Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:44
Static task: static1
Behavioral task: behavioral1
Sample: ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe
Resource: win10v2004-20241007-en
General
Target: ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe
Size: 814KB
MD5: 6f5f3f58c516439e7dee0b626706c41c
SHA1: 5b2f74f045cba13e36ff26bbb4b9ec67f2a639ef
SHA256: ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93
SHA512: e75efbd96ce7872827a1dc36f89ef97a4ed944da4b0567be36630e1d0517d1af2b0031099e595f15f99563c4a9f55b1ffef94adfe76d4bf19f513f00acf53168
SSDEEP: 12288:YMr8y90RBL6U7skFNqO05JaaGlPdckaVpWfyivOtzhJonk6iyn0OdC6fWjpD8AoV:EyI1UkaOqilPxaVDivO0qy0OdX0Ib
Malware Config
Extracted: redline
Botnet (campaign tag): norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
-
Extracted: redline
Botnet (campaign tag): diza
C2: 77.91.124.145:4125
auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80
-
Both extracted RedLine configurations use the same C2 endpoint (77.91.124.145:4125) and differ only in botnet tag and auth_value, so the sample carries two RedLine builds from the same operator infrastructure. For network detection the host:port pair is the indicator to use; the auth_value is sent to the C2 by the bot and is useful for clustering, not for blocking.
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 hits are memory regions of PID 5072 (pro4952.exe).
resource | yara_rule
behavioral1/memory/5072-19-0x0000000002780000-0x000000000279A000-memory.dmp | healer
behavioral1/memory/5072-21-0x0000000004DA0000-0x0000000004DB8000-memory.dmp | healer
behavioral1/memory/5072-23-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-22-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-47-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-33-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/5072-25-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
pro4952.exe creates the Real-Time Protection policy key and sets five Disable* values to 1, switching off behaviour monitoring, download/attachment (IOAV) scanning, on-access scanning, real-time monitoring and the scan normally run when real-time protection is re-enabled. The paths are recorded under WOW6432Node, the 32-bit registry view, consistent with a 32-bit process (the crash handler for PID 5072 is SysWOW64\WerFault.exe); detections should match both the native and the WOW6432Node spelling of these keys.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4952.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4952.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4952.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4952.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4952.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4952.exe
-
RedLine
RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.
-
RedLine payload (5 IoCs)
Memory hits are in PIDs 2872 (qu7109.exe), 4740 (1.exe) and 5728 (si959341.exe); the two .dat entries are dropped files.
resource | yara_rule
behavioral1/memory/2872-2143-0x00000000050A0000-0x00000000050D2000-memory.dmp | family_redline
behavioral1/files/0x0014000000023b7f-2148.dat | family_redline
behavioral1/memory/4740-2156-0x0000000000980000-0x00000000009B0000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cc0-2164.dat | family_redline
behavioral1/memory/5728-2167-0x0000000000CA0000-0x0000000000CCE000-memory.dmp | family_redline
-
Redline family
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely to geofence execution.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | qu7109.exe
-
Executes dropped EXE (5 IoCs)
pid | Process
4556 | un492162.exe
5072 | pro4952.exe
2872 | qu7109.exe
4740 | 1.exe
5728 | si959341.exe
-
Windows security modification (2 IoCs)
pro4952.exe also creates the Windows Defender Features key and sets TamperProtection to 0, again through the WOW6432Node view.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4952.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4952.exe
-
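The two Defender-related signatures above (the Real-Time Protection Disable* writes and the TamperProtection write) are the same detection problem: one process turning off several protection components in quick succession. The script below is an added example, not part of the sandbox report or the Healer/RedLine code; it runs detection logic over constructed records that imitate Sysmon Event ID 13 (RegistryEvent: SetValue) for the six writes the report attributes to pro4952.exe. The field names (ProcessId, Image, TargetObject, Details), the extra 64-bit writer (other64.exe) and the unrelated write (setup.exe) are assumptions made for the example; the key and value names are the ones the report shows.

```python
"""Detect Windows Defender tampering in registry SetValue telemetry.

Added example, not part of the sandbox report.  SAMPLE_EVENTS is
constructed to imitate Sysmon Event ID 13 records for the writes the report
attributes to pro4952.exe, plus one assumed 64-bit writer and one
unrelated write to show normalisation and the benign path.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values the report shows being set to 1.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = "software\\policies\\microsoft\\windows defender\\real-time protection"
TP_KEY = "software\\microsoft\\windows defender\\features"

_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def normalise_key(key: str) -> str:
    """Lower-case the key, drop the hive prefix and the WOW6432Node component.

    The report records the writes under WOW6432Node because the writer is a
    32-bit process; a 64-bit writer hits the native key.  Detection should
    treat both views as the same key.
    """
    k = key.lower()
    for prefix in ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\"):
        if k.startswith(prefix):
            k = k[len(prefix):]
            break
    return k.replace("\\wow6432node\\", "\\")


def parse_dword(details: str):
    """Accept Sysmon's 'DWORD (0x00000001)' form or a bare number; else None."""
    m = _DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    d = details.strip().strip('"')
    return int(d) if d.isdigit() else None


def classify(event: dict):
    """Return a finding tag for one SetValue event, or None if not of interest."""
    key, _, value_name = event["TargetObject"].rpartition("\\")
    key = normalise_key(key)
    data = parse_dword(event["Details"])
    if key == RTP_KEY and value_name in RTP_DISABLE_VALUES and data == 1:
        return "rtp_disabled:" + value_name
    if key == TP_KEY and value_name == "TamperProtection" and data == 0:
        return "tamper_protection_off"
    return None


def assess(events):
    """Aggregate findings per (pid, image) and attach a verdict.

    One process disabling three or more real-time components is the Healer
    pattern from the report; also clearing TamperProtection escalates it.
    """
    findings = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            findings[(ev["ProcessId"], ev["Image"])].add(tag)
    result = {}
    for proc, tags in findings.items():
        rtp_hits = sum(t.startswith("rtp_disabled:") for t in tags)
        tp_off = "tamper_protection_off" in tags
        if rtp_hits >= 3 and tp_off:
            verdict = "defender_disabled_and_tamper_protection_off"
        elif rtp_hits >= 3:
            verdict = "defender_realtime_disabled"
        else:
            verdict = "suspicious_defender_write"
        result[proc] = {"tags": sorted(tags), "verdict": verdict}
    return result


def _rec(pid, image, target, details):
    return {"ProcessId": pid, "Image": image, "TargetObject": target, "Details": details}


# Constructed sample: the six writes from the report (32-bit view), one
# assumed write through the native 64-bit path, and one unrelated write.
_RTP = "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
SAMPLE_EVENTS = [
    _rec(5072, "pro4952.exe", _RTP + v, "DWORD (0x00000001)") for v in sorted(RTP_DISABLE_VALUES)
] + [
    _rec(5072, "pro4952.exe",
         "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection",
         "DWORD (0x00000000)"),
    _rec(6100, "other64.exe",  # assumed 64-bit writer, native path
         "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
         "DWORD (0x00000001)"),
    _rec(7000, "setup.exe",  # unrelated write, must not be flagged
         "HKLM\\SOFTWARE\\WOW6432Node\\Vendor\\App\\InstallDir", "C:\\Program Files (x86)\\App"),
]

if __name__ == "__main__":
    for proc, finding in assess(SAMPLE_EVENTS).items():
        print(proc, finding["verdict"], finding["tags"])
```

The aggregation is per process rather than per event on purpose: a single DisableRealtimeMonitoring write can come from an administrator or a management agent, while five Disable* values plus TamperProtection from one freshly dropped binary is the dropper behaviour this report shows.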
Adds Run key to start application (2 TTPs, 2 IoCs)
Caveat: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP folder are written by the Windows IExpress/wextract self-extractor so that its extraction folder is deleted at the next logon. They show that the sample and un492162.exe are nested IExpress packages (the outer one extracts to IXP000.TMP, un492162.exe to IXP001.TMP); they do not relaunch the payload and should not be read as malware persistence on their own.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un492162.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2588 | 5072 | WerFault.exe | 85
5384 | 2872 | WerFault.exe | 97
-
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un492162.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro4952.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu7109.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | si959341.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5072 | pro4952.exe
5072 | pro4952.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5072 | pro4952.exe
Token: SeDebugPrivilege | 2872 | qu7109.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
Each spawn is logged three times; the five distinct parent-to-child writes are:
description | pid | Process | procid_target | count
PID 3920 wrote to memory of 4556 | 3920 | ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | 84 | 3
PID 4556 wrote to memory of 5072 | 4556 | un492162.exe | 85 | 3
PID 4556 wrote to memory of 2872 | 4556 | un492162.exe | 97 | 3
PID 2872 wrote to memory of 4740 | 2872 | qu7109.exe | 98 | 3
PID 3920 wrote to memory of 5728 | 3920 | ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe | 101 | 3
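The WriteProcessMemory rows, the Executes dropped EXE table and the YARA memory-dump hits (Detects Healer, RedLine payload) together contain everything needed to rebuild the process tree shown in the Processes section and to see which process each family ran in. The script below is an added example, not code from the sandbox report: it parses those rows in the format the report prints them, collapses the triplicated writes, and annotates each process with the YARA rules that hit its memory. The row strings are copied from the report; the function names and the output shape are this example's.

```python
"""Rebuild the sandbox process tree from the report's IoC rows.

Added example, not code from the sandbox report.  WRITE_ROWS, DROPPED_ROW
and DUMP_ROWS are copied from the "Suspicious use of WriteProcessMemory",
"Executes dropped EXE", "Detects Healer" and "RedLine payload" rows; only
the first spawn is kept in triplicate here to show the de-duplication.
"""
import re
from collections import OrderedDict, defaultdict

SAMPLE = "ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe"

WRITE_ROWS = f"""
PID 3920 wrote to memory of 4556 3920 {SAMPLE} 84
PID 3920 wrote to memory of 4556 3920 {SAMPLE} 84
PID 3920 wrote to memory of 4556 3920 {SAMPLE} 84
PID 4556 wrote to memory of 5072 4556 un492162.exe 85
PID 4556 wrote to memory of 2872 4556 un492162.exe 97
PID 2872 wrote to memory of 4740 2872 qu7109.exe 98
PID 3920 wrote to memory of 5728 3920 {SAMPLE} 101
""".strip().splitlines()
DROPPED_ROW = "4556 un492162.exe 5072 pro4952.exe 2872 qu7109.exe 4740 1.exe 5728 si959341.exe"
DUMP_ROWS = [
    "behavioral1/memory/5072-19-0x0000000002780000-0x000000000279A000-memory.dmp healer",
    "behavioral1/memory/2872-2143-0x00000000050A0000-0x00000000050D2000-memory.dmp family_redline",
    "behavioral1/files/0x0014000000023b7f-2148.dat family_redline",
    "behavioral1/memory/4740-2156-0x0000000000980000-0x00000000009B0000-memory.dmp family_redline",
    "behavioral1/memory/5728-2167-0x0000000000CA0000-0x0000000000CCE000-memory.dmp family_redline",
]

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
# "behavioral1/memory/<pid>-<n>-<start>-<end>-memory.dmp <rule>"; file hits carry no pid
DUMP_RE = re.compile(r"behavioral1/memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp (\S+)")


def parse_writes(rows):
    """Return ordered (parent, child) -> count and pid -> image for the writers."""
    edges, names = OrderedDict(), {}
    for row in rows:
        m = WRITE_RE.search(row)
        if not m:
            continue
        parent, child, image = int(m[1]), int(m[2]), m[3]
        edges[(parent, child)] = edges.get((parent, child), 0) + 1
        names[parent] = image
    return edges, names


def parse_dropped(row):
    """pid -> image from the 'Executes dropped EXE' row."""
    return {int(pid): name for pid, name in re.findall(r"(\d+) (\S+\.exe)", row)}


def parse_dumps(rows):
    """pid -> set of YARA rule names that matched a memory dump of that pid."""
    fams = defaultdict(set)
    for row in rows:
        m = DUMP_RE.search(row)
        if m:
            fams[int(m[1])].add(m[2])
    return fams


def build_tree(edges, names, fams):
    """Depth-first rows (depth, pid, image, [rule names]) from each root down."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    spawned = {child for _, child in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in spawned))
    rows = []

    def walk(pid, depth):
        rows.append((depth, pid, names.get(pid, "?"), sorted(fams.get(pid, ()))))
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 1)
    return rows


def render(rows):
    """Indented text tree; '<- rule' marks processes whose memory matched YARA."""
    out = []
    for depth, pid, image, rules in rows:
        tag = f"  <- {', '.join(rules)}" if rules else ""
        out.append("  " * (depth - 1) + f"{image} (PID {pid}){tag}")
    return "\n".join(out)


def analyse(write_rows=WRITE_ROWS, dropped_row=DROPPED_ROW, dump_rows=DUMP_ROWS):
    edges, names = parse_writes(write_rows)
    names.update(parse_dropped(dropped_row))
    return build_tree(edges, names, parse_dumps(dump_rows)), edges


if __name__ == "__main__":
    tree_rows, write_edges = analyse()
    print(render(tree_rows))
```

Run stand-alone it prints the same tree the Processes section shows, with pro4952.exe tagged healer and qu7109.exe, 1.exe and si959341.exe tagged family_redline; the WerFault.exe processes do not appear because they are started by the OS, not by a write from a sample process.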
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe (PID 3920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ca0acff592494132389b9d0604769c8bf72462c526d23b9c44d0c05512f8da93.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe (PID 4556)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un492162.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe (PID 5072)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4952.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 2588)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1004
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe (PID 2872)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7109.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Temp\1.exe (PID 4740)
          Command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 5384)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1376
          - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe (PID 5728)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si959341.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4428)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5072 -ip 5072
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3752)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2872 -ip 2872
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
Downloads
-
Filesize: 169KB
MD5: 431c85d48f449c8ef14d544c312bf925
SHA1: 5b4949d806f85d1d003acce4d6728da4911a3856
SHA256: cdbefdcb9b74b27294932ecb43f2608f097a17b0d9e3bf65b20ea31b101c6a11
SHA512: 481d2803523e995d017c96d1bf5298b5de433458f9bbe7e4729a54a8a58a9431d37505cfaf3b8f86f27ab985c8d34ba23feeb965bf371ae3471a238c270ed26e
-
Filesize: 660KB
MD5: 6b374084032be67bedfdcc082de439a0
SHA1: 2ca5793c18f07d0c456c81e53057e470c3dcb31b
SHA256: b756f24e4cbf6b6151d95e0d25bcaa1d59f58de5742b3c5b08373c90f1604648
SHA512: 0a67dc400573295eab47f6fbf36159d212e619a70c37fb41be6e1e2d53ef308393666e7d4a1141c537aeaa27a90d299dbc05a19ee61fa04819a99055d983f92f
-
Filesize: 332KB
MD5: 9bc12f29b331507bdb5f607bdecbd64a
SHA1: db23d36642f7b3f086d3e26ee82d525c6002f4c6
SHA256: 783ce6f1acfd8266d672a9ddf2193154f2a14cfdb911df082b53dbb3c8cfeacc
SHA512: c22fe639e5561035c02bc0208fa0393810b8b1a313a04cb48c66ace6d947485d05d8696d6bcb8a18adaf171a72ecac4aa3dcf0554f3dd431b6936d4a0703c6d4
-
Filesize: 515KB
MD5: fedb9535573fa0657e99313221c438df
SHA1: e065225b34ed492635f682b04c104c81016ca9a4
SHA256: e938b8e76cf47d16377b3a76fa9e96cd7b131d3ef747aee7e52ada6c2ca2f94a
SHA512: ebe84b74ff6bcce9d470de27e8458a26a221ee65d915d2ee6c204f617a15a2c220607b93fe51d7150461574b972693ef0e8a156902856b6573bdcb71f8cd53f0
-
Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0