Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2024 04:10

Static task: static1
Behavioral task: behavioral1
Sample: 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe
Resource: win10v2004-20241007-en
General
Target: 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe
Size: 1.0MB
MD5: e64e0f08a31011d0c9a78bb6c3d49cd5
SHA1: 949034473e0fc54bbbba186393d607d169f140b0
SHA256: 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed
SHA512: 1923eb9416c8cbf0ea4e7f1652e65b012f3be7b050a61c1a23a5f5f8598f62a496c22f32271d86dade8d8d5d8499c812cd589c7301dec54e71d7ffb2aa24140d
SSDEEP: 24576:ByZ2gKT5HZJZTBmWi6F169Ggv/KcqyWEC1DnzTq:0ZUd5JbmWi6F1mzXzFgL
Malware Config

Extracted
family: redline
botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted
family: redline
botnet: disa
C2: 185.161.248.90:4125
auth_value: 93f8c4ca7000e3381dd4b6b86434de05
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b65-19.dat | healer
behavioral1/memory/4836-22-0x0000000000080000-0x000000000008A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it145963.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it145963.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it145963.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it145963.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it145963.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it145963.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/2192-2174-0x0000000005760000-0x0000000005792000-memory.dmp | family_redline
behavioral1/files/0x000b000000023b5c-2179.dat | family_redline
behavioral1/memory/4760-2188-0x0000000000D60000-0x0000000000D8E000-memory.dmp | family_redline
behavioral1/files/0x000a000000023b62-2191.dat | family_redline
behavioral1/memory/2700-2193-0x0000000000750000-0x0000000000780000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | jr658108.exe

Executes dropped EXE (6 IoCs)
pid | Process
3224 | zien3032.exe
4404 | zido9935.exe
4836 | it145963.exe
2192 | jr658108.exe
4760 | 1.exe
2700 | kp351608.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it145963.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zien3032.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zido9935.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility used to control services on the system.
pid | Process
3196 | sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zien3032.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zido9935.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr658108.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kp351608.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4836 | it145963.exe
4836 | it145963.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4836 | it145963.exe
Token: SeDebugPrivilege | 2192 | jr658108.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2268 wrote to memory of 3224 | 2268 | 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe | 84
PID 2268 wrote to memory of 3224 | 2268 | 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe | 84
PID 2268 wrote to memory of 3224 | 2268 | 9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe | 84
PID 3224 wrote to memory of 4404 | 3224 | zien3032.exe | 86
PID 3224 wrote to memory of 4404 | 3224 | zien3032.exe | 86
PID 3224 wrote to memory of 4404 | 3224 | zien3032.exe | 86
PID 4404 wrote to memory of 4836 | 4404 | zido9935.exe | 87
PID 4404 wrote to memory of 4836 | 4404 | zido9935.exe | 87
PID 4404 wrote to memory of 2192 | 4404 | zido9935.exe | 94
PID 4404 wrote to memory of 2192 | 4404 | zido9935.exe | 94
PID 4404 wrote to memory of 2192 | 4404 | zido9935.exe | 94
PID 2192 wrote to memory of 4760 | 2192 | jr658108.exe | 95
PID 2192 wrote to memory of 4760 | 2192 | jr658108.exe | 95
PID 2192 wrote to memory of 4760 | 2192 | jr658108.exe | 95
PID 3224 wrote to memory of 2700 | 3224 | zien3032.exe | 96
PID 3224 wrote to memory of 2700 | 3224 | zien3032.exe | 96
PID 3224 wrote to memory of 2700 | 3224 | zien3032.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9b1bf5607fc5c8e8377d5c02d8510cb1d820798603683e83351186ddba7c67ed.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2268

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zien3032.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3224

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zido9935.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4404

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145963.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4836

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr658108.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2192

        C:\Windows\Temp\1.exe
          command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4760

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp351608.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2700

C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 3196
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 723KB
MD5: 6b4a4cc8b467c46b5c1a41fb2909378f
SHA1: ab4a3ec3eafba38fc52a53a8074491e1293b8fc3
SHA256: 0af0effe386b3c8b606efe31a7b1a44db015be197a3804494cf4fcdcaa0468be
SHA512: a303b9364f75128d4564435290983038d27edc478e2ce654a9eff88bfafdd45aff446fcf19e49cce403073aa319e03e10a0c0f361478c08e0fa95bd2eb2d32dd

Filesize: 169KB
MD5: 0568b4bb59a02a8c451b126b907ee577
SHA1: 57a6f17320e728b6c30be5fa16915d2aeb4151e4
SHA256: 74a46a9912cc3cdede4f6acdda68913f53c38e9ba2c97a03386a8a92d80027a0
SHA512: 60d6aafd5b03d0ae930c6744f5c2b986e20aff57ea4f6cbfdc3eeb7b79ceec7f8c3edfe68b10492917d0cc67c20f92927e40d9854725370f16890c850f6805ac

Filesize: 569KB
MD5: 657d9da5ffd62c69216ef5121af8fde0
SHA1: c089cd3d31244d40d307153cd27d6cbbf9665494
SHA256: f18ba27487f8c17f3f7a5ce3bdad3dca57b4c9cfb2947e5b4d6ee0c15b52c492
SHA512: 7b2425e6d6594258212e7a2a9fe28f3be45d717818dbd8d81707c6a9167e4495103102824681b2e324db4d2fa554c36d670c5f5a71e11a8b7a3c816254aaaed4

Filesize: 11KB
MD5: f2877240b3dd6bd57d49335879160cae
SHA1: c3b09356f3826971da2e316daa5de909212f0346
SHA256: 243d3d6ac12883ab1faa1f4a73aee8eb24499eb523306a1c929aaae041662520
SHA512: 07d3038e99bec6a1310f99f38e243efcef8e78eefee3962c08cd59f6cb67ef80b5c5b9c07af76d30d2f71b542339504e5237decec22771af35b860662a302527

Filesize: 588KB
MD5: 2980d76b80d7e1abf6a0a1bbe5371ee3
SHA1: b362468389bfbc76bb87afd016c2de2e583fdae5
SHA256: 8ef72057648be6a0e583659a294bac049cd9797ed8c499bf3febc3a9f7a0cd50
SHA512: a7cab189cfbdf62c0738b2227df22da78784de370fa5520b9cf55c058fcabf46e96e655cfa5ff13b9499c140bd1a2bf7ea63ce7d1ba20dc190f416a1aa6e366a

Filesize: 168KB
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1