therefore give the spawn chain that the Processes section renders as a tree.
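The process tree in the Processes section can be derived from the WriteProcessMemory records above. The following is an added example, not the sandbox's code, that rebuilds the lineage from the 14 records, copied here one per line in the sandbox's record form, and labels child PIDs with the names from the "Executes dropped EXE" signature (the records name only the writing process). The two WerFault.exe processes (PIDs 1832 and 5824) have no WriteProcessMemory record, so a tree built from these records alone lacks the crash-handler nodes the report shows.

```python
"""Rebuild the process lineage from sandbox WriteProcessMemory records.

Added example, not code from the report or its sandbox.  RECORDS holds the
report's 14 "wrote to memory" entries; the trailing number is the sandbox's
own procid_target index and is ignored.  Repeated parent/child pairs
collapse to one edge.
"""
import re
from collections import defaultdict

RECORDS = """
PID 1368 wrote to memory of 2492 1368 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe 85
PID 1368 wrote to memory of 2492 1368 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe 85
PID 1368 wrote to memory of 2492 1368 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe 85
PID 2492 wrote to memory of 3516 2492 st594663.exe 86
PID 2492 wrote to memory of 3516 2492 st594663.exe 86
PID 2492 wrote to memory of 3516 2492 st594663.exe 86
PID 3516 wrote to memory of 3968 3516 42351937.exe 90
PID 3516 wrote to memory of 3968 3516 42351937.exe 90
PID 2492 wrote to memory of 4660 2492 st594663.exe 91
PID 2492 wrote to memory of 4660 2492 st594663.exe 91
PID 2492 wrote to memory of 4660 2492 st594663.exe 91
PID 1368 wrote to memory of 4524 1368 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe 100
PID 1368 wrote to memory of 4524 1368 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe 100
PID 1368 wrote to memory of 4524 1368 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe 100
"""

# PID -> image, from the report's "Executes dropped EXE" signature.
DROPPED = {2492: "st594663.exe", 3516: "42351937.exe", 3968: "1.exe",
           4660: "kp201760.exe", 4524: "lr934867.exe"}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <index>"
_REC = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_records(text):
    """(parent_pid, child_pid) -> parent image; duplicates collapse."""
    edges = {}
    for line in text.splitlines():
        m = _REC.fullmatch(line.strip())
        if m:
            edges.setdefault((int(m.group(1)), int(m.group(2))), m.group(3))
    return edges


def roots(edges):
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def ancestry(edges, pid):
    """Chain from the root down to pid, e.g. how 1.exe came to run."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def render(edges, names=DROPPED):
    """Indented tree, one line per process, children in record order."""
    labels = dict(names)
    kids = defaultdict(list)
    for (p, c), image in edges.items():
        labels.setdefault(p, image)  # the writer names itself in the record
        kids[p].append(c)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{labels.get(pid, '?')} (PID {pid})")
        for c in kids[pid]:
            walk(c, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_records(RECORDS))))
```

Running it prints the same five-node chain the report draws under PID 1368, with 1.exe (the Healer component) four levels deep; ancestry() gives that path directly, which is the quickest way to answer "what dropped the Defender-disabling binary" from raw telemetry.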
Processes

[1] C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe"
    PID: 1368
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe
      PID: 2492
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe
        PID: 3516
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Temp\1.exe
          command line: "C:\Windows\Temp\1.exe"
          PID: 3968
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe
        PID: 4660
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1268
          PID: 1832
          - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe
      PID: 4524
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4660 -ip 4660
    PID: 5824
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads
- Filesize: 169KB
  MD5: d020e9f55b92d4bf1c29e21547c99753
  SHA1: 19553c26d3db4f29fcb6a446a5095e709a09a30d
  SHA256: 86cad0bf5193925361f58cfffbb0e590c5c3e8e87808e93590c0bbeac140259f
  SHA512: 6dd59762fecd32ce72ded16b8d55be8f816a75facf44187ccdc1f89d7e28c0359d79d713d2b260fae3988ccd1686bea628c065ca0478f43dda1bb7aad772bc5d
- Filesize: 739KB
  MD5: 1d842553e51f80edf832e9abede2e306
  SHA1: d31300633a18eb597c8e82909a1d5f137df33e51
  SHA256: c9197720ab3e75fb70159a47632f24329343902448ba826c9439d0c2f56a34fb
  SHA512: 07a8ccf79800266d2559f0033a2690e47ebc2b9a1e8ba9e509fed100a98483af100f7296dd8772b5ce831a0f950e9ae4324ae9be399dbc1ad19e2f5f86e1239f
- Filesize: 301KB
  MD5: b354addd2cd269d32a23a62cefdefba3
  SHA1: 1ab89956f494c9aa0ac3633469680f0ea4217121
  SHA256: e08cd00a91818d34a81fc85ef543c178b0a56e28bea32c3df5cc882b2c45851e
  SHA512: 72d8f1c0db60965338884240197d806d4870c5e2beb01f21fff91b84936a2db4ccf1f16b1ab20a0432a780729fdb6769eef916e685d165bb4561835c063e9ef8
- Filesize: 582KB
  MD5: f9639bc0419307c14f4fa1331bbfa2e4
  SHA1: 54ef89f866a699996f4fcb08bbfc8220eb59da15
  SHA256: 7b5ca53bed811dc6ef1ffd0939250a7ea864d4dad763ea84f8e6fcc1205bdc92
  SHA512: 0e315ea0cf2e223e1172bb4fffe74facd814a685e02ce1e4a617295052cac35c2ef098c89699a5d7234488989e2bf9cd5f986db33dc3b016b1e02702b1579d88
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91