Analysis

max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:14

Static task: static1
Behavioral task: behavioral1
Sample: fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe
Resource: win10v2004-20241007-en
General

Target: fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe
Size: 787KB
MD5: 40c0e0d4a657bd213faebee33b1ea725
SHA1: e833a6140993f78c4a3e82702d56da449ac78857
SHA256: fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e
SHA512: 7bdb7538685acaa309ea78a377c74897a71f25b38fc301f1984288d66ff197780b2039c738aed6447a90e4c5bcdab92a76aacffe6fb7a562edf78883c6273547
SSDEEP: 12288:cMr2y90EryjxfmUALGgZmwzQqs1+9SjJwfcZDiWcoXX7m1mfZjl1X8RC0Gh:CyWlYtfQqsAwjJWcZDiWcmcmhrM05
Malware Config

Extracted
Family: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted
Family: redline
Botnet: diza
C2: 77.91.124.145:4125
auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80

Both configurations point at the same C2 endpoint and differ only in botnet ID and auth_value, consistent with two separate RedLine payloads being run from this dropper (see the RedLine payload IoCs below). Block the IP:port pair once; keep both auth_values for sample correlation.
Signatures

Detects Healer, an antivirus disabler dropper  17 IoCs
resource | yara_rule
behavioral1/memory/4728-19-0x00000000022A0000-0x00000000022BA000-memory.dmp | healer
behavioral1/memory/4728-21-0x00000000022F0000-0x0000000002308000-memory.dmp | healer
behavioral1/memory/4728-22-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-49-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-47-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-45-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-43-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-42-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-39-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-38-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-35-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-33-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-31-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-29-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-27-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-25-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/4728-23-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
All 17 hits are in PID 4728 (pro8712.exe); the same two private regions are matched repeatedly across successive dumps.

Healer family

Modifies Windows Defender Real-time Protection settings  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8712.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8712.exe
The writes land under the Policies hive (the same values a GPO would set), which takes precedence over the local Defender settings; the WOW6432Node path reflects a 32-bit process writing from under the registry redirector.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload  5 IoCs
resource | yara_rule
behavioral1/memory/1336-2143-0x0000000004B50000-0x0000000004B82000-memory.dmp | family_redline
behavioral1/files/0x00090000000229c7-2148.dat | family_redline
behavioral1/memory/4892-2156-0x0000000000050000-0x0000000000080000-memory.dmp | family_redline
behavioral1/files/0x0008000000023ca1-2165.dat | family_redline
behavioral1/memory/5456-2167-0x0000000000F20000-0x0000000000F4E000-memory.dmp | family_redline

Redline family
Checks computer location settings  2 TTPs  1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | qu5910.exe
Executes dropped EXE  5 IoCs
pid | Process
644 | un928469.exe
4728 | pro8712.exe
1336 | qu5910.exe
4892 | 1.exe
5456 | si170791.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8712.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8712.exe
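As an added detection example (not part of the sandbox report), the following Python reads constructed Sysmon Event ID 13 (registry value set) lines modelled on the writes attributed to pro8712.exe above and in the Real-time Protection table, folds the \REGISTRY\MACHINE, HKEY_LOCAL_MACHINE and WOW6432Node spellings onto one path, and flags only writes that move a Defender setting in the disabling direction (DisableX = 1, TamperProtection = 0). The one-line event layout, the svchost.exe and reg.exe negatives, and the field names are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) lines. The three
# pro8712.exe writes mirror the registry changes this page attributes to it;
# the svchost.exe, EventID 12 and reg.exe lines are made-up negatives.
SAMPLE_EVENTS: List[str] = [
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8712.exe "
    r"TargetObject=HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring "
    r"Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8712.exe "
    r"TargetObject=HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring "
    r"Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8712.exe "
    r"TargetObject=\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection "
    r"Details=DWORD (0x00000000)",
    # Same value name, opposite direction (monitoring turned back on): not an alert.
    r"EventID=13 Image=C:\Windows\System32\svchost.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring "
    r"Details=DWORD (0x00000000)",
    # Key creation (EventID 12) carries no Details and is not a value write.
    r"EventID=12 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8712.exe "
    r"TargetObject=HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection",
    # Unrelated value write.
    r"EventID=13 Image=C:\Windows\System32\reg.exe "
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater "
    r"Details=C:\Users\Admin\updater.exe",
]

EVENT_RE = re.compile(
    r"^EventID=(?P<id>\d+) Image=(?P<image>.+?) TargetObject=(?P<target>.+?)"
    r"(?: Details=(?P<details>.+))?$"
)

# Normalised, lower-case path suffix -> the value that disables the protection.
DISABLING_WRITES: Dict[str, int] = {
    r"\windows defender\real-time protection\disablerealtimemonitoring": 1,
    r"\windows defender\real-time protection\disablebehaviormonitoring": 1,
    r"\windows defender\real-time protection\disableioavprotection": 1,
    r"\windows defender\real-time protection\disableonaccessprotection": 1,
    r"\windows defender\real-time protection\disablescanonrealtimeenable": 1,
    r"\windows defender\disableantispyware": 1,
    r"\windows defender\features\tamperprotection": 0,
}


def normalize_path(target: str) -> str:
    """Fold the kernel, Win32 and WOW64 spellings of a key onto one form."""
    p = target.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\").replace("hkey_local_machine\\", "hklm\\")
    return p.replace("\\wow6432node\\", "\\")


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x........)'; anything else -> None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details.strip(), re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def find_defender_tampering(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per value write that disables a Defender protection."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "13" or m.group("details") is None:
            continue
        path = normalize_path(m.group("target"))
        value = parse_dword(m.group("details"))
        for suffix, disabling_value in DISABLING_WRITES.items():
            if path.endswith(suffix) and value == disabling_value:
                hits.append({
                    "image": m.group("image"),
                    "value_name": suffix.rsplit("\\", 1)[1],
                    "path": path,
                    "value": value,
                    # Policy-hive writes take precedence over the local setting.
                    "via_policy": "\\policies\\microsoft\\windows defender\\" in path,
                })
                break
    return hits


if __name__ == "__main__":
    for h in find_defender_tampering(SAMPLE_EVENTS):
        print(f"{h['image']} set {h['value_name']}={h['value']} (policy={h['via_policy']})")
```

Matching on direction rather than on the value name alone is what keeps Defender's own re-enable writes out of the alert stream. A recorded write also does not prove protection is actually off: with Tamper Protection enabled, Defender disregards changes to these values that do not come through a supported management channel, so pair the registry hit with the Defender operational log before calling the host unprotected.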
Adds Run key to start application  2 TTPs  2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un928469.exe
Caveat: RunOnce entries named wextract_cleanupN that call advpack.dll,DelNodeRunDLL32 are the standard footprint of a wextract (IExpress) self-extracting package. They schedule deletion of the IXP00N.TMP extraction directory at next logon; they do not relaunch anything. Read this as evidence of two nested wextract layers (IXP000.TMP, then IXP001.TMP), not as persistence for the stealer.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash  2 IoCs
pid | pid_target | Process | procid_target
1124 | 4728 | WerFault.exe | 85
5576 | 1336 | WerFault.exe | 98
Both pro8712.exe (4728) and qu5910.exe (1336) crashed during the run; the RedLine memory hits in 1336 and the child 1.exe were captured before the crash.
System Location Discovery: System Language Discovery  1 TTPs  6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | si170791.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un928469.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro8712.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu5910.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid | Process
4728 | pro8712.exe
4728 | pro8712.exe

Suspicious use of AdjustPrivilegeToken  2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4728 | pro8712.exe
Token: SeDebugPrivilege | 1336 | qu5910.exe

Suspicious use of WriteProcessMemory  15 IoCs
description | pid | Process | procid_target
PID 436 wrote to memory of 644 | 436 | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe | 83
PID 436 wrote to memory of 644 | 436 | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe | 83
PID 436 wrote to memory of 644 | 436 | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe | 83
PID 644 wrote to memory of 4728 | 644 | un928469.exe | 85
PID 644 wrote to memory of 4728 | 644 | un928469.exe | 85
PID 644 wrote to memory of 4728 | 644 | un928469.exe | 85
PID 644 wrote to memory of 1336 | 644 | un928469.exe | 98
PID 644 wrote to memory of 1336 | 644 | un928469.exe | 98
PID 644 wrote to memory of 1336 | 644 | un928469.exe | 98
PID 1336 wrote to memory of 4892 | 1336 | qu5910.exe | 99
PID 1336 wrote to memory of 4892 | 1336 | qu5910.exe | 99
PID 1336 wrote to memory of 4892 | 1336 | qu5910.exe | 99
PID 436 wrote to memory of 5456 | 436 | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe | 102
PID 436 wrote to memory of 5456 | 436 | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe | 102
PID 436 wrote to memory of 5456 | 436 | fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe | 102
Every target pid here is a process the writer itself spawned, and each pair is logged three times at creation; this is the parent-side footprint of process start-up, not a later injection into a foreign process.
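Reconstructing the process lineage from the WriteProcessMemory table, as an added example that is not part of the report: the rows are copied from this page in the sandbox's own shape (writer pid, target pid, writer pid again, writer image, target index), the pid-to-image map comes from the "Executes dropped EXE" table, and the code collapses the three identical rows per child into one spawn and orders siblings by the report's procid_target column, which increases in creation order. The row layout and the assumption that every write here is a spawn are the example's, not the sandbox's.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = "fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe"

# "Suspicious use of WriteProcessMemory" rows from this page, in the report's shape:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target index>".
# The sandbox lists every pair three times; "* 3" reproduces that.
WPM_ROWS: List[str] = (
    [f"PID 436 wrote to memory of 644 436 {SAMPLE} 83"] * 3
    + ["PID 644 wrote to memory of 4728 644 un928469.exe 85"] * 3
    + ["PID 644 wrote to memory of 1336 644 un928469.exe 98"] * 3
    + ["PID 1336 wrote to memory of 4892 1336 qu5910.exe 99"] * 3
    + [f"PID 436 wrote to memory of 5456 436 {SAMPLE} 102"] * 3
)

# pid -> image from the page's "Executes dropped EXE" table; names the leaf processes.
DROPPED: Dict[int, str] = {
    644: "un928469.exe", 4728: "pro8712.exe", 1336: "qu5910.exe",
    4892: "1.exe", 5456: "si170791.exe",
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(rows: List[str]) -> Tuple[Dict[Tuple[int, int], int], Dict[int, str]]:
    """Deduplicate rows into {(writer, target): target_index} and {writer pid: image}."""
    edges: Dict[Tuple[int, int], int] = {}
    names: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        writer, target, writer_again, image, index = m.groups()
        if writer != writer_again:  # the writer pid is repeated per row; a mismatch is a bad row
            continue
        edges[(int(writer), int(target))] = int(index)
        names[int(writer)] = image
    return edges, names


def build_tree(edges: Dict[Tuple[int, int], int]):
    """Children per parent in creation order (by sandbox index) and child -> parent map."""
    children: Dict[int, List[int]] = defaultdict(list)
    parent: Dict[int, int] = {}
    for (p, c), _index in sorted(edges.items(), key=lambda kv: kv[1]):
        children[p].append(c)
        parent[c] = p
    return children, parent


def lineage(pid: int, parent: Dict[int, int]) -> List[int]:
    """Ancestry from the root sample down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, names: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """Indented 'pid image' lines, two spaces per level."""
    lines = [f"{'  ' * depth}{root} {names.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def process_tree(rows: List[str] = WPM_ROWS, dropped: Dict[int, str] = DROPPED) -> List[str]:
    """Full tree for every process that was never itself a write target (the roots)."""
    edges, names = parse_rows(rows)
    children, parent = build_tree(edges)
    roots = sorted({p for p, _ in edges if p not in parent})
    out: List[str] = []
    for r in roots:
        out.extend(render(children, {**dropped, **names}, r))
    return out


if __name__ == "__main__":
    print("\n".join(process_tree()))
    _, parent_map = build_tree(parse_rows(WPM_ROWS)[0])
    print("1.exe lineage:", " -> ".join(map(str, lineage(4892, parent_map))))
```

The rebuilt tree matches the Processes section below: sample (436) spawns un928469.exe (644) and si170791.exe (5456); un928469.exe spawns pro8712.exe (4728, the Healer stage) and qu5910.exe (1336), which in turn writes 1.exe into C:\Windows\Temp and runs it. The two RedLine payload hits therefore sit on different branches, which is why two configs were extracted.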
Processes

C:\Users\Admin\AppData\Local\Temp\fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd97cf9b0f70f4b0bdd9165bfc2dddc770f6a5d3800b265845821be0d0a4b26e.exe"
  PID: 436
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un928469.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un928469.exe
    PID: 644
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8712.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8712.exe
      PID: 4728
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1004
        PID: 1124
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5910.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5910.exe
      PID: 1336
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        PID: 4892
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1372
        PID: 5576
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si170791.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si170791.exe
    PID: 5456
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4728 -ip 4728
  PID: 4020

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1336 -ip 1336
  PID: 4600
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 168KB
MD5: 2e77140d3268487bacba06ad470ced7c
SHA1: 60005771c74c10782ecfb0ebcd5104aca6dd2c59
SHA256: fddedf063b92342e105ee0d4cbb213da45b1f00ff5930a2918d6c613aa1a6ec0
SHA512: d39dc31eef51933333224f8d481291b6ea0e369487f9db71c59c27f5fa0c79a57e57b18d421ffc8a719a4a132f3b62cac0d2e3a62f0c9e9b7ece2eebc9ceaf44

Filesize: 633KB
MD5: 475b3d0044b14a73218c1adf32db5d5f
SHA1: 9e4a447dfb09984657efed0e93bf2401611d9874
SHA256: 5a2c5704cbd20924e7861e280b254dfda4d55131c746b87252fc31af0ad7664b
SHA512: fe4f6a354cd686392b817b3a4bde6fd10a76124cfe58cded887f820c2e17a3f00d1e9a38dfd8213bf06666d65ce6127e02a977fd7e077e042dc73310e6eccd17

Filesize: 231KB
MD5: aefab3d4e565ded3438a4b0ca2297803
SHA1: 94c6299c5b47e472656fb46df0eff666f3cc22c3
SHA256: 139522c22f1a08b6d2d7c7547b2269f31a9cf38b436797e3d64761e36ecbec40
SHA512: e251a9d549ae207f6acf533ba4db564b4d8ff306a52e1fa8bd88e5fcb5691695ab753ef08cd883b6983d5bf6363b48279533131b99009ba67eddfc27c4b17037

Filesize: 414KB
MD5: 3a9ee7e41a4dc46de748e2c8d70296b0
SHA1: 311236fff6c392b5842f64df629051d7eff44c50
SHA256: 634bfffb23e3c9e695f7b6afd18446e51c1a5db900fb1db2af86be7ea6ec1806
SHA512: 33317c855e3d37c524cf2b8722bf2c7b690efe87f85526be5b260721d0f9b38f01568f441f38a1685cc7a78123de956e7c4645a9fee503cf53615fbbf74c2844

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0