Analysis

max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:35

Static task: static1
Behavioral task: behavioral1
Sample: f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe
Resource: win10v2004-20241007-en
General

Target: f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe
Size: 1.0MB
MD5: ccc0e02304d59945e0e89828bb90ee8c
SHA1: 14eb412ec9a39d1ebecb1ce716a8ec020af927ae
SHA256: f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b
SHA512: d67af69e7967fd6bc504ce41b55f0727e14bfe8b3268ccb85b12bdc4fbfa41f9d9eb09de85eeb6e43fcc98fdf14c2606399136176ce5c7e28d57ab364469a02e
SSDEEP: 24576:+ym14i3zV71y36LdxX7ZrA/IXc+81ZVk0:Nm1B7HdxXdrAwXcfBk
Malware Config

Extracted: redline
  norm
  77.91.124.145:4125
  auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted: redline
  dezik
  77.91.124.145:4125
  auth_value: afab3a79f84bd5003ef2824211bcf14e
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1472-25-0x0000000002460000-0x000000000247A000-memory.dmp | healer
  behavioral1/memory/1472-27-0x00000000025F0000-0x0000000002608000-memory.dmp | healer
  behavioral1/memory/1472-37-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-55-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-53-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-51-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-49-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-47-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-45-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-43-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-41-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-39-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-31-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-29-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-28-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-35-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  behavioral1/memory/1472-33-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr074599.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr074599.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr074599.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr074599.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr074599.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr074599.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/3448-2149-0x0000000005440000-0x0000000005472000-memory.dmp | family_redline
  behavioral1/files/0x0014000000023a1d-2154.dat | family_redline
  behavioral1/memory/3180-2162-0x0000000000190000-0x00000000001C0000-memory.dmp | family_redline
  behavioral1/files/0x000a000000023b75-2171.dat | family_redline
  behavioral1/memory/5712-2173-0x0000000000210000-0x000000000023E000-memory.dmp | family_redline
Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | qu317361.exe
Executes dropped EXE (6 IoCs)
Processes:
  pid | Process
  3728 | un143007.exe
  4076 | un718758.exe
  1472 | pr074599.exe
  3448 | qu317361.exe
  3180 | 1.exe
  5712 | rk168397.exe
Windows security modification
Processes:
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr074599.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr074599.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un143007.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un718758.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
  pid | pid_target | Process | procid_target
  3016 | 1472 | WerFault.exe | 85
  5856 | 3448 | WerFault.exe | 100
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un143007.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un718758.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr074599.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu317361.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk168397.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | Process
  1472 | pr074599.exe
  1472 | pr074599.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 1472 | pr074599.exe
  Token: SeDebugPrivilege | 3448 | qu317361.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 4992 wrote to memory of 3728 | 4992 | f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe | 83
  PID 4992 wrote to memory of 3728 | 4992 | f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe | 83
  PID 4992 wrote to memory of 3728 | 4992 | f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe | 83
  PID 3728 wrote to memory of 4076 | 3728 | un143007.exe | 84
  PID 3728 wrote to memory of 4076 | 3728 | un143007.exe | 84
  PID 3728 wrote to memory of 4076 | 3728 | un143007.exe | 84
  PID 4076 wrote to memory of 1472 | 4076 | un718758.exe | 85
  PID 4076 wrote to memory of 1472 | 4076 | un718758.exe | 85
  PID 4076 wrote to memory of 1472 | 4076 | un718758.exe | 85
  PID 4076 wrote to memory of 3448 | 4076 | un718758.exe | 100
  PID 4076 wrote to memory of 3448 | 4076 | un718758.exe | 100
  PID 4076 wrote to memory of 3448 | 4076 | un718758.exe | 100
  PID 3448 wrote to memory of 3180 | 3448 | qu317361.exe | 101
  PID 3448 wrote to memory of 3180 | 3448 | qu317361.exe | 101
  PID 3448 wrote to memory of 3180 | 3448 | qu317361.exe | 101
  PID 3728 wrote to memory of 5712 | 3728 | un143007.exe | 104
  PID 3728 wrote to memory of 5712 | 3728 | un143007.exe | 104
  PID 3728 wrote to memory of 5712 | 3728 | un143007.exe | 104
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f75d7dc119562a4147c0b2b851f23a5ea602f8afc69b01431f6326badada222b.exe"
  PID: 4992
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un143007.exe
    PID: 3728
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un718758.exe
      PID: 4076
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr074599.exe
        PID: 1472
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1084
          PID: 3016
          - Program crash

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu317361.exe
        PID: 3448
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\Temp\1.exe
          Command line: "C:\Windows\Temp\1.exe"
          PID: 3180
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1524
          PID: 5856
          - Program crash

    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk168397.exe
      PID: 5712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1472 -ip 1472
  PID: 3604

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3448 -ip 3448
  PID: 6000
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads