Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:36
Static task: static1
Behavioral task: behavioral1
Sample: 0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe
Resource: win10v2004-20241007-en
General
Target: 0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe
Size: 660KB
MD5: 4a69e8acfc6f931545d7371314124162
SHA1: 2ff6dfb22357102cee2038df8268964328611afd
SHA256: 0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868
SHA512: a855bca6fbc502be7576c4b09955401e599f82df3e34784bb0974ce5158b8e1b676698e6cd40494f6b95fbd9b326ea07c9e0364f25879cd1ec88b2839b7ae5a5
SSDEEP: 12288:IMray90IxtQu9uMRUkgZtTi+ZN2IhwTer8v51zhyFxQe0yfn0:SyNkouWGZtTicwK8v51zhyFOyf0
Malware Config
Extracted
Family: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
Family: redline
Botnet: dozt
C2: 77.91.124.145:4125
auth_value: 857bdfe4fa14711025859d89f18b32cb

Two RedLine configurations were extracted. They share the same C2 endpoint but carry different botnet names and auth_value tokens, consistent with the two separate RedLine binaries seen in this run (C:\Windows\Temp\1.exe and IXP000.TMP\lr244557.exe). Block the C2 on 77.91.124.145:4125 and treat either auth_value as a high-confidence indicator when matching memory or network captures.
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
YARA matches (resource / rule):
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr420419.exe  healer
behavioral1/memory/1908-15-0x0000000000280000-0x000000000028A000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
Registry writes by jr420419.exe (PID 1908):
Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"

These are Defender policy values (the Policies hive, not the user-facing settings key); a value of 1 turns off the named protection. Together they disable real-time scanning, behaviour monitoring, on-access scanning and scanning of downloaded files and attachments (IOAV) before the RedLine payloads are launched.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
YARA matches (resource / rule):
behavioral1/memory/4336-2105-0x0000000005530000-0x0000000005562000-memory.dmp  family_redline
C:\Windows\Temp\1.exe  family_redline
behavioral1/memory/5740-2118-0x0000000000BE0000-0x0000000000C10000-memory.dmp  family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr244557.exe  family_redline
behavioral1/memory/5916-2129-0x0000000000080000-0x00000000000B0000-memory.dmp  family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried by ku403694.exe (PID 4336): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
PID / process:
3120  ziop7536.exe
1908  jr420419.exe
4336  ku403694.exe
5740  1.exe
5916  lr244557.exe
Windows security modification
Set value (int) by jr420419.exe (PID 1908): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"

Writing TamperProtection = 0 under the Features key is an attempt to switch off Defender's Tamper Protection, which, when enabled, blocks changes to the real-time protection settings above from untrusted processes. On a host with Tamper Protection enforced this write should fail or be reverted; its presence in the sandbox run reflects the sandbox configuration, not a guarantee that the technique works on a hardened endpoint.
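The Real-Time Protection policy writes and the TamperProtection write above are the Healer behaviour a detection engineer will want to match on. The following is an added example, not code from the report or from the sandbox vendor: a small Python matcher that parses "Set value" lines in the report's own rendering (the line format is an assumption) and flags exactly the key/value pairs listed in this report. The sample lines are copied from the jr420419.exe IoCs above, plus one constructed negative.

```python
"""Flag Windows Defender tampering in sandbox registry 'Set value' events.

Added example, not code from the sandbox report or from its vendor.
The event line format is assumed to be the report's own rendering:
    Set value (int) <key>\\<name> = "<value>" <process>
The sample lines are the report's IoCs for jr420419.exe plus one
constructed negative (a value being set back to 0).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

RTP_POLICY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
              r"\Real-Time Protection")
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# (key, value name, data) triples that switch a Defender protection off.
# Under the Real-Time Protection policy key a 1 disables the feature;
# TamperProtection = 0 under Features turns off the guard that would
# normally block these writes from an untrusted process.
TAMPER_INDICATORS = {
    (RTP_POLICY, "DisableRealtimeMonitoring", "1"),
    (RTP_POLICY, "DisableScanOnRealtimeEnable", "1"),
    (RTP_POLICY, "DisableBehaviorMonitoring", "1"),
    (RTP_POLICY, "DisableIOAVProtection", "1"),
    (RTP_POLICY, "DisableOnAccessProtection", "1"),
    (FEATURES, "TamperProtection", "0"),
}

# Assumed line shape (see module docstring). Paths may contain spaces,
# so the path group is non-greedy up to the ' = "' separator.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one 'Set value' line into key path, value name, data and writer.

    Returns None for lines that are not value writes ('Key created',
    'Key opened', ...), which this rule deliberately ignores.
    """
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"key": key, "name": name, "value": m.group("value"),
            "type": m.group("type"), "proc": m.group("proc")}


def find_defender_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events whose (key, name, data) is a known Defender-disabling write."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and (ev["key"], ev["name"], ev["value"]) in TAMPER_INDICATORS:
            hits.append(ev)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each writing process to the sorted list of protections it disabled."""
    by_proc: Dict[str, set] = defaultdict(set)
    for ev in hits:
        by_proc[ev["proc"]].add(ev["name"])
    return {proc: sorted(names) for proc, names in by_proc.items()}


# Sample input: the report's jr420419.exe IoCs, plus one constructed negative.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr420419.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr420419.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr420419.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr420419.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr420419.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr420419.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr420419.exe',
    # Constructed negative: re-enabling real-time monitoring is not tampering.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" example.exe',
]

if __name__ == "__main__":
    for proc, names in summarize(find_defender_tampering(SAMPLE_EVENTS)).items():
        print(f"{proc}: disabled {', '.join(names)}")
```

The rule keys on the exact (key, value name, data) triple rather than on the key alone, so a process restoring a value to its default is not flagged. On a live host the same keys can be read with PowerShell's Get-ItemProperty against HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and HKLM:\SOFTWARE\Microsoft\Windows Defender\Features; a Disable* value of 1 or TamperProtection of 0 that your group policy did not set deserves the same treatment as a hit here.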
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by 0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe (PID 3696): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Set value (str) by ziop7536.exe (PID 3120): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Caveat: these RunOnce entries are the standard cleanup hooks written by the Windows IExpress self-extractor (wextract); advpack.dll's DelNodeRunDLL32 deletes the IXP00x.TMP extraction directory at the next logon. Together with the IXP000.TMP / IXP001.TMP paths they identify the outer two stages as nested IExpress packages. They do not re-launch the payload, so despite the Persistence mapping below they are a packer artifact rather than a persistence mechanism.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
WerFault.exe (PID 5848) handled a crash of ku403694.exe (PID 4336).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language) by:
0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe
ziop7536.exe
ku403694.exe
1.exe
lr244557.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
jr420419.exe (PID 1908), 2 events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege  PID 1908  jr420419.exe
Token: SeDebugPrivilege  PID 4336  ku403694.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Writer PID (process) -> target PID (process), number of writes:
3696 (0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe) -> 3120 (ziop7536.exe), 3 writes
3120 (ziop7536.exe) -> 1908 (jr420419.exe), 2 writes
3120 (ziop7536.exe) -> 4336 (ku403694.exe), 3 writes
4336 (ku403694.exe) -> 5740 (1.exe), 3 writes
3696 (0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe) -> 5916 (lr244557.exe), 3 writes
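Every write in this table goes from a parent into a process it has just created, so the table doubles as a record of the spawn chain: the outer dropper starts ziop7536.exe and lr244557.exe, ziop7536.exe starts the Healer component jr420419.exe and ku403694.exe, and ku403694.exe drops the first RedLine payload as C:\Windows\Temp\1.exe. The following is an added example, not code from the report or from the sandbox vendor: a Python parser that reads the records in the report's own format (an assumed line shape), collapses the repeated writes into one parent-to-child edge each and renders the resulting tree. The sample records are the report's 14 entries with their multiplicities.

```python
"""Rebuild a process tree from sandbox 'wrote to memory' records.

Added example, not code from the report or from its vendor. The record
shape is assumed from the report's WriteProcessMemory table:
    PID <src> wrote to memory of <dst> <src> <src_name> <dst_name>
The sample records reproduce the report's 14 entries, duplicates included,
as the sandbox logs them.
"""
import re
from typing import Dict, List, Tuple

# The writer PID appears twice in each record; the backreference enforces that.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)

Edge = Tuple[int, int, str, str]  # (src_pid, dst_pid, src_name, dst_name)

ROOT = "0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe"

# Sample input: the report's records, with the same multiplicities (3/2/3/3/3).
SAMPLE_RECORDS = (
    [f"PID 3696 wrote to memory of 3120 3696 {ROOT} ziop7536.exe"] * 3
    + ["PID 3120 wrote to memory of 1908 3120 ziop7536.exe jr420419.exe"] * 2
    + ["PID 3120 wrote to memory of 4336 3120 ziop7536.exe ku403694.exe"] * 3
    + ["PID 4336 wrote to memory of 5740 4336 ku403694.exe 1.exe"] * 3
    + [f"PID 3696 wrote to memory of 5916 3696 {ROOT} lr244557.exe"] * 3
)


def parse_records(lines: List[str]) -> List[Edge]:
    """Parse every well-formed record; malformed lines are skipped."""
    edges: List[Edge] = []
    for line in lines:
        m = RECORD_RE.search(line)
        if m:
            edges.append((int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"]))
    return edges


def build_tree(records: List[Edge]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Collapse repeated writes into one parent->child edge, preserving first-seen order."""
    children: Dict[int, List[int]] = {}
    names: Dict[int, str] = {}
    for src, dst, src_name, dst_name in records:
        names.setdefault(src, src_name)
        names.setdefault(dst, dst_name)
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return children, names


def roots(children: Dict[int, List[int]], names: Dict[int, str]) -> List[int]:
    """PIDs that only ever write, never get written to: the tree roots."""
    all_children = {c for kids in children.values() for c in kids}
    return [pid for pid in names if pid not in all_children]


def render(children: Dict[int, List[int]], names: Dict[int, str]) -> List[str]:
    """Depth-first listing, two spaces of indent per level."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{'  ' * depth}{pid} {names[pid]}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for r in roots(children, names):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*build_tree(parse_records(SAMPLE_RECORDS)))))
```

The 14 records collapse to five edges and a single root, PID 3696, which matches the Processes section below. WerFault.exe does not appear because crash handling is not a parent writing into a child; for it, and for the PIDs of processes that received no writes, the Processes section remains the authoritative source.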
Processes (indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe  (PID 3696)
  command line: "C:\Users\Admin\AppData\Local\Temp\0d732568b5f5e162d942b59086f5894d6fba992c7a6bbfd1624a3193a0d30868.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziop7536.exe  (PID 3120)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziop7536.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr420419.exe  (PID 1908)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr420419.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku403694.exe  (PID 4336)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku403694.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\1.exe  (PID 5740)
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe  (PID 5848)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1528
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr244557.exe  (PID 5916)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr244557.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe  (PID 5828)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4336 -ip 4336
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 170KB
MD5: 7ff6712a1a6dd2bc283d022b20d4a73e
SHA1: 798733e2975ad2c6394201c642621711082645f9
SHA256: d24d6b56f4663d981afdfb49090846659f4e11bd30c41f1c2833f7225e100299
SHA512: 441b8d60a47e42b609a57527c8e2d4781eb8969101c2a3ea7c2639a20fa9af54f75cec116cc7de433a44e906b52a73d3ebfa34cf12ac9968f74ab247974ccd0a

Filesize: 506KB
MD5: 4e9fea95c70cf766bb9228c9195ae683
SHA1: bee5f98bd0281a50bd0a20e152e892715a52dbc7
SHA256: 31928ba76933167df802a79bbd39dbbbed2da7799b19eef6b0d4ab6172bf7b79
SHA512: 2fd3a939026e43b7354349cd47778c6b1259217964b26a8f3db755e8fa2cf955999508c915e6ef3196bd783d34b13efa9c991f83df3b49c9fc461987d564184e

Filesize: 14KB
MD5: dcb9db82b7e25cc92a8d682b1723c7ff
SHA1: 834c7b52ac01182272f9e08110da4226a9d3f4b9
SHA256: 0f54420130ec5c3a40d47b0083d7317731bcbca05d385850b8589cd923269113
SHA512: 8c073f9bfc9898ca0b208965e8abfb38983e6f12cffbf69506082cfb15a37a697e50a3c83f0c3c3939a75cf4701c76ca36bdc99817328a8c91b9ba80a72fd3a1

Filesize: 426KB
MD5: e3e0483ee60ead6814494b8c232a319f
SHA1: 6d36fa269d2fb326a5fec0e0b7c62ed43a24d960
SHA256: 8023537967a11d052e3b7d7dc929f4282a5eff91be05e001788a4a8ae884b38e
SHA512: ccc4696c602140023269d119914ba3ad03a5d9fe3c190c9e2b516be4b7ab95d8f473e8feb683d4ccbce1b5013c583e3478b2cb7f03ef12a6d51c17902fe04949

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0