Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 03:47
Static task
static1
Behavioral task
behavioral1
Sample
1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe
Resource
win10v2004-20241007-en
General
-
Target
1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe
-
Size
1.0MB
-
MD5
a48ef4d79dbfc3507be1416f8da627c2
-
SHA1
9648a076d3097591037420a2f796659018131fb1
-
SHA256
1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3
-
SHA512
20dc23f4a5721fec2660b3b77635a6a5ac613ebb090c32179c8db61199e26d34591fa9d241c2160e4b2ec98fd06e502d9b17bc195b3110087c164873b5737f1f
-
SSDEEP
24576:LyBG2jgl5VzHyvokFWd9xEafLusuhDiv:+BmVzSAzsD9hDi
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Extracted
redline
diza
185.161.248.90:4125
-
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0009000000023c55-19.dat healer behavioral1/memory/2428-22-0x0000000000940000-0x000000000094A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it384369.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it384369.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it384369.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it384369.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it384369.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it384369.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2984-2174-0x0000000005790000-0x00000000057C2000-memory.dmp family_redline behavioral1/files/0x000c000000023b22-2179.dat family_redline behavioral1/memory/5308-2187-0x0000000000B70000-0x0000000000B9E000-memory.dmp family_redline behavioral1/files/0x0008000000023c52-2197.dat family_redline behavioral1/memory/5668-2198-0x0000000000670000-0x00000000006A0000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation jr864583.exe -
Executes dropped EXE 6 IoCs
pid Process 5088 zicE4334.exe 3520 zieK6979.exe 2428 it384369.exe 2984 jr864583.exe 5308 1.exe 5668 kp088804.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it384369.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zicE4334.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" zieK6979.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5544 2984 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zicE4334.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zieK6979.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jr864583.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kp088804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2428 it384369.exe 2428 it384369.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2428 it384369.exe Token: SeDebugPrivilege 2984 jr864583.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2500 wrote to memory of 5088 2500 1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe 84 PID 2500 wrote to memory of 5088 2500 1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe 84 PID 2500 wrote to memory of 5088 2500 1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe 84 PID 5088 wrote to memory of 3520 5088 zicE4334.exe 86 PID 5088 wrote to memory of 3520 5088 zicE4334.exe 86 PID 5088 wrote to memory of 3520 5088 zicE4334.exe 86 PID 3520 wrote to memory of 2428 3520 zieK6979.exe 87 PID 3520 wrote to memory of 2428 3520 zieK6979.exe 87 PID 3520 wrote to memory of 2984 3520 zieK6979.exe 97 PID 3520 wrote to memory of 2984 3520 zieK6979.exe 97 PID 3520 wrote to memory of 2984 3520 zieK6979.exe 97 PID 2984 wrote to memory of 5308 2984 jr864583.exe 98 PID 2984 wrote to memory of 5308 2984 jr864583.exe 98 PID 2984 wrote to memory of 5308 2984 jr864583.exe 98 PID 5088 wrote to memory of 5668 5088 zicE4334.exe 103 PID 5088 wrote to memory of 5668 5088 zicE4334.exe 103 PID 5088 wrote to memory of 5668 5088 zicE4334.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe"C:\Users\Admin\AppData\Local\Temp\1a0828fed03acdea67533938f738513f78b651b15cd95732c72c43dd4d7bf8c3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicE4334.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicE4334.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieK6979.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieK6979.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it384369.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it384369.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr864583.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr864583.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 14685⤵
- Program crash
PID:5544
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp088804.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp088804.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5668
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2984 -ip 29841⤵PID:5452
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
723KB
MD54d600138e8f55047e67c7b0aefc21df7
SHA1690580333793f3aedd1b0f7bc96f02502d42f557
SHA256a5e9cd36a620848360801587d8a9e0a11f365b6da8d8b4aa2cab4f4841656598
SHA512b26949ff0057541a4f7d64b69d40abd57c24382ce69e17ec5ec7d52d13d8291646dffc58a831c998e4c1fec1b1fa258b09625e9cb4fb20316ae33058e404724b
-
Filesize
168KB
MD5c52ebada00a59ec1f651a0e9fbcef2eb
SHA1e1941278df76616f1ca3202ef2a9f99d2592d52f
SHA25635d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e
SHA5126b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2
-
Filesize
569KB
MD5d779604352a4ebd7e034074bd76dfeec
SHA1ce7c10bb997a89227374e58d5e86d73f1b5e74d2
SHA256e6f442c8593a03e4672c50420cc7027b9f257239502f4df962d19809219a5bcc
SHA512068382812fbc0ed9492c52a3c7cd4fd1fcbb362411dd798266eef8efa90502ff0095c69820b5e05c14c1785521a7fdf10246dd88e68107441816931485e2368f
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
588KB
MD54ce843d51085af06483f0603d730130e
SHA11156f207cc6609f74a2517e7a8ec1667006235a0
SHA25696cac5d375ccb8335d4a231fdf23d09e7b203ab3a55c175543fd7177d50836b4
SHA5126d5fc3fb2e53ed5148190f983d0b359fb18993d8f385cb3a1c82c13d98f0e5ae70eb88097055cfb8ad395764e3583ba6fe1f736af3502966f675d82417d28988
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1