Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:37
Static task: static1
Behavioral task: behavioral1
Sample: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe
Resource: win10v2004-20241007-en
General
Target: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe
Size: 660KB
MD5: a1868839dfa3db298827f2f0aa159c2d
SHA1: b97940ceeff790552d1274eb41e1071cbee7948d
SHA256: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466
SHA512: f6a41544c222d1473337f0c8cafa93596bf87fd492ac4f6884543a52ee5a8171bdc72a3828c86950b582f872ed8ee971fc172e484dfee81169f5ea94a04af611
SSDEEP: 12288:vMrWy90QP0g7aw+kaY6oACkrI2zhwTe78M513cykrTDJoy9l3N7:dyXaw/wwS8M513cykXqq59
Malware Config
Extracted
Family: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
Family: redline
Botnet: dozt
C2: 77.91.124.145:4125
auth_value: 857bdfe4fa14711025859d89f18b32cb
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
Processes:
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe (yara_rule: healer)
- behavioral1/memory/4264-15-0x00000000007B0000-0x00000000007BA000-memory.dmp (yara_rule: healer)
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
- jr531728.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- jr531728.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- jr531728.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- jr531728.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- jr531728.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- jr531728.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 5 IoCs
Processes:
- behavioral1/memory/2320-2105-0x0000000005540000-0x0000000005572000-memory.dmp (yara_rule: family_redline)
- C:\Windows\Temp\1.exe (yara_rule: family_redline)
- behavioral1/memory/6640-2118-0x0000000000BE0000-0x0000000000C10000-memory.dmp (yara_rule: family_redline)
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe (yara_rule: family_redline)
- behavioral1/memory/4220-2129-0x0000000000AF0000-0x0000000000B20000-memory.dmp (yara_rule: family_redline)
Redline family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- ku053516.exe: Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
Processes:
- PID 2512: ziZk7286.exe
- PID 4264: jr531728.exe
- PID 2320: ku053516.exe
- PID 6640: 1.exe
- PID 4220: lr412176.exe
Windows security modification
Processes:
- jr531728.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- ziZk7286.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
- WerFault.exe (PID 7020), target process ku053516.exe (PID 2320)
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- ku053516.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- lr412176.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ziZk7286.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 4264: jr531728.exe
- PID 4264: jr531728.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- jr531728.exe (PID 4264): Token: SeDebugPrivilege
- ku053516.exe (PID 2320): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
- PID 1112 wrote to memory of 2512: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe -> ziZk7286.exe
- PID 1112 wrote to memory of 2512: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe -> ziZk7286.exe
- PID 1112 wrote to memory of 2512: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe -> ziZk7286.exe
- PID 2512 wrote to memory of 4264: ziZk7286.exe -> jr531728.exe
- PID 2512 wrote to memory of 4264: ziZk7286.exe -> jr531728.exe
- PID 2512 wrote to memory of 2320: ziZk7286.exe -> ku053516.exe
- PID 2512 wrote to memory of 2320: ziZk7286.exe -> ku053516.exe
- PID 2512 wrote to memory of 2320: ziZk7286.exe -> ku053516.exe
- PID 2320 wrote to memory of 6640: ku053516.exe -> 1.exe
- PID 2320 wrote to memory of 6640: ku053516.exe -> 1.exe
- PID 2320 wrote to memory of 6640: ku053516.exe -> 1.exe
- PID 1112 wrote to memory of 4220: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe -> lr412176.exe
- PID 1112 wrote to memory of 4220: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe -> lr412176.exe
- PID 1112 wrote to memory of 4220: d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe -> lr412176.exe
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6dc154ee4f7deb5d6ea4d517ef696b6da3819a06e91b574b1382cb36bd29466.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1112
  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZk7286.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2512
    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr531728.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4264
    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku053516.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2320
      (level 4) C:\Windows\Temp\1.exe
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 6640
      (level 4) C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1152
        - Program crash
        PID: 7020
  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr412176.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4220
(level 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320
  PID: 6896
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads