Analysis

- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2024 10:26

Static task: static1
Behavioral task: behavioral1
Sample: 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe
Resource: win10v2004-20241007-en
General

- Target: 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe
- Size: 661KB
- MD5: 649c73956854fb5841a2b164c59a9e87
- SHA1: 87dc22f60f5196085a0c59597cfb66f04dcb40a5
- SHA256: 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32
- SHA512: e6b6dc5686226e05022b60068b2459b8ff5c671943aa8cfdbb03d31083014a9bce0e90823c7faf045823bd803f7b52b501310a07ac54cdb143c69f310bbdc081
- SSDEEP: 12288:xMrGy90CHmMYICcg7vBOH7BQk9G9Obe++4QDliJ7bcS0noFrygEZkUCE7DzLW:Ly3JXgdOH7BQk9Cg/5I27bcSQjgU2Ee
Malware Config

Extracted
- family: redline
- botnet: norm
- C2: 77.91.124.145:4125
- auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted
- family: redline
- botnet: droz
- C2: 77.91.124.145:4125
- auth_value: d099adf6dbf6ccb8e16967104280634a
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

  resource | yara_rule
  behavioral1/files/0x0008000000023ca3-12.dat | healer
  behavioral1/memory/4040-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr521164.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr521164.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr521164.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr521164.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr521164.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr521164.exe

RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)

  resource | yara_rule
  behavioral1/memory/4988-2105-0x0000000005540000-0x0000000005572000-memory.dmp | family_redline
  behavioral1/files/0x000900000001e58b-2110.dat | family_redline
  behavioral1/memory/5364-2118-0x0000000000FD0000-0x0000000001000000-memory.dmp | family_redline
  behavioral1/files/0x0007000000023ca0-2128.dat | family_redline
  behavioral1/memory/5568-2129-0x0000000000210000-0x000000000023E000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoCs)

Looks up the country code configured in the registry, likely for geofencing.

  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | ku574478.exe

Executes dropped EXE (5 IoCs)

  pid | Process
  616 | zigT5241.exe
  4040 | jr521164.exe
  4988 | ku574478.exe
  5364 | 1.exe
  5568 | lr983411.exe

Windows security modification

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr521164.exe

Adds Run key to start application (2 TTPs, 2 IoCs)

  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zigT5241.exe

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)

  pid | pid_target | Process | procid_target
  5488 | 4988 | WerFault.exe | 94

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku574478.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lr983411.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zigT5241.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

  pid | Process
  4040 | jr521164.exe
  4040 | jr521164.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description | pid | Process
  Token: SeDebugPrivilege | 4040 | jr521164.exe
  Token: SeDebugPrivilege | 4988 | ku574478.exe

Suspicious use of WriteProcessMemory (14 IoCs)

  description | pid | Process | procid_target
  PID 4760 wrote to memory of 616 | 4760 | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe | 82
  PID 4760 wrote to memory of 616 | 4760 | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe | 82
  PID 4760 wrote to memory of 616 | 4760 | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe | 82
  PID 616 wrote to memory of 4040 | 616 | zigT5241.exe | 83
  PID 616 wrote to memory of 4040 | 616 | zigT5241.exe | 83
  PID 616 wrote to memory of 4988 | 616 | zigT5241.exe | 94
  PID 616 wrote to memory of 4988 | 616 | zigT5241.exe | 94
  PID 616 wrote to memory of 4988 | 616 | zigT5241.exe | 94
  PID 4988 wrote to memory of 5364 | 4988 | ku574478.exe | 95
  PID 4988 wrote to memory of 5364 | 4988 | ku574478.exe | 95
  PID 4988 wrote to memory of 5364 | 4988 | ku574478.exe | 95
  PID 4760 wrote to memory of 5568 | 4760 | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe | 100
  PID 4760 wrote to memory of 5568 | 4760 | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe | 100
  PID 4760 wrote to memory of 5568 | 4760 | 1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe | 100
Processes

- C:\Users\Admin\AppData\Local\Temp\1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ef3f30e107e6b3f91d3920848d5e7528e8bfc39c037afe5ff9a77e6ccc2ed32.exe"
  PID: 4760
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigT5241.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zigT5241.exe
    PID: 616
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr521164.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr521164.exe
      PID: 4040
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku574478.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku574478.exe
      PID: 4988
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Temp\1.exe (depth 4)
        Command line: "C:\Windows\Temp\1.exe"
        PID: 5364
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1384
        PID: 5488
        - Program crash

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr983411.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr983411.exe
    PID: 5568
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4988 -ip 4988
  PID: 5452
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 168KB
  MD5: 601e8eaf6f18811138c42146fd7aa49e
  SHA1: f25085db286d385233c15d0e4f72a0e14a51a659
  SHA256: c77eccf08b1d78891d9c7779fbf602962883f48bb5eaec15e7d7e5fc6ba8cc93
  SHA512: 37a8394d7e65a589a2a4fe2ab7118d3080a025821067c537a74b57081cff89cbd443b20dde62215277ebdda9d551512aa91db8db37eeb658e292c5349f50e903

- Filesize: 507KB
  MD5: e23c2775f0b3de7199e1043c920bebb4
  SHA1: a175726028c324b46eeebe15fa0fbd6489c2e36a
  SHA256: c24c05a706f11bd4dc675bd2654004cd7dc98b77d6f43493f610d68ebb45c709
  SHA512: 8474d4dd3da237352cbd256bf1d0e2071e7c6aa6ed654bc40172a55df5325bedf291085563092a99f6e21f0e4040d67b1f960c9c67743b8bb07885d4a41a673d

- Filesize: 14KB
  MD5: 7171e545d61764fc4182af9f5c1f883b
  SHA1: eeee529afb27cea370fcb89bd755f0d8749882bb
  SHA256: 2758e6f0ce04476df81673b96da9ca3b8270bf36cdef7c3e337ba24650b80d01
  SHA512: f50a3905ba2daf05c5224cef3e49b1a91354a8ff911cb13803978b3a1910e433d6247c3038ad30a8b06c8c975230ea72f9d5f467ce8762bbf2d271193207e3b2

- Filesize: 426KB
  MD5: 853dbd2cfc656d18d19daffbf68de473
  SHA1: b845c8a17a7ce3c8d4be241edb57d1178441cb0e
  SHA256: 17ef56c399306f43d3b34c9f3ff43e547838a9ff65bfd970a5b3eef97ec5bb40
  SHA512: 5334cd9c9adceb5d637d56041ec2d72d6cd472575c787b5099ae00c6d935d61e91da92cfd7c703e45e92f3a2d8c58a45e097c11b64b87700114cc1f77345596e

- Filesize: 168KB
  MD5: 1073b2e7f778788852d3f7bb79929882
  SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
  SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
  SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0