Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe
Resource
win10v2004-20241007-en
General
-
Target
db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe
-
Size
814KB
-
MD5
79757af02d2983836ac7701cfd872e6c
-
SHA1
483c12e81cd65d013144a6fd3e6432b92e6dc656
-
SHA256
db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb
-
SHA512
4bfb486744e279f931967a2e3c84f3a2f2a431537d8a1fd8bc25ca036d2b29e4dd5623d95e2f2bba9d50c3e104e0b1ba5deafca6a42b83f6981e0ec649031353
-
SSDEEP
24576:zy1mvHd919R7YZbXVWVTbMyDkoUoM41Xeee:GIv99voqT1Ke
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/752-19-0x00000000026C0000-0x00000000026DA000-memory.dmp healer behavioral1/memory/752-21-0x0000000002710000-0x0000000002728000-memory.dmp healer behavioral1/memory/752-27-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-47-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-45-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-43-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-41-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-49-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-39-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-37-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-35-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-33-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-31-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-29-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-25-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-23-0x0000000002710000-0x0000000002722000-memory.dmp healer behavioral1/memory/752-22-0x0000000002710000-0x0000000002722000-memory.dmp healer -
Healer family
-
Processes:
pro8116.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro8116.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro8116.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro8116.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro8116.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro8116.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro8116.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/4084-2143-0x0000000005750000-0x0000000005782000-memory.dmp family_redline C:\Windows\Temp\1.exe family_redline behavioral1/memory/5188-2156-0x0000000000910000-0x0000000000940000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si421498.exe family_redline behavioral1/memory/1288-2167-0x0000000000820000-0x000000000084E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
qu7488.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation qu7488.exe -
Executes dropped EXE 5 IoCs
Processes:
un923068.exepro8116.exequ7488.exe1.exesi421498.exepid process 4428 un923068.exe 752 pro8116.exe 4084 qu7488.exe 5188 1.exe 1288 si421498.exe -
Processes:
pro8116.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro8116.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro8116.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exeun923068.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un923068.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 1904 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4280 752 WerFault.exe pro8116.exe 5864 4084 WerFault.exe qu7488.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
qu7488.exe1.exesi421498.exedb08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exeun923068.exepro8116.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu7488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language si421498.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un923068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro8116.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pro8116.exepid process 752 pro8116.exe 752 pro8116.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pro8116.exequ7488.exedescription pid process Token: SeDebugPrivilege 752 pro8116.exe Token: SeDebugPrivilege 4084 qu7488.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exeun923068.exequ7488.exedescription pid process target process PID 3528 wrote to memory of 4428 3528 db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe un923068.exe PID 3528 wrote to memory of 4428 3528 db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe un923068.exe PID 3528 wrote to memory of 4428 3528 db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe un923068.exe PID 4428 wrote to memory of 752 4428 un923068.exe pro8116.exe PID 4428 wrote to memory of 752 4428 un923068.exe pro8116.exe PID 4428 wrote to memory of 752 4428 un923068.exe pro8116.exe PID 4428 wrote to memory of 4084 4428 un923068.exe qu7488.exe PID 4428 wrote to memory of 4084 4428 un923068.exe qu7488.exe PID 4428 wrote to memory of 4084 4428 un923068.exe qu7488.exe PID 4084 wrote to memory of 5188 4084 qu7488.exe 1.exe PID 4084 wrote to memory of 5188 4084 qu7488.exe 1.exe PID 4084 wrote to memory of 5188 4084 qu7488.exe 1.exe PID 3528 wrote to memory of 1288 3528 db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe si421498.exe PID 3528 wrote to memory of 1288 3528 db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe si421498.exe PID 3528 wrote to memory of 1288 3528 db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe si421498.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe"C:\Users\Admin\AppData\Local\Temp\db08ceb7774d4313593607d0940166a34b23f820b0c3ae6f0bf3fdf1efc9c1fb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un923068.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un923068.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8116.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8116.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 10804⤵
- Program crash
PID:4280
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7488.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7488.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5188
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 13684⤵
- Program crash
PID:5864
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si421498.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si421498.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1288
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 752 -ip 7521⤵PID:2104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4084 -ip 40841⤵PID:5304
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:1904
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD54c170de9445862e42a95e37e56d4c2a4
SHA12cbb804339b25d51718715c44c1d9f17e78d4fc3
SHA256453f9e8e0522830c92d3ced373dd3880c25e2e2563ea91879c7defa392a28778
SHA5128a48dbc3f2a3e6423d8628d4f1c76f754f270af5ba47ce7929baefd13866f04eafb6ef2a71be7c7a8bfccbd0fe226317c1227772e54e5104524df4faf8fe07d2
-
Filesize
661KB
MD56aa709db9721ebcea95016173847b913
SHA135f6371a415c8b280a50d3e860a1dca90c54c5a7
SHA25688a7f7f30fa954e111f1ec9b98eba1a79a0451a5108ae02eeb182f70168d567c
SHA5127784418d150a392005c397a61d891926c32cf94628e860257069e9b9059ef16909b9063f1d41123d9946af4f93184b6342f7fbd5c67c4e1f459de91ab3eb2725
-
Filesize
312KB
MD575bdd59545539c71d9aed8b4233ddf05
SHA13d1079ed02c02a67b4c6bed653008d55827c753b
SHA256dbf297c2cef81aa6c051dadb2c70856b634b0288e715e7597f2f04b4d9648d53
SHA512299be71af53e1a8061933e1ec91d9452acb45e7be86f8e00a4ed3b792984a7383e78573a33190c194daaa26d9fbcfde2084bf13825917181c9983c3e42474c8d
-
Filesize
495KB
MD50b82c1ee16013438479168dba6304175
SHA145ef07aa1a75d24c8defe7c811338884ab694645
SHA2569177e93ed2b96446a606a02b040f03c41003ee8edfc08fe3aa37da6934d96f4f
SHA512cb0279b50b1abb2ff477dbf3f107688fcb1fa87ac6d41a6e02b106cfd4ec8ccf3a22511dca9e4b73697c8210f07ba0ed48a2461258098ad1c3fc08981f1a19ea
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0