Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe
- Resource: win10v2004-20241007-en
General
- Target: 2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe
- Size: 794KB
- MD5: c5e49ec128d56dcdb670c2917e13815d
- SHA1: 6f9fd8fc360284a07a4a312b05e1937e57ecb2d7
- SHA256: 2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972
- SHA512: e70527924ec3e3871ba92595d5536ed12e99b84a477e08826c21f7abbbb059e692e3a81c2961d0e3d47afc4dccfbf8f271b4fc5352fae0be2481c185ec3f2103
- SSDEEP: 24576:OyqBxT6Z6eLwNlZUIxfwda69vEvQycPU:dqBxqg74d+Qd
Malware Config
Extracted
- Family: redline
- Botnet: norm
- C2: 77.91.124.145:4125
- auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
- Family: redline
- Botnet: diza
- C2: 77.91.124.145:4125
- auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/2348-19-0x0000000002060000-0x000000000207A000-memory.dmp  healer
behavioral1/memory/2348-21-0x00000000025F0000-0x0000000002608000-memory.dmp  healer
behavioral1/memory/2348-49-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-47-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-46-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-43-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-41-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-39-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-37-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-35-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-33-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-31-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-29-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-27-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-25-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-23-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/2348-22-0x00000000025F0000-0x0000000002602000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro9203.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro9203.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro9203.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro9203.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro9203.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro9203.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 5 IoCs
resource  yara_rule
behavioral1/memory/1368-2143-0x0000000005400000-0x0000000005432000-memory.dmp  family_redline
behavioral1/files/0x0010000000023b2f-2148.dat  family_redline
behavioral1/memory/1572-2156-0x0000000000380000-0x00000000003B0000-memory.dmp  family_redline
behavioral1/files/0x0007000000023c66-2164.dat  family_redline
behavioral1/memory/5400-2167-0x0000000000380000-0x00000000003AE000-memory.dmp  family_redline

Redline family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  qu6932.exe

Executes dropped EXE 5 IoCs
pid  Process
1708  un554708.exe
2348  pro9203.exe
1368  qu6932.exe
1572  1.exe
5400  si446947.exe

Windows security modification 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro9203.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro9203.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un554708.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid  pid_target  Process  procid_target
4476  2348  WerFault.exe  85
3024  1368  WerFault.exe  101
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu6932.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  si446947.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un554708.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro9203.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
2348  pro9203.exe
2348  pro9203.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  2348  pro9203.exe
Token: SeDebugPrivilege  1368  qu6932.exe

Suspicious use of WriteProcessMemory 15 IoCs
description  pid  Process  procid_target
PID 3652 wrote to memory of 1708  3652  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe  83
PID 3652 wrote to memory of 1708  3652  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe  83
PID 3652 wrote to memory of 1708  3652  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe  83
PID 1708 wrote to memory of 2348  1708  un554708.exe  85
PID 1708 wrote to memory of 2348  1708  un554708.exe  85
PID 1708 wrote to memory of 2348  1708  un554708.exe  85
PID 1708 wrote to memory of 1368  1708  un554708.exe  101
PID 1708 wrote to memory of 1368  1708  un554708.exe  101
PID 1708 wrote to memory of 1368  1708  un554708.exe  101
PID 1368 wrote to memory of 1572  1368  qu6932.exe  102
PID 1368 wrote to memory of 1572  1368  qu6932.exe  102
PID 1368 wrote to memory of 1572  1368  qu6932.exe  102
PID 3652 wrote to memory of 5400  3652  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe  105
PID 3652 wrote to memory of 5400  3652  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe  105
PID 3652 wrote to memory of 5400  3652  2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe  105
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2e35ffa75c2d37dc04c9c62bb28ffa946e310c93969616325c83d6ce29348972.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3652
    (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un554708.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un554708.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1708
        (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9203.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9203.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2348
            (level 4) C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1084
                - Program crash
                PID: 4476
        (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6932.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6932.exe
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1368
            (level 4) C:\Windows\Temp\1.exe
                command line: "C:\Windows\Temp\1.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 1572
            (level 4) C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1384
                - Program crash
                PID: 3024
    (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si446947.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si446947.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 5400
(level 1) C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2348 -ip 2348
    PID: 1052
(level 1) C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1368 -ip 1368
    PID: 4472
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads