Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2024 02:04
Static task: static1
Behavioral task: behavioral1
Sample: fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe
Resource: win10v2004-20241007-en
General
Target: fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe
Size: 940KB
MD5: 1ef58248d23f454c6f9a69807d628ce8
SHA1: 2638ff10898ca2e7f0838e7d2efbd6e9140fa58f
SHA256: fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459
SHA512: 664666f33d95d7ce24224d9aadf059110b741c8038be2c6aae3626011077b257f23b09c567fe004c299f5d6002fd7e15d49766c32b2a3ac86bc73945cb8f0632
SSDEEP: 24576:tygLlN7E4q67f3DhJQTjmukiZ0tyFWgZPK/Cb:Ig5NXq67f3DvgyugtGPK/C
Malware Config
Extracted: redline (lada)
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted: redline (diro)
C2: 185.161.248.90:4125
auth_value: ae95bda0dd2e95169886a3a68138568b
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cba-19.dat | healer
behavioral1/memory/3844-22-0x0000000000AE0000-0x0000000000AEA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it256579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it256579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it256579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it256579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it256579.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it256579.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1052-2174-0x0000000005400000-0x0000000005432000-memory.dmp | family_redline
behavioral1/files/0x000c000000023b73-2179.dat | family_redline
behavioral1/memory/3112-2187-0x0000000000A70000-0x0000000000A9E000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cb8-2196.dat | family_redline
behavioral1/memory/4588-2198-0x0000000000A80000-0x0000000000AB0000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | jr357132.exe

Executes dropped EXE (6 IoCs)
pid | Process
5084 | zijF3565.exe
2276 | ziho3441.exe
3844 | it256579.exe
1052 | jr357132.exe
3112 | 1.exe
4588 | kp520940.exe

Windows security modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it256579.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zijF3565.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziho3441.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2120 | 1052 | WerFault.exe | 94

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kp520940.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zijF3565.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziho3441.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr357132.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3844 | it256579.exe
3844 | it256579.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3844 | it256579.exe
Token: SeDebugPrivilege | 1052 | jr357132.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4692 wrote to memory of 5084 | 4692 | fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe | 83
PID 4692 wrote to memory of 5084 | 4692 | fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe | 83
PID 4692 wrote to memory of 5084 | 4692 | fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe | 83
PID 5084 wrote to memory of 2276 | 5084 | zijF3565.exe | 84
PID 5084 wrote to memory of 2276 | 5084 | zijF3565.exe | 84
PID 5084 wrote to memory of 2276 | 5084 | zijF3565.exe | 84
PID 2276 wrote to memory of 3844 | 2276 | ziho3441.exe | 85
PID 2276 wrote to memory of 3844 | 2276 | ziho3441.exe | 85
PID 2276 wrote to memory of 1052 | 2276 | ziho3441.exe | 94
PID 2276 wrote to memory of 1052 | 2276 | ziho3441.exe | 94
PID 2276 wrote to memory of 1052 | 2276 | ziho3441.exe | 94
PID 1052 wrote to memory of 3112 | 1052 | jr357132.exe | 95
PID 1052 wrote to memory of 3112 | 1052 | jr357132.exe | 95
PID 1052 wrote to memory of 3112 | 1052 | jr357132.exe | 95
PID 5084 wrote to memory of 4588 | 5084 | zijF3565.exe | 100
PID 5084 wrote to memory of 4588 | 5084 | zijF3565.exe | 100
PID 5084 wrote to memory of 4588 | 5084 | zijF3565.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe (PID 4692)
  command line: "C:\Users\Admin\AppData\Local\Temp\fcc757033a86379feded38e4afd244634bc1f2076aaa902a1807e0d023fba459.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe (PID 5084)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijF3565.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe (PID 2276)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziho3441.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe (PID 3844)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it256579.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe (PID 1052)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr357132.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Temp\1.exe (PID 3112)
          command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe (PID 2120)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1380
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe (PID 4588)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp520940.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (PID 4796)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1052 -ip 1052
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads