Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2024 02:34

Static task: static1
Behavioral task: behavioral1
Sample: ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe
Resource: win10v2004-20241007-en
General

Target: ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe
Size: 1.0MB
MD5: a89b8910107f3463c025e649c65dbb70
SHA1: 397aaf3dfc3fab6c3c1deaa0d1885cb4287e8317
SHA256: ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69
SHA512: 32f74b773dfea40a4d2e9629ddbbb09bbc087dc92d08f44b782e8016f1ab7d6c6b0424083ec3c9ffdd1e84aecc6aae68cda0f7e9650cc4c7f1eda340c0055991
SSDEEP: 24576:hyA6tsxGj5Gh3BJ6+74LJNJ1O94KHyavf2+1C98IeumqS2bdj:UkGjAVxE9NJ1iJHvvf2D8IRZTb
Malware Config

Extracted: redline
  botnet: lada
  C2: 185.161.248.90:4125
  auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted: redline
  botnet: disa
  C2: 185.161.248.90:4125
  auth_value: 93f8c4ca7000e3381dd4b6b86434de05

Two RedLine configurations were extracted. Both point at the same C2 endpoint but carry different botnet names and auth values, consistent with the two separate RedLine payloads (pids 5452 and 5512) flagged by the family_redline rule below.
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/files/0x000b000000023b95-19.dat                                    healer
  behavioral1/memory/1380-22-0x0000000000CE0000-0x0000000000CEA000-memory.dmp    healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  process        description       ioc
  it488814.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  it488814.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  it488814.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  it488814.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  it488814.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  it488814.exe   Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

All five values are written under the HKLM\SOFTWARE\Policies hive, the Group Policy location Defender honours, rather than under the Defender service's own key.
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
  resource                                                                         yara_rule
  behavioral1/memory/1144-2174-0x0000000005760000-0x0000000005792000-memory.dmp    family_redline
  behavioral1/files/0x0008000000022719-2179.dat                                    family_redline
  behavioral1/memory/5452-2187-0x0000000000520000-0x000000000054E000-memory.dmp    family_redline
  behavioral1/files/0x000a000000023b93-2191.dat                                    family_redline
  behavioral1/memory/5512-2193-0x0000000000440000-0x0000000000470000-memory.dmp    family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  process        description         ioc
  jr109715.exe   Key value queried   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (6 IoCs)
  pid    process
  3276   zipD4508.exe
  3184   ziEL4033.exe
  1380   it488814.exe
  1144   jr109715.exe
  5452   1.exe
  5512   kp190198.exe

Windows security modification (1 IoC)
  process        description       ioc
  it488814.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"

This write targets the value that records the Tamper Protection state, the control that exists to block the Real-Time Protection policy changes listed above.
Adds Run key to start application (2 TTPs, 3 IoCs)
  process                                                                   description       ioc
  ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe      Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  zipD4508.exe                                                              Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  ziEL4033.exe                                                              Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""

Note: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are the standard self-cleanup entries written by the IExpress (wextract) self-extracting stub; together with the IXP000.TMP, IXP001.TMP and IXP002.TMP directories they indicate three nested IExpress layers, not persistence of the final payload.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  process                                                                   description   ioc
  ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe      Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  zipD4508.exe                                                              Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  ziEL4033.exe                                                              Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  jr109715.exe                                                              Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  1.exe                                                                     Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  kp190198.exe                                                              Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
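The registry events in the Defender, geofence, RunOnce and language signatures above all share one line layout (action, key, optional value, writing process), so a short parser can turn them into per-process behaviour tags for triage. The following is an added example, not code from this report or from any sandbox vendor: it assumes the line layout seen on this page, the category names are its own, and the sample lines are copied from the signatures above.

```python
import re
from collections import defaultdict

# Registry events copied from the Signatures section of this report, one per
# line, in the sandbox's "action  key [= "value"]  process" layout.
REGISTRY_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it488814.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it488814.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it488814.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it488814.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it488814.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it488814.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it488814.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation jr109715.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zipD4508.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jr109715.exe
"""

# Line layout assumed from this report: action, key path, optional = "value",
# then the writing process as the last whitespace-free token.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key created|Key value queried|Key opened) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+\.exe)$'
)

# (category, key pattern, value predicate or None). Category names are this
# example's own; each mirrors one signature raised in the report.
RULES = [
    ("defender_policy_disable",
     re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I),
     lambda v: v == "1"),
    ("defender_policy_key_created",
     re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection$", re.I),
     None),
    ("defender_tamper_protection_off",
     re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I),
     lambda v: v == "0"),
    ("geofence_lookup",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), None),
    ("language_discovery",
     re.compile(r"\\Control\\NLS\\Language$", re.I), None),
    ("iexpress_cleanup_runonce",
     re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I),
     lambda v: "advpack.dll,DelNodeRunDLL32" in v),
]


def parse_events(text):
    """Split report lines into event dicts; lines that do not fit are returned separately."""
    events, unparsed = [], []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def classify(event):
    """Return the first matching category, or "other" (e.g. TamperProtection set to a non-zero value)."""
    for category, key_re, value_ok in RULES:
        if not key_re.search(event["key"]):
            continue
        if value_ok is not None and (event["value"] is None or not value_ok(event["value"])):
            continue
        return category
    return "other"


def summarize(text):
    """Map each writing process to the sorted set of behaviours it exhibited."""
    events, unparsed = parse_events(text)
    if unparsed:
        raise ValueError(f"{len(unparsed)} unparsed lines, first: {unparsed[0]!r}")
    per_process = defaultdict(set)
    for ev in events:
        per_process[ev["process"]].add(classify(ev))
    return {proc: sorted(cats) for proc, cats in per_process.items()}


def defender_tampering_processes(text):
    """Processes that touched any Defender policy or Tamper Protection value."""
    return sorted(proc for proc, cats in summarize(text).items()
                  if any(c.startswith("defender_") for c in cats))


if __name__ == "__main__":
    for proc, cats in summarize(REGISTRY_IOCS).items():
        print(f"{proc}: {', '.join(cats)}")
    print("Defender tampering by:", defender_tampering_processes(REGISTRY_IOCS))
```

The value predicates matter: a write of DisableRealtimeMonitoring = "0" or TamperProtection to a non-zero value is a re-enable, not tampering, and falls through to "other". The RunOnce rule keys on the advpack.dll,DelNodeRunDLL32 command rather than on the RunOnce path alone, so genuine autostart entries under RunOnce would still surface as "other" for a human to look at rather than being mislabelled as IExpress cleanup.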
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  1380   it488814.exe
  1380   it488814.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1380   it488814.exe
  Token: SeDebugPrivilege   1144   jr109715.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  pid    target pid   process                                                                   procid_target
  1872   3276         ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe      83
  1872   3276         ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe      83
  1872   3276         ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe      83
  3276   3184         zipD4508.exe                                                              84
  3276   3184         zipD4508.exe                                                              84
  3276   3184         zipD4508.exe                                                              84
  3184   1380         ziEL4033.exe                                                              86
  3184   1380         ziEL4033.exe                                                              86
  3184   1144         ziEL4033.exe                                                              97
  3184   1144         ziEL4033.exe                                                              97
  3184   1144         ziEL4033.exe                                                              97
  1144   5452         jr109715.exe                                                              98
  1144   5452         jr109715.exe                                                              98
  1144   5452         jr109715.exe                                                              98
  3276   5512         zipD4508.exe                                                              99
  3276   5512         zipD4508.exe                                                              99
  3276   5512         zipD4508.exe                                                              99
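The 17 WriteProcessMemory events above carry enough information to rebuild the process tree on their own, and the result should agree with the Processes section below; doing that cross-check by hand is tedious, so here it is as code. This is an added example, not part of the sandbox report: it assumes the "PID X wrote to memory of Y X name procid" line layout seen here, takes the pid-to-image mapping from the "Executes dropped EXE" table plus the root sample, and reports the number of writes per parent/child edge without interpreting it.

```python
import re
from collections import OrderedDict

# The 17 "wrote to memory of" events from the Signatures section, copied
# verbatim from this report, one per line.
WPM_EVENTS = """
PID 1872 wrote to memory of 3276 1872 ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe 83
PID 1872 wrote to memory of 3276 1872 ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe 83
PID 1872 wrote to memory of 3276 1872 ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe 83
PID 3276 wrote to memory of 3184 3276 zipD4508.exe 84
PID 3276 wrote to memory of 3184 3276 zipD4508.exe 84
PID 3276 wrote to memory of 3184 3276 zipD4508.exe 84
PID 3184 wrote to memory of 1380 3184 ziEL4033.exe 86
PID 3184 wrote to memory of 1380 3184 ziEL4033.exe 86
PID 3184 wrote to memory of 1144 3184 ziEL4033.exe 97
PID 3184 wrote to memory of 1144 3184 ziEL4033.exe 97
PID 3184 wrote to memory of 1144 3184 ziEL4033.exe 97
PID 1144 wrote to memory of 5452 1144 jr109715.exe 98
PID 1144 wrote to memory of 5452 1144 jr109715.exe 98
PID 1144 wrote to memory of 5452 1144 jr109715.exe 98
PID 3276 wrote to memory of 5512 3276 zipD4508.exe 99
PID 3276 wrote to memory of 5512 3276 zipD4508.exe 99
PID 3276 wrote to memory of 5512 3276 zipD4508.exe 99
"""

# pid -> image name, from the "Executes dropped EXE" table plus the root sample.
PID_NAMES = {
    1872: "ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe",
    3276: "zipD4508.exe",
    3184: "ziEL4033.exe",
    1380: "it488814.exe",
    1144: "jr109715.exe",
    5452: "1.exe",
    5512: "kp190198.exe",
}

# Layout assumed from this report: writer pid, target pid, writer pid again,
# writer image, then the sandbox's own index for the target process.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_events(text):
    """Return (writer_pid, target_pid, writer_name, procid_target) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        writer, target, writer_again, name, procid = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent writer pid in {line!r}")
        events.append((int(writer), int(target), name, int(procid)))
    return events


def build_tree(events):
    """Collapse repeated writes into one parent->child edge, keeping first-seen order and a write count."""
    children = {}
    for writer, target, _name, _procid in events:
        edges = children.setdefault(writer, OrderedDict())
        edges[target] = edges.get(target, 0) + 1
    return children


def find_roots(tree):
    """Pids that write to others but are never written to: the original sample."""
    targets = {child for edges in tree.values() for child in edges}
    return [pid for pid in tree if pid not in targets]


def depths(tree, root, depth=1):
    """Depth of every process under root, 1-based like the Processes section."""
    out = {root: depth}
    for child in tree.get(root, {}):
        out.update(depths(tree, child, depth + 1))
    return out


def render(tree, names, root, depth=0, count=None):
    """Indented text tree with the per-edge WriteProcessMemory count."""
    label = f"{root} {names.get(root, '?')}"
    if count is not None:
        label += f"  [{count} WriteProcessMemory events]"
    lines = ["  " * depth + label]
    for child, n in tree.get(root, {}).items():
        lines.extend(render(tree, names, child, depth + 1, n))
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_events(WPM_EVENTS))
    for root in find_roots(tree):
        print("\n".join(render(tree, PID_NAMES, root)))
```

The rebuilt depths (1872 at 1, 3276 at 2, 3184 and 5512 at 3, 1380 and 1144 at 4, 5452 at 5) match the level markers in the Processes section, which is the check worth automating: a process that appears in the tree but never receives a WriteProcessMemory event from its listed parent would point at a hollowed or injected-into host rather than a normally spawned child.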
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ee14b6fb8112e867a5b075077fa5455d6443318605f9cd8c2fcb8807ec28cf69.exe"
  PID: 1872
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipD4508.exe
    PID: 3276
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEL4033.exe
      PID: 3184
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it488814.exe
        PID: 1380
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr109715.exe
        PID: 1144
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Windows\Temp\1.exe
          cmdline: "C:\Windows\Temp\1.exe"
          PID: 5452
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp190198.exe
      PID: 5512
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads

Filesize: 723KB
MD5: 8e553773aa18e58e87ab5599223d22eb
SHA1: 15a9dbec5f96a0ae27c2bfa06ac303e496c3124d
SHA256: 0d52c22c3d8cee989c38fdefd93a66fdfaeff249e2074254ef3944de1bd29020
SHA512: 6ba6914fdf64ff414f1cf5b2e2707875e1655d1d70db004a60e965a33d6476bd813760c71408b61cace7f79dc3b8cd1065cf658957d505b9af972d448888a81b

Filesize: 169KB
MD5: e8a42884bd8abe9d58e9489fffefd238
SHA1: a319bf07f298587ed16d26304d98472898abb7c0
SHA256: a51a490c6f4f6a63f30f1bb921db5a1f16040810d4be9eb0c65317b870293cfe
SHA512: 7a64af47af2bdc20576ae259d50d0e22ebba4a867e323d5aa677a03a26cb006a6f2e0204bb12eee70653ea7563b752e6a3ff8a4a67dce368c91fe1b63e09fe88

Filesize: 569KB
MD5: 2134c6b814b039e9b0149274a873de82
SHA1: 1d9847f5516d14a12d846700ed434c4fb3daec40
SHA256: d0c8f298046e595d87008916c226201f6b4d9e8f6d03c6bf6b4fd18b9a346ebc
SHA512: cc20f440d6e6710b5e32d0b34e77d5b0eabbfcb22661a0f8cd6eb0eed741bc49bd9beb9c0b93ffbbb0cb8dbcf8ae2df242a701813fc2ebdd91d9d77251260027

Filesize: 11KB
MD5: d6a68f1f4d9196c62a22c45bfcd81d1f
SHA1: c50e566d21576d0c2c3f24b4bcc41e4cf5337fec
SHA256: f2618bcf4048c4546f76f805f2c7c8da49b37038eaec6514125a63783dac432e
SHA512: 3ab6fea14a937eed4b8ad0111635ded2a039be2b0575eb9167c74d9d74cc2cddc101e63deab1ae85cd3eb8796c893ee422e444f9b5e4e48f1107a864d5ebb13b

Filesize: 588KB
MD5: ee8fff59c990bb7b24622197661a272d
SHA1: 40d1b8fea7ecfcfc99cf344d7366c5652ec6fcfa
SHA256: 4117daa21221afaccc409f06d776d06417e705edbd8a4821b819ba872ac994da
SHA512: e29cdafd9b2531ab4aec3d81245be46e394a0763b20f33ae8c053724ee9969ac932f7afd79589c4029afc9bd2bfe1d3b1abea2f319470db2ddb3cadc4bc255b2

Filesize: 168KB
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1