Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2024 03:59

Static task: static1
Behavioral task: behavioral1
Sample: d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe
Resource: win10v2004-20241007-en
General

Target: d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe
Size: 1.0MB
MD5: 4218e2d7a9d79c3cf25bc5e0e22ad024
SHA1: 3cc7734166e94e420914da48d6f44c7409704217
SHA256: d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0
SHA512: 276ee90260125f1a64992ddcb09ac5bdbeb4beb12285f164f51ad7b763e1721e4921dd65a192281854b3f29262ab55db47ce78a6bd4ce7e5006f39a4d091e064
SSDEEP: 24576:kyJjq2nLq0gMC311q9+Tn8hwTWbSNGUOa/:zBq2nOMC3112GnU0AUOa
Malware Config

Extracted: redline
- lada
- 185.161.248.90:4125
- auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted: redline
- disa
- 185.161.248.90:4125
- auth_value: 93f8c4ca7000e3381dd4b6b86434de05
Signatures

Detects Healer an antivirus disabler dropper 2 IoCs
resource / yara_rule:
- behavioral1/files/0x0008000000023c82-19.dat: healer
- behavioral1/memory/1160-22-0x0000000000BE0000-0x0000000000BEA000-memory.dmp: healer
Healer family

Modifies Windows Defender Real-time Protection settings (signature name as listed for it286958.exe in the process tree below)
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (it286958.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (it286958.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (it286958.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (it286958.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (it286958.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (it286958.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 5 IoCs
resource / yara_rule:
- behavioral1/memory/1116-2173-0x0000000005760000-0x0000000005792000-memory.dmp: family_redline
- behavioral1/files/0x0008000000023c7a-2178.dat: family_redline
- behavioral1/memory/5384-2187-0x0000000000320000-0x000000000034E000-memory.dmp: family_redline
- behavioral1/files/0x0007000000023c80-2191.dat: family_redline
- behavioral1/memory/2248-2192-0x00000000009B0000-0x00000000009E0000-memory.dmp: family_redline

Redline family

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (jr038880.exe)

Executes dropped EXE 6 IoCs
pid / process:
- 3864 zibS3935.exe
- 2884 ziMj6245.exe
- 1160 it286958.exe
- 1116 jr038880.exe
- 5384 1.exe
- 2248 kp590316.exe
Windows security modification (signature name as listed for it286958.exe in the process tree below)
description / ioc / process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (it286958.exe)

Adds Run key to start application 2 TTPs 3 IoCs
description / ioc / process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (zibS3935.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (ziMj6245.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kp590316.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zibS3935.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ziMj6245.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jr038880.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / process:
- 1160 it286958.exe
- 1160 it286958.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / process:
- Token: SeDebugPrivilege (1160 it286958.exe)
- Token: SeDebugPrivilege (1116 jr038880.exe)

Suspicious use of WriteProcessMemory 17 IoCs
description / pid / process / procid_target:
- PID 4076 wrote to memory of 3864 | 4076 d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | 83
- PID 4076 wrote to memory of 3864 | 4076 d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | 83
- PID 4076 wrote to memory of 3864 | 4076 d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe | 83
- PID 3864 wrote to memory of 2884 | 3864 zibS3935.exe | 84
- PID 3864 wrote to memory of 2884 | 3864 zibS3935.exe | 84
- PID 3864 wrote to memory of 2884 | 3864 zibS3935.exe | 84
- PID 2884 wrote to memory of 1160 | 2884 ziMj6245.exe | 85
- PID 2884 wrote to memory of 1160 | 2884 ziMj6245.exe | 85
- PID 2884 wrote to memory of 1116 | 2884 ziMj6245.exe | 97
- PID 2884 wrote to memory of 1116 | 2884 ziMj6245.exe | 97
- PID 2884 wrote to memory of 1116 | 2884 ziMj6245.exe | 97
- PID 1116 wrote to memory of 5384 | 1116 jr038880.exe | 98
- PID 1116 wrote to memory of 5384 | 1116 jr038880.exe | 98
- PID 1116 wrote to memory of 5384 | 1116 jr038880.exe | 98
- PID 3864 wrote to memory of 2248 | 3864 zibS3935.exe | 99
- PID 3864 wrote to memory of 2248 | 3864 zibS3935.exe | 99
- PID 3864 wrote to memory of 2248 | 3864 zibS3935.exe | 99
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d9f61f0e80dc8a5f9c1481a6734867cb110c2673b78a7d13f63fd7b35c07bea0.exe"
  PID: 4076
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibS3935.exe
    PID: 3864
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziMj6245.exe
      PID: 2884
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286958.exe
        PID: 1160
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr038880.exe
        PID: 1116
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Temp\1.exe
          command line: "C:\Windows\Temp\1.exe"
          PID: 5384
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp590316.exe
      PID: 2248
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads