Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:44
Static task
static1
Behavioral task
behavioral1
Sample
af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe
Resource
win10v2004-20241007-en
General
-
Target
af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe
-
Size
656KB
-
MD5
a0d87123b314ead24067acf661d2b8ec
-
SHA1
76d6604aef4a9f26ffeaad8026582df203cbf465
-
SHA256
af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3
-
SHA512
d569e5c53f23398c8def55bff6e26813aa1797509d5d0f2c9b03fb53c5c2a25a6a3c02495ce75249205944f4feebfda5599f568998802cd36c3f1e3b0a7584f4
-
SSDEEP
12288:lMrny903VhjTxhdJOxTyP2Y/8NVNIVAmJcqOfniQ:uyiNdhCDY/dnzO6Q
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/1812-12-0x00000000021A0000-0x00000000021BA000-memory.dmp healer behavioral1/memory/1812-14-0x00000000025B0000-0x00000000025C8000-memory.dmp healer behavioral1/memory/1812-20-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-18-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-16-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-15-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-42-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-40-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-38-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-36-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-34-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-32-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-30-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-28-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-26-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-24-0x00000000025B0000-0x00000000025C2000-memory.dmp healer behavioral1/memory/1812-22-0x00000000025B0000-0x00000000025C2000-memory.dmp healer -
Healer family
-
Processes:
pr982759.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr982759.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr982759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr982759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr982759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr982759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr982759.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1080-2201-0x0000000005400000-0x0000000005432000-memory.dmp family_redline C:\Windows\Temp\1.exe family_redline behavioral1/memory/5024-2214-0x0000000000020000-0x000000000004E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
qu352695.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation qu352695.exe -
Executes dropped EXE 3 IoCs
Processes:
pr982759.exequ352695.exe1.exepid process 1812 pr982759.exe 1080 qu352695.exe 5024 1.exe -
Processes:
pr982759.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr982759.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr982759.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2472 1812 WerFault.exe pr982759.exe 5504 1080 WerFault.exe qu352695.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1.exeaf12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exepr982759.exequ352695.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pr982759.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu352695.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pr982759.exepid process 1812 pr982759.exe 1812 pr982759.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pr982759.exequ352695.exedescription pid process Token: SeDebugPrivilege 1812 pr982759.exe Token: SeDebugPrivilege 1080 qu352695.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exequ352695.exedescription pid process target process PID 452 wrote to memory of 1812 452 af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe pr982759.exe PID 452 wrote to memory of 1812 452 af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe pr982759.exe PID 452 wrote to memory of 1812 452 af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe pr982759.exe PID 452 wrote to memory of 1080 452 af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe qu352695.exe PID 452 wrote to memory of 1080 452 af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe qu352695.exe PID 452 wrote to memory of 1080 452 af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe qu352695.exe PID 1080 wrote to memory of 5024 1080 qu352695.exe 1.exe PID 1080 wrote to memory of 5024 1080 qu352695.exe 1.exe PID 1080 wrote to memory of 5024 1080 qu352695.exe 1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe"C:\Users\Admin\AppData\Local\Temp\af12c1a05e2108674465d41a7a91c8f466d004ba9dde525f17bc5715a62e3fe3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr982759.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr982759.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 10843⤵
- Program crash
PID:2472
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu352695.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu352695.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 9843⤵
- Program crash
PID:5504
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1812 -ip 18121⤵PID:1544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1080 -ip 10801⤵PID:5408
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD52f5e95bae6338a9237217fd9d66c1619
SHA17345525e8c91ca99ce658554dca6ee22edc845fb
SHA25645adf96b2ffd321bbfaeb234f2c7f4bbd4270a3da6fcec06a56f0d0e9528db59
SHA5123834a6b1f1e26374946d83f8296c673eb1c2744e8f665c23fb0e12d9dca25fbda85eaad80cba88627e52f61e85e07ec53bbed5281e279c90c613eb837a6d1d6b
-
Filesize
438KB
MD5bcc9bcea37b0ee7e048fcc8ec68b89db
SHA1fa6b0bed900af35aa644a7f6c65323af01114fee
SHA256c577e44873246a2250e39c72de31b6b9bf620499000c1b1bbd0c360d9062b5fd
SHA51255b06e7742b317c69e076e684bb7115be57bf600a4c8d5b41143f906941eedd8cf052abeb36e8760094fc4094f4689b8d02104e7f66f70cf84a37dc3ee05fa70
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1