Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 15:09
Static task
static1
Behavioral task
behavioral1
Sample
aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe
Resource
win10v2004-20241007-en
General
-
Target
aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe
-
Size
652KB
-
MD5
0918435f20b4382e4211ea0501f8b47e
-
SHA1
df0e815bdbbb76901ea5c2629c8c6934a8837c84
-
SHA256
aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61
-
SHA512
bab67081cc3198d85fe08e1ac67394085cfbb37637c12d7fb612805670902bdfd666bd1471ff59ccf4bd2f8cc38e200b602a3289c4b4a479f7dffcfe49fa0f11
-
SSDEEP
12288:vMrhy90G2jGxRmP2BeqNoPTRhUi3rT9PsGKV3tcb1S8O+Q6x:yyKqxsP2BtyjP5ycU+jx
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023bb2-12.dat healer behavioral1/memory/4536-15-0x00000000007D0000-0x00000000007DA000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr522379.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr522379.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr522379.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr522379.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr522379.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr522379.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/3396-2105-0x0000000005540000-0x0000000005572000-memory.dmp family_redline behavioral1/files/0x000800000001e58a-2110.dat family_redline behavioral1/memory/2384-2118-0x0000000000BB0000-0x0000000000BE0000-memory.dmp family_redline behavioral1/files/0x000a000000023bb0-2128.dat family_redline behavioral1/memory/4848-2129-0x0000000000570000-0x000000000059E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation ku337555.exe -
Executes dropped EXE 5 IoCs
pid Process 4936 ziuj7047.exe 4536 jr522379.exe 3396 ku337555.exe 2384 1.exe 4848 lr621615.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr522379.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziuj7047.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 540 3396 WerFault.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziuj7047.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku337555.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lr621615.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4536 jr522379.exe 4536 jr522379.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4536 jr522379.exe Token: SeDebugPrivilege 3396 ku337555.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4764 wrote to memory of 4936 4764 aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe 84 PID 4764 wrote to memory of 4936 4764 aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe 84 PID 4764 wrote to memory of 4936 4764 aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe 84 PID 4936 wrote to memory of 4536 4936 ziuj7047.exe 85 PID 4936 wrote to memory of 4536 4936 ziuj7047.exe 85 PID 4936 wrote to memory of 3396 4936 ziuj7047.exe 89 PID 4936 wrote to memory of 3396 4936 ziuj7047.exe 89 PID 4936 wrote to memory of 3396 4936 ziuj7047.exe 89 PID 3396 wrote to memory of 2384 3396 ku337555.exe 90 PID 3396 wrote to memory of 2384 3396 ku337555.exe 90 PID 3396 wrote to memory of 2384 3396 ku337555.exe 90 PID 4764 wrote to memory of 4848 4764 aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe 95 PID 4764 wrote to memory of 4848 4764 aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe 95 PID 4764 wrote to memory of 4848 4764 aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe"C:\Users\Admin\AppData\Local\Temp\aade7371c756a35b6254fed02754968b9e645b278d467b94708223e88d8ebe61.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuj7047.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuj7047.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr522379.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr522379.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku337555.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku337555.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 9924⤵
- Program crash
PID:540
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr621615.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr621615.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3396 -ip 33961⤵PID:4232
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD59512c5caa5245973058913fae345b125
SHA141a15f906fc2c3d177ca7bd38377a42f64aa7fa0
SHA25653962b6bd4af0e1c083c9c11364c3d94af71b067d18ded1519c66cedd01bfa06
SHA5127c6a64a346063b3fe8be36b36d32196a65d8d708e58c331a6438a2d3f3b6d17a3f093f56059d479e6daf1f99db0470fa15c898a2d77108aa99c34bce707bb378
-
Filesize
498KB
MD586973886b1b24952ec7c2ef6fd0c18f5
SHA1eccae191537029e5fea79c343273dd1bd97bdcb3
SHA2565985194af2691c36b5befc210a7fceb613feb8b203b463709742cd9c5dc8fe64
SHA51291aa6ec4091696ab909c6f7c2754fbeb9bd7ed6de5219b6146b06a087b21ed13d566cf3c62183d77bdd49eebfc336233414d822fc8eb29a6fcb8dabdcc00c9db
-
Filesize
12KB
MD53d38f2de87def49a1503fa63f2c79ea1
SHA1c022644adab2559b11ad4c0eda4757c85a8076df
SHA2568ad3f114cb1b84845b9986858a370d7686ad3065fda99c7d83fc5c6b03e2b02c
SHA5127cdfacfb95e31bb5fc44b795eb13fdb656e7e840ba405973ff1e542c7eed4b059cf23dc89f29bc7f9471113ca47e1a0c48ca98f09661ca4e6fe7f66281fefd75
-
Filesize
417KB
MD5d18780869684fc66bd2462531079a158
SHA15c0742bcdd3a98997f08601f9706ea37c410b435
SHA2561539195ef0840e8a53b61c8de1ba74d284858092de1d7571f3d3744122840fb6
SHA512d1c0119e801c4f13b8298b729a0e8c43ab7f6dc9798f93f4a315dc394734f7fb2aafbb1ab7a4096c59f74fbe1434cf17e1232e4e8d091a005aab5f8d842e8b89
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0