Analysis

- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2024 23:23

Static task: static1

Behavioral task: behavioral1
- Sample: 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe
- Resource: win10v2004-20241007-en
General

| Field | Value |
|---|---|
| Target | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe |
| Size | 1.1MB |
| MD5 | ed60dc024241d102a0d66ca1953f0bf2 |
| SHA1 | af1f97093edbe05bdae4bea708c97658cfe4607b |
| SHA256 | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a |
| SHA512 | 9b968e382c081c0f81019bc48acedd69e93ecd22089e7b719ee84341afa64ff670552f1e8ede1ec9bf6275bc2150153a394dffc7191cbae74fb19ee53bc509e6 |
| SSDEEP | 24576:XyqFZaxgNBAVjn3561GskjUoCZR+zdqhop9EJLC6:iqFSgNBxkjq5hUs |
Malware Config

Two RedLine configurations were extracted; both point at the same C2 endpoint.

| Family | Botnet | C2 | auth_value |
|---|---|---|---|
| redline | lada | 185.161.248.90:4125 | 0b3678897547fedafe314eda5a2015ba |
| redline | diro | 185.161.248.90:4125 | ae95bda0dd2e95169886a3a68138568b |
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr776495.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr776495.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr776495.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr776495.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr776495.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr776495.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)

| Resource | YARA rule |
|---|---|
| behavioral1/memory/2212-2206-0x0000000005420000-0x0000000005452000-memory.dmp | family_redline |
| behavioral1/files/0x0011000000023b56-2211.dat | family_redline |
| behavioral1/memory/5464-2219-0x0000000000CC0000-0x0000000000CEE000-memory.dmp | family_redline |
| behavioral1/files/0x0007000000023c97-2228.dat | family_redline |
| behavioral1/memory/5148-2230-0x0000000000170000-0x00000000001A0000-memory.dmp | family_redline |
Redline family

Checks computer location settings (2 TTPs, 1 IoC)

Looks up the country code configured in the registry, likely for geofencing.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | qu876598.exe |
Executes dropped EXE (6 IoCs)

| PID | Process |
|---|---|
| 4940 | un348814.exe |
| 324 | un661698.exe |
| 2676 | pr776495.exe |
| 2212 | qu876598.exe |
| 5464 | 1.exe |
| 5148 | rk404908.exe |

Windows security modification (2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr776495.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr776495.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un661698.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un348814.exe |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2744 | 2676 | WerFault.exe | 86 |
| 5232 | 2212 | WerFault.exe | 99 |
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un348814.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un661698.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr776495.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu876598.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk404908.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| PID | Process |
|---|---|
| 2676 | pr776495.exe |
| 2676 | pr776495.exe |
Suspicious use of AdjustPrivilegeToken (2 IoCs)

| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2676 | pr776495.exe |
| Token: SeDebugPrivilege | 2212 | qu876598.exe |
Suspicious use of WriteProcessMemory (18 IoCs)

| Description | PID | Process | procid_target |
|---|---|---|---|
| PID 3668 wrote to memory of 4940 | 3668 | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe | 83 |
| PID 3668 wrote to memory of 4940 | 3668 | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe | 83 |
| PID 3668 wrote to memory of 4940 | 3668 | 199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe | 83 |
| PID 4940 wrote to memory of 324 | 4940 | un348814.exe | 84 |
| PID 4940 wrote to memory of 324 | 4940 | un348814.exe | 84 |
| PID 4940 wrote to memory of 324 | 4940 | un348814.exe | 84 |
| PID 324 wrote to memory of 2676 | 324 | un661698.exe | 86 |
| PID 324 wrote to memory of 2676 | 324 | un661698.exe | 86 |
| PID 324 wrote to memory of 2676 | 324 | un661698.exe | 86 |
| PID 324 wrote to memory of 2212 | 324 | un661698.exe | 99 |
| PID 324 wrote to memory of 2212 | 324 | un661698.exe | 99 |
| PID 324 wrote to memory of 2212 | 324 | un661698.exe | 99 |
| PID 2212 wrote to memory of 5464 | 2212 | qu876598.exe | 100 |
| PID 2212 wrote to memory of 5464 | 2212 | qu876598.exe | 100 |
| PID 2212 wrote to memory of 5464 | 2212 | qu876598.exe | 100 |
| PID 4940 wrote to memory of 5148 | 4940 | un348814.exe | 103 |
| PID 4940 wrote to memory of 5148 | 4940 | un348814.exe | 103 |
| PID 4940 wrote to memory of 5148 | 4940 | un348814.exe | 103 |
Processes

Process tree (the bracketed number is the depth in the tree; indented bullets are the signatures matched by that process):

[1] C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\199a10d99194447252874e061991d15527be95978bebf2f08549b8323e3cd32a.exe"
    PID: 3668
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un348814.exe
        PID: 4940
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un661698.exe
            PID: 324
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr776495.exe
                PID: 2676
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1080
                    PID: 2744
                    - Program crash

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu876598.exe
                PID: 2212
                - Checks computer location settings
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Temp\1.exe
                    Command line: "C:\Windows\Temp\1.exe"
                    PID: 5464
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1388
                    PID: 5232
                    - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk404908.exe
            PID: 5148
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2676 -ip 2676
    PID: 4404

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2212 -ip 2212
    PID: 5372
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads