Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 14:45
Static task
static1
Behavioral task
behavioral1
Sample
ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe
Resource
win10v2004-20241007-en
General
-
Target
ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe
-
Size
814KB
-
MD5
ff886e58b1626436a040221b1b6737a6
-
SHA1
098a03369c6ae60a53f10a6a410c66d8015374a6
-
SHA256
ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9
-
SHA512
340a234aafed4788248d0af1cd765dc012d073be0763d938973f86c8aca2e860114f94a4ca8c4f49cd4f4777e1d5bd1c0f0d379ee46fac90e865c07de86acfb3
-
SSDEEP
12288:lMr6y90glXQEom6s7ityC9TgN3xU/CY5ccz5HOIBwxyGDQaFUxlgzgVlSaxrb:7yRXQEotEEgTU/CMxMbDFMYgeaxrb
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2260-19-0x0000000002570000-0x000000000258A000-memory.dmp healer behavioral1/memory/2260-21-0x0000000002910000-0x0000000002928000-memory.dmp healer behavioral1/memory/2260-35-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-49-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-47-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-45-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-43-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-41-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-39-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-37-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-34-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-31-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-29-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-27-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-25-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-23-0x0000000002910000-0x0000000002922000-memory.dmp healer behavioral1/memory/2260-22-0x0000000002910000-0x0000000002922000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro9283.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro9283.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro9283.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro9283.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro9283.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro9283.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/3064-2143-0x0000000005770000-0x00000000057A2000-memory.dmp family_redline behavioral1/files/0x0014000000023acb-2148.dat family_redline behavioral1/memory/5448-2156-0x00000000002E0000-0x0000000000310000-memory.dmp family_redline behavioral1/files/0x000a000000023b8b-2165.dat family_redline behavioral1/memory/5712-2166-0x0000000000800000-0x000000000082E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation qu9093.exe -
Executes dropped EXE 5 IoCs
pid Process 1608 un512274.exe 2260 pro9283.exe 3064 qu9093.exe 5448 1.exe 5712 si108122.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro9283.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro9283.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un512274.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 848 2260 WerFault.exe 84 5600 3064 WerFault.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu9093.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language si108122.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un512274.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro9283.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2260 pro9283.exe 2260 pro9283.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2260 pro9283.exe Token: SeDebugPrivilege 3064 qu9093.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3924 wrote to memory of 1608 3924 ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe 83 PID 3924 wrote to memory of 1608 3924 ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe 83 PID 3924 wrote to memory of 1608 3924 ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe 83 PID 1608 wrote to memory of 2260 1608 un512274.exe 84 PID 1608 wrote to memory of 2260 1608 un512274.exe 84 PID 1608 wrote to memory of 2260 1608 un512274.exe 84 PID 1608 wrote to memory of 3064 1608 un512274.exe 93 PID 1608 wrote to memory of 3064 1608 un512274.exe 93 PID 1608 wrote to memory of 3064 1608 un512274.exe 93 PID 3064 wrote to memory of 5448 3064 qu9093.exe 94 PID 3064 wrote to memory of 5448 3064 qu9093.exe 94 PID 3064 wrote to memory of 5448 3064 qu9093.exe 94 PID 3924 wrote to memory of 5712 3924 ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe 97 PID 3924 wrote to memory of 5712 3924 ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe 97 PID 3924 wrote to memory of 5712 3924 ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe"C:\Users\Admin\AppData\Local\Temp\ecb0668b8b131acc1860d5775ce04d707cafc087c2bd32dc3d2e5a16022133a9.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un512274.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un512274.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9283.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9283.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 10844⤵
- Program crash
PID:848
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9093.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9093.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5448
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 13844⤵
- Program crash
PID:5600
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si108122.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si108122.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2260 -ip 22601⤵PID:1908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3064 -ip 30641⤵PID:5500
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD553637afb0c7ec5db6eb77509ac800cd5
SHA1387f03ff1c3c6c46798730756580126cdbc0a2d8
SHA2560ffeca6c2d8c04349813baae279900add7bbd686bafc2d0c71b159e817c929f7
SHA512bbfbd2f98f47afa5729763cb84c1fc229b04e021d4df82dbf66209e6bb521d56c622aa692d00b2a3f765705f59588029cfdf1520c4d000882bef7da736e8e3e6
-
Filesize
660KB
MD51b08d84df3986a314edd12b034492385
SHA117e15a0744fe56bf2643064e261fa923843b55a7
SHA25662f62c437bf6dc84575e3cf0d4eaf6333c8ba2308e22663d7170f6f775937206
SHA5126d584c75ad8916b77f37cc3df6f09542a16912906f6c12e1733c7d492d6e9253634e808556276b83c2d8633364ebeb83a93fb2715345e12488b810d8009242d7
-
Filesize
312KB
MD58e0669bf20700f303028063e18a10858
SHA12167a6118fdcaf1370eaa1c77414e728e4ec06ad
SHA256e41f2a36b75d95dc04c6b6298510bb79ef7f33d213612bb5f5546e8506ece303
SHA512b06e5e077b26980dfb96aba3e12b8b0b448c24ceb6ce367a5c932ce3522e1e234f213cc2e0e25a261ea349f989db7803c1c16aefcb11de2f2a2782147a97e1ff
-
Filesize
495KB
MD56853e446348177da0902c73857d191a2
SHA1b0e2467bb6f30042411edd136baf3aa5a466b9f4
SHA25661dc5a51654aaaaff323e3fcb874d562a7db0d3ca4f9ecba4229397e83cb1d11
SHA512a85c5159bcc345b2b0f70dcc6ba6d2d7c7c4310db06109b52b74c451041ea6be51fd756d1a381ca50001eeaa4eec68e92fd77f6b3ae1389ae7889ae515f30e8e
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0