Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 12:11
Static task
static1
Behavioral task
behavioral1
Sample
45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe
Resource
win10v2004-20241007-en
General
-
Target
45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe
-
Size
660KB
-
MD5
72013278f2830163557db0d64843deb6
-
SHA1
913fb413b98a5f8bd89e7c41dd84561427b4dd71
-
SHA256
45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b
-
SHA512
0dad3d4cbc4ccdaa9e84a8be912559e3f0fea1aafe59bd24ee84182111bd68d9c572e0e886db37c9874684f988c81556419afd6aaa4ee7b7cfc2cd2db28a88a8
-
SSDEEP
12288:RMrdy90sLmOAbtMIzHNS0BZ4jBfiNyS2Yz+2tuSzcwniN/kOgfKhoCl:0yqtMIzHNS0BZ4jBk962tuEW/krfif
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b9f-12.dat healer behavioral1/memory/976-15-0x0000000000230000-0x000000000023A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr224058.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr224058.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr224058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr224058.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr224058.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr224058.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/3964-2105-0x0000000005540000-0x0000000005572000-memory.dmp family_redline behavioral1/files/0x000400000001e4d4-2110.dat family_redline behavioral1/memory/1596-2118-0x0000000000BD0000-0x0000000000C00000-memory.dmp family_redline behavioral1/files/0x000a000000023b9d-2127.dat family_redline behavioral1/memory/5480-2129-0x00000000005D0000-0x00000000005FE000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation ku314560.exe -
Executes dropped EXE 5 IoCs
pid Process 4212 ziJJ3672.exe 976 jr224058.exe 3964 ku314560.exe 1596 1.exe 5480 lr691443.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr224058.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziJJ3672.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5368 3964 WerFault.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziJJ3672.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku314560.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lr691443.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 976 jr224058.exe 976 jr224058.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 976 jr224058.exe Token: SeDebugPrivilege 3964 ku314560.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3084 wrote to memory of 4212 3084 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe 85 PID 3084 wrote to memory of 4212 3084 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe 85 PID 3084 wrote to memory of 4212 3084 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe 85 PID 4212 wrote to memory of 976 4212 ziJJ3672.exe 86 PID 4212 wrote to memory of 976 4212 ziJJ3672.exe 86 PID 4212 wrote to memory of 3964 4212 ziJJ3672.exe 95 PID 4212 wrote to memory of 3964 4212 ziJJ3672.exe 95 PID 4212 wrote to memory of 3964 4212 ziJJ3672.exe 95 PID 3964 wrote to memory of 1596 3964 ku314560.exe 96 PID 3964 wrote to memory of 1596 3964 ku314560.exe 96 PID 3964 wrote to memory of 1596 3964 ku314560.exe 96 PID 3084 wrote to memory of 5480 3084 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe 100 PID 3084 wrote to memory of 5480 3084 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe 100 PID 3084 wrote to memory of 5480 3084 45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe"C:\Users\Admin\AppData\Local\Temp\45913f741bd775873951ee167d5eff7674c385a34afd019ed483468f162e4a9b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJJ3672.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJJ3672.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr224058.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr224058.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku314560.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku314560.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 12124⤵
- Program crash
PID:5368
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr691443.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr691443.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3964 -ip 39641⤵PID:5312
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f80ca79f509a17ea712647fbcd5ddd44
SHA16a397876d8ebf1c46a58f10e280c04a5a5426ba1
SHA25670b8182fc122bf31697b8264d0ea9479363bda821b604030206ca12cfb2c85ec
SHA512e1795718b2a49dc0567b024678afd37f981c45100bb254047e1db376ae055cad26257e7747c2cfd05dd5b5584010e345d1f035e4de4bad906ebf28165d1fa315
-
Filesize
507KB
MD5bb6e196a516e23d8b0860f4eef2b1130
SHA12cdaf5d77323add8dd29801a2c292a6197c3361d
SHA25630e6693af414e31597df161fdf216059ed77fd6b5e824b91d0d2e12ca1d90b23
SHA5123a416d4fd5cfe57ee4c58976828fc8b40e6dbc6112a9bde0fd40b31c370fec2c63795ff40b4d4b55e79ae2dadd7d40bf954e45fa321d6856901d60d6a05c1692
-
Filesize
11KB
MD5ca1b3291440c7e7bd61989c06eddc378
SHA168835b0590783f4031d7f50bc5523862b4ff366e
SHA256620d54aacdcd97d378965840455a89b934bcd4c04b91c2e38a19387594d7a232
SHA5124863fb12a4e19b9e2deb1291b4e9c7a9abf7a5ce758d7301ed67cc77e374723e770252dc3d44f842b5a014ff2b3362e0714dcdbf4fc642e8a3747729ff8fb969
-
Filesize
435KB
MD595ba5a51208565c4627ad7713671de76
SHA17063314b1fd1b12f6148a3fa313f1a673dd52f42
SHA25698aa151a24120a9dbe5013580f09cb5388ce8ac696d13903eaf4eec9af0aca65
SHA5123d220d677c4e8f5c6766f4d4186aed001e5f0d96c534bffb97318f8a4afc829d4ce9f5aa31684995ff66e9e260a7e1983e397c986201077872db8d6acca33247
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0