Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:15
Static task: static1
Behavioral task: behavioral1
Sample: b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe
Resource: win10v2004-20241007-en
General

Target: b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe
Size: 787KB
MD5: e924881cd5d269936034a331a10960c6
SHA1: 5b3bb1c2502bb073b726a9e8e8e250f96ee1aaaf
SHA256: b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2
SHA512: 1e1ece4a9812585eec9fcea91808f06d21dc789145bf41794169d16fef91ab5245eea96e285117ee373746454fbe8b97ad73d7f21bead6caa1cd62f97fd9522a
SSDEEP: 12288:5Mrgy90dfl633DFc6Q3dlvJuRZKDAk9j3fY1ldFiwa9VaS:NyCd6HSX3dlvJwZuAKj3fEgwaDaS
Malware Config

Extracted: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted: redline
Botnet: diza
C2: 77.91.124.145:4125
auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80

Both configs point at the same C2 endpoint and differ only in botnet tag and auth_value, which matches the two family_redline file hits and the three RedLine process memory hits listed under Signatures: the sample carries two separately configured RedLine payloads.
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1376-19-0x00000000007A0000-0x00000000007BA000-memory.dmp | healer
behavioral1/memory/1376-21-0x0000000002340000-0x0000000002358000-memory.dmp | healer
behavioral1/memory/1376-33-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-47-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-45-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-43-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-41-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-39-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-37-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-35-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-31-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-49-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-27-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-25-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-23-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-22-0x0000000002340000-0x0000000002352000-memory.dmp | healer
behavioral1/memory/1376-29-0x0000000002340000-0x0000000002352000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro3715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3715.exe

The WOW6432Node path shows that pro3715.exe is a 32-bit process writing through the registry redirector on an x64 host (its crash was also handled by the SysWOW64 WerFault.exe); detection rules for these values should match both the redirected and the native spelling of the key.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1424-2143-0x0000000004CF0000-0x0000000004D22000-memory.dmp | family_redline
behavioral1/files/0x000b000000023cda-2148.dat | family_redline
behavioral1/memory/5672-2156-0x0000000000B60000-0x0000000000B90000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cd5-2165.dat | family_redline
behavioral1/memory/5856-2167-0x00000000000C0000-0x00000000000EE000-memory.dmp | family_redline
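The two YARA tables above list every memory snapshot that matched, so one region of pid 1376 accounts for sixteen of the seventeen Healer hits. The parser below is an added example (not part of the sandbox report or its tooling) that reads IoC lines in the report's own `behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>` shape, skips file-based hits, and collapses repeated snapshots into distinct (pid, rule, region) entries with their sizes. The input list is copied from the tables, trimmed to a representative subset.

```python
import re
from collections import defaultdict

# IoC strings in the shape the report's YARA tables use. Four come from the
# "healer" table and three from the "family_redline" table; the remaining healer
# hits are omitted here because they repeat the 0x2340000 region of pid 1376.
MEMORY_IOCS = [
    "behavioral1/memory/1376-19-0x00000000007A0000-0x00000000007BA000-memory.dmp healer",
    "behavioral1/memory/1376-21-0x0000000002340000-0x0000000002358000-memory.dmp healer",
    "behavioral1/memory/1376-33-0x0000000002340000-0x0000000002352000-memory.dmp healer",
    "behavioral1/memory/1376-47-0x0000000002340000-0x0000000002352000-memory.dmp healer",
    "behavioral1/memory/1424-2143-0x0000000004CF0000-0x0000000004D22000-memory.dmp family_redline",
    "behavioral1/memory/5672-2156-0x0000000000B60000-0x0000000000B90000-memory.dmp family_redline",
    "behavioral1/memory/5856-2167-0x00000000000C0000-0x00000000000EE000-memory.dmp family_redline",
    # file-based hits have a different path shape and are deliberately skipped
    "behavioral1/files/0x000b000000023cda-2148.dat family_redline",
]

IOC_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_memory_ioc(line):
    """Return a dict for a memory-dump IoC line, or None for any other IoC shape."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"region end precedes start: {line!r}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start, "rule": m["rule"]}


def summarize_regions(lines):
    """Collapse repeated snapshots of one (pid, rule, start) into a single entry.

    Returns {(pid, rule): [(start, max_end, hit_count), ...]} sorted by start.
    Successive dumps of a region can shrink (the report shows end 0x2358000 and
    then 0x2352000 for pid 1376), so the largest end seen is kept.
    """
    regions = defaultdict(dict)
    for line in lines:
        ioc = parse_memory_ioc(line)
        if ioc is None:
            continue
        key = (ioc["pid"], ioc["rule"])
        end, count = regions[key].get(ioc["start"], (0, 0))
        regions[key][ioc["start"]] = (max(end, ioc["end"]), count + 1)
    return {key: sorted((s, e, c) for s, (e, c) in starts.items())
            for key, starts in regions.items()}


def region_report(lines):
    """One human-readable line per distinct matched region."""
    out = []
    for (pid, rule), regs in sorted(summarize_regions(lines).items()):
        for start, end, count in regs:
            plural = "s" if count != 1 else ""
            out.append(f"pid {pid:<5} {rule:<15} 0x{start:08X}-0x{end:08X} "
                       f"size 0x{end - start:X} ({count} snapshot{plural})")
    return out


if __name__ == "__main__":
    print("\n".join(region_report(MEMORY_IOCS)))
```

Running it shows that the Healer hits are two regions of pid 1376 (0x1A000 and 0x18000 bytes) rather than seventeen separate findings, and that each RedLine process has a single matched region of roughly 0x30000 bytes, a convenient size hint when carving the unpacked payload from a full dump.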
Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | qu3408.exe
Executes dropped EXE (5 IoCs)
pid | Process
4988 | un795890.exe
1376 | pro3715.exe
1424 | qu3408.exe
5672 | 1.exe
5856 | si501416.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro3715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3715.exe
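The two Defender tables above (the Real-Time Protection policy values and the Features\TamperProtection write) are the behaviour a detection rule for Healer should key on. The code below is an added example, not part of the report or of any vendor product, that evaluates registry-write events given in the report's "description / ioc / Process" shape: it maps the sandbox's native `\REGISTRY\MACHINE` prefix to HKLM, strips the WOW6432Node redirection node so one rule covers 32-bit and 64-bit writers, and flags only writes that turn protection off. The first seven events reproduce the page's IoCs for pro3715.exe; the process names `hypothetical64.exe`, `gpupdate.exe` and `MsMpEng.exe` in the last three events are constructed controls for this example.

```python
import re

# Registry-write events as (description, ioc, process). The first seven reproduce
# the report's Healer IoCs. The last three are constructed for this example: a
# malicious write in the native (non-WOW6432Node) spelling, then two benign writes
# of "protection on" values that must not produce a finding.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
REGISTRY_EVENTS = [
    ("Key created",     RTP, "pro3715.exe"),
    ("Set value (int)", RTP + r'\DisableBehaviorMonitoring = "1"', "pro3715.exe"),
    ("Set value (int)", RTP + r'\DisableIOAVProtection = "1"', "pro3715.exe"),
    ("Set value (int)", RTP + r'\DisableOnAccessProtection = "1"', "pro3715.exe"),
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', "pro3715.exe"),
    ("Set value (int)", RTP + r'\DisableScanOnRealtimeEnable = "1"', "pro3715.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"', "pro3715.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"', "hypothetical64.exe"),
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "0"', "gpupdate.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "5"', "MsMpEng.exe"),
]

# Either "<key>" (Key created) or "<key>\<value name> = "<data>"" (Set value).
EVENT_RE = re.compile(r'^(?P<path>[^=]+?)(?:\s=\s"(?P<data>[^"]*)")?$')

# (normalised key, value-name predicate, data meaning "protection off", title)
RULES = [
    (r"hklm\software\policies\microsoft\windows defender\real-time protection",
     lambda name: name.startswith("disable"), "1",
     "Defender real-time protection component disabled through the policy key"),
    (r"hklm\software\microsoft\windows defender\features",
     lambda name: name == "tamperprotection", "0",
     "Defender Tamper Protection value set to 0"),
]


def normalize_path(path):
    """Map \\REGISTRY\\MACHINE to HKLM, drop the WOW6432Node node that a 32-bit
    process on x64 writes through, and lower-case, so one rule matches both the
    redirected and the native spelling of a key (registry paths are case-insensitive)."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)
    return p.lower()


def evaluate(events):
    """Return one finding per Defender-disabling write. 'Key created' rows carry
    no data and are skipped; the Set value row that follows them is what matters."""
    findings = []
    for _action, ioc, process in events:
        m = EVENT_RE.match(ioc)
        if not m or m["data"] is None:
            continue
        key, _, name = normalize_path(m["path"]).rpartition("\\")
        for prefix, name_ok, bad_data, title in RULES:
            if key == prefix and name_ok(name) and m["data"] == bad_data:
                findings.append({"process": process, "value": name,
                                 "data": m["data"], "title": title})
    return findings


def count_by_process(findings):
    counts = {}
    for f in findings:
        counts[f["process"]] = counts.get(f["process"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(REGISTRY_EVENTS):
        print(f"{f['process']:<20} {f['value']:<28} = {f['data']}  {f['title']}")
```

The benign controls matter: a Group Policy refresh legitimately writes these same value names with data "0", so a rule that fires on the key path alone is noisy. Also note that on a host where Tamper Protection is enforced the Defender service is designed to reject or revert these writes, so the attempt is the signal to alert on, not the resulting state.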
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un795890.exe

Both entries are the RunOnce cleanup hooks that the Windows self-extractor (wextract, as built by IExpress) registers so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP staging directory at the next logon. They indicate that the sample and un795890.exe are nested self-extracting archives, not that the malware installs its own persistence; the IXP000.TMP and IXP001.TMP directories are where the dropped stages under Processes were written.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2100 | 1376 | WerFault.exe | 86
5784 | 1424 | WerFault.exe | 102

The two crashed processes are pro3715.exe (the Healer dropper) and qu3408.exe (the process whose memory matched family_redline and which spawned 1.exe). WerFault.exe was started from SysWOW64 in both cases, which confirms that both are 32-bit processes.
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | si501416.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un795890.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro3715.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3408.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1376 | pro3715.exe
1376 | pro3715.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1376 | pro3715.exe
Token: SeDebugPrivilege | 1424 | qu3408.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 372 wrote to memory of 4988 | 372 | b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe | 85 (recorded 3 times)
PID 4988 wrote to memory of 1376 | 4988 | un795890.exe | 86 (recorded 3 times)
PID 4988 wrote to memory of 1424 | 4988 | un795890.exe | 102 (recorded 3 times)
PID 1424 wrote to memory of 5672 | 1424 | qu3408.exe | 103 (recorded 3 times)
PID 372 wrote to memory of 5856 | 372 | b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe | 106 (recorded 3 times)

Every entry pairs a parent with a child it launched, so the table mirrors the process tree below: these are the writes a parent performs into a new child during process creation, not injection into an unrelated process.
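The WriteProcessMemory, Executes dropped EXE and Program crash tables together contain everything needed to rebuild the process tree shown below. The following code is an added example, not part of the report, that parses the WriteProcessMemory rows in the report's own text shape, de-duplicates the triplicated entries, cross-checks the pid column against the description, and renders the lineage with crash annotations. The input lines are copied from the tables above.

```python
import re
from collections import defaultdict

SAMPLE = "b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe"

# "Suspicious use of WriteProcessMemory" rows, flattened to one line each in the
# order "<description> <pid> <Process> <procid_target>"; the sandbox records each
# parent->child pair three times, reproduced here with the * 3 repetition.
WPM_LINES = (
    [f"PID 372 wrote to memory of 4988 372 {SAMPLE} 85"] * 3
    + ["PID 4988 wrote to memory of 1376 4988 un795890.exe 86"] * 3
    + ["PID 4988 wrote to memory of 1424 4988 un795890.exe 102"] * 3
    + ["PID 1424 wrote to memory of 5672 1424 qu3408.exe 103"] * 3
    + [f"PID 372 wrote to memory of 5856 372 {SAMPLE} 106"] * 3
)
# "Executes dropped EXE": pid -> image name
DROPPED = {4988: "un795890.exe", 1376: "pro3715.exe", 1424: "qu3408.exe",
           5672: "1.exe", 5856: "si501416.exe"}
# "Program crash": (WerFault pid, pid_target)
CRASHES = [(2100, 1376), (5784, 1424)]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(lines):
    """Return de-duplicated (parent_pid, child_pid, parent_image) edges, first-seen order."""
    edges, seen = [], set()
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        parent, child, pid_col, image, _procid_target = m.groups()
        if parent != pid_col:
            raise ValueError(f"pid column {pid_col} disagrees with description: {line!r}")
        edge = (int(parent), int(child))
        if edge not in seen:
            seen.add(edge)
            edges.append((*edge, image))
    return edges


def build_tree(edges, images, crashes):
    """Return (children, names, roots, werfault_by_target)."""
    children = defaultdict(list)
    names = dict(images)
    for parent, child, parent_image in edges:
        names.setdefault(parent, parent_image)  # the root is only named in the edge rows
        children[parent].append(child)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    werfault = {target: wer for wer, target in crashes}
    return children, names, roots, werfault


def render(lines=WPM_LINES, images=DROPPED, crashes=CRASHES):
    """Indented tree, one line per process, with the WerFault pid for crashed ones."""
    children, names, roots, werfault = build_tree(parse_wpm(lines), images, crashes)
    out = []

    def walk(pid, depth):
        tag = f"  [crashed, WerFault pid {werfault[pid]}]" if pid in werfault else ""
        out.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render()))
```

The consistency check between the description and the pid column is cheap insurance when copying rows out of a flattened report; a mismatch usually means a column was lost in extraction rather than a real anomaly.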
Processes

C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe  (depth 1, PID 372)
  command line: "C:\Users\Admin\AppData\Local\Temp\b1ef8a77390c2929441e4b5097c912759da99e15f1bf48d790ca8f0db819b5b2.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe  (depth 2, PID 4988)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un795890.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe  (depth 3, PID 1376)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3715.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (depth 4, PID 2100)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1004
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe  (depth 3, PID 1424)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3408.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\1.exe  (depth 4, PID 5672)
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe  (depth 4, PID 5784)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1544
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe  (depth 2, PID 5856)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si501416.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe  (depth 1, PID 3488)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1376 -ip 1376

C:\Windows\SysWOW64\WerFault.exe  (depth 1, PID 5712)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 1424
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 168KB
MD5: effd9088e5a4c0915673ebdd00d85e7d
SHA1: 412f90d32c89e8193371c4c04a0fc273a8b77574
SHA256: cad8e1a21485522122095ddabcb37e694c968449c5813f92ffa634f8bccbd47b
SHA512: 584ad7bb23c1a9f423d737978c787f376d4ca2a3f9fadd39a660603f0e624b3b4d0f1734f5e27f06d3e99188634bbfba454ce43e813ed829fd2518e360573c96

Filesize: 633KB
MD5: 60abf9e419721a7682fc787f34db8b7f
SHA1: 4a74f6f9b4623920ba2dfe7ce5cb80445e4e4a86
SHA256: da82603941288fe57a69499c4e06655e3ca7be494b41915cdc5714bdcb86810d
SHA512: 64013c6247d4b1d1a9e5c89f73ac67ad58a99490ee94ab075a722e4d201727936d8cf802eab32608e0237c009d59838082bd79a4e6414ee3f013518c3a170d3e

Filesize: 230KB
MD5: ae4d5c598d757fc26e0924f6c8727c76
SHA1: 451c2eb8671db4729af05de661f582965c88d810
SHA256: 07d883fb6aa30562ab9d0503bdbd91e6bf91872eae45e18ed868664a4659446d
SHA512: d8448ba5e462cffb669d1c152ec2e345848a5251a48c8dd7f3b388e6d2078194a2f0f145de26097e9effed6cafc80f011684cb788ecceea0c2753072eb43d0ee

Filesize: 414KB
MD5: 2a87622297c16d63a425839e53cfc29b
SHA1: 2bf35e9f7c2c50699dc7d7da98714478a895c2c6
SHA256: 30ef6bac870ed2a351aa857702c6555d415f844d346c933a2f32e3b5cb227385
SHA512: fe08bdb42ad71d499bff95eff886dedacaee0f483282526455ae37cff331607e09754cb0e02ac78069cf9e010201febcd8adf7d6275b433c7ea0b6a8d5f079ee

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0