Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40
Static task: static1
Behavioral task: behavioral1
Sample: c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe
Resource: win10v2004-20241007-en
General
Target: c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe
Size: 660KB
MD5: a93b70ec975d5a9cd6a3b0ff61ee5a26
SHA1: 683a62d5f0c0a14d85cd8e85b90fbf1117753cbe
SHA256: c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545
SHA512: 2aedcf6da35d89eae39ced624fd5637f242ca8d21af64161d77d57ab8e5586acfe0ccd76fabac55c50b9ef12c955e8d92859dde507cab0f0da8c8b1cda8f7d6a
SSDEEP: 12288:cMrGy90Do1JpEEa5d32cC2MO0Jx2ohwTet8y51ovymM1/ITg/h1pDwDNY:Cy8o1ZydmjLwS8y51ovymoUs1pkO
Malware Config
Extracted
family: redline
botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
family: redline
botnet: dozt
C2: 77.91.124.145:4125
auth_value: 857bdfe4fa14711025859d89f18b32cb
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe | healer
behavioral1/memory/1260-15-0x00000000002A0000-0x00000000002AA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr939039.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr939039.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr939039.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr939039.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr939039.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr939039.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3572-2105-0x0000000005540000-0x0000000005572000-memory.dmp | family_redline
C:\Windows\Temp\1.exe | family_redline
behavioral1/memory/3792-2118-0x0000000000B90000-0x0000000000BC0000-memory.dmp | family_redline
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe | family_redline
behavioral1/memory/1180-2129-0x00000000000C0000-0x00000000000F0000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | ku948999.exe
Executes dropped EXE (5 IoCs)
Processes:
pid | process
4424 | ziLJ5835.exe
1260 | jr939039.exe
3572 | ku948999.exe
3792 | 1.exe
1180 | lr013880.exe

Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr939039.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziLJ5835.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
968 | 3572 | WerFault.exe | ku948999.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziLJ5835.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku948999.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lr013880.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1260 | jr939039.exe
1260 | jr939039.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1260 | jr939039.exe
Token: SeDebugPrivilege | 3572 | ku948999.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description | pid | process | target process
PID 4412 wrote to memory of 4424 | 4412 | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe | ziLJ5835.exe
PID 4412 wrote to memory of 4424 | 4412 | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe | ziLJ5835.exe
PID 4412 wrote to memory of 4424 | 4412 | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe | ziLJ5835.exe
PID 4424 wrote to memory of 1260 | 4424 | ziLJ5835.exe | jr939039.exe
PID 4424 wrote to memory of 1260 | 4424 | ziLJ5835.exe | jr939039.exe
PID 4424 wrote to memory of 3572 | 4424 | ziLJ5835.exe | ku948999.exe
PID 4424 wrote to memory of 3572 | 4424 | ziLJ5835.exe | ku948999.exe
PID 4424 wrote to memory of 3572 | 4424 | ziLJ5835.exe | ku948999.exe
PID 3572 wrote to memory of 3792 | 3572 | ku948999.exe | 1.exe
PID 3572 wrote to memory of 3792 | 3572 | ku948999.exe | 1.exe
PID 3572 wrote to memory of 3792 | 3572 | ku948999.exe | 1.exe
PID 4412 wrote to memory of 1180 | 4412 | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe | lr013880.exe
PID 4412 wrote to memory of 1180 | 4412 | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe | lr013880.exe
PID 4412 wrote to memory of 1180 | 4412 | c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe | lr013880.exe
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c7a837ea07268c206368d149f5c822e3894598d3ec5ba5825268fe75e8a0a545.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4412

  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLJ5835.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4424

    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr939039.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1260

    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku948999.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3572

      (level 4) C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3792

      (level 4) C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1380
        - Program crash
        PID: 968

  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr013880.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1180

(level 1) C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3572 -ip 3572
  PID: 1892
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 169KB
MD5: c057efa5266deaab6a9a3cfc05518a95
SHA1: fa6b3f0dc81e6f079cfef64ff949e3beafa05b0c
SHA256: a48aa0efd519e429a269f861dd95a7707b32401e1945b630680e07d9eac2cf22
SHA512: cf91b51ba07aa514fc9415e1d451947b0956d6ee78fb8410b78e9a12201850ed2e6c0d1e92eff380740c11f8a3f435c8a1bbcb80a6ef390a8a7970c1e5f73a92

Filesize: 506KB
MD5: 8777b8a90bfd45422580cd761bee0819
SHA1: dfd3ebb11d7ea9b631422d0fd7608592d9cd07eb
SHA256: 0515d8ba2972c3a44e6b785d03e4bdb2c347270c03604d0f7dcd9788de1750f8
SHA512: 1d2be0e9277b665c80b4b5f0f3077bd9178b2829376822667c4c6f8c878ca3da4d88e3ea940b9c1c0ecc642a089069015b52c395fa4f57ae0bb45c9564565ddf

Filesize: 13KB
MD5: 3f0a55791ca73bb4b286cb752b7e89a3
SHA1: 085f476e3c846a3bf14c67d18a1820d08ae17eaa
SHA256: d28c5efafe7f3533f4ea3f04004f79911ef694142195ea89a72053f81e92c561
SHA512: a4f3975acf6cbf0b5b4bd69ffe4f65ef554db111c4a8686d589da89a674aa915ed4389b64879e892dbb5db61b0f56ed3c92133d9cc0cd23ae067d2ba68d66d87

Filesize: 426KB
MD5: dcdde54f2111075067d4af98d5b753d2
SHA1: 4d5d071abc6bcb89f50d081e67fd24369f5c6458
SHA256: 9cd1d4c463a5dc6149b269adb26cc2c9a7577c8e7835dcec550af821b35cc259
SHA512: 4e1a052d26a234fe2f2277b593c7e851ffa3c2c3e75c80f596863f93dac7c5d7e95f10364b86c966a5ec4380bbf038d899fe0acabeead1b75cc598f7450360f4

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0