Analysis
max time kernel: 135s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 01:28
Static task: static1
Behavioral task: behavioral1
Sample: 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe
Resource: win10v2004-20241007-en
General
Target: 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe
Size: 1.2MB
MD5: 65f47713a73156d69e3a5f3c6fdeab55
SHA1: ddddadb3ac1b1d49d9bd42ef3bc782536d5acd81
SHA256: 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8
SHA512: aa36ee2f52f8e17e938b9db662b05eb155f4ad405c30eedb9e1f83c87c9540ce8db06bdca08071628bb48fb23ce493df8c133d26819a0f58f5e94df80a040caa
SSDEEP: 24576:XybGVqieoRM9QatlZEefRs+8Ssc3z2Sl33eP50CnKR1oa:ibGkieoOdjXf+PZc3z2y3jV
Malware Config
Extracted
redline
masta
185.161.248.75:4132
auth_value: 57f23b6b74d0f680c5a0c8ac9f52bd75
Signatures
Detects Healer an antivirus disabler dropper (1 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2920-22-0x0000000000400000-0x000000000040A000-memory.dmp | healer
Healer family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0915936.exe | family_redline
behavioral1/memory/3940-28-0x0000000000AB0000-0x0000000000ADA000-memory.dmp | family_redline
Redline family
Executes dropped EXE (5 IoCs)
Processes: v7991367.exe, v4206827.exe, a1662229.exe, a1662229.exe, b0915936.exe
pid | process
1360 | v7991367.exe
1336 | v4206827.exe
2908 | a1662229.exe
2920 | a1662229.exe
3940 | b0915936.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe, v7991367.exe, v4206827.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v7991367.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4206827.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: a1662229.exe
description | pid | process | target process
PID 2908 set thread context of 2920 | 2908 | a1662229.exe | a1662229.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
736 | 2920 | WerFault.exe | a1662229.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Processes: a1662229.exe, b0915936.exe, 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe, v7991367.exe, v4206827.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1662229.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0915936.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v7991367.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4206827.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: a1662229.exe
description | pid | process
Token: SeDebugPrivilege | 2908 | a1662229.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe, v7991367.exe, v4206827.exe, a1662229.exe
description | pid | process | target process
PID 5040 wrote to memory of 1360 | 5040 | 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe | v7991367.exe
PID 5040 wrote to memory of 1360 | 5040 | 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe | v7991367.exe
PID 5040 wrote to memory of 1360 | 5040 | 161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe | v7991367.exe
PID 1360 wrote to memory of 1336 | 1360 | v7991367.exe | v4206827.exe
PID 1360 wrote to memory of 1336 | 1360 | v7991367.exe | v4206827.exe
PID 1360 wrote to memory of 1336 | 1360 | v7991367.exe | v4206827.exe
PID 1336 wrote to memory of 2908 | 1336 | v4206827.exe | a1662229.exe
PID 1336 wrote to memory of 2908 | 1336 | v4206827.exe | a1662229.exe
PID 1336 wrote to memory of 2908 | 1336 | v4206827.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 2908 wrote to memory of 2920 | 2908 | a1662229.exe | a1662229.exe
PID 1336 wrote to memory of 3940 | 1336 | v4206827.exe | b0915936.exe
PID 1336 wrote to memory of 3940 | 1336 | v4206827.exe | b0915936.exe
PID 1336 wrote to memory of 3940 | 1336 | v4206827.exe | b0915936.exe
Processes
C:\Users\Admin\AppData\Local\Temp\161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\161d8cd3f6f30ed7eeb5db8ca2b4d3d5b0e19f721175e3dbf5c04ee1155626f8.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5040
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7991367.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7991367.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1360
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4206827.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4206827.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1336
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1662229.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1662229.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2908
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1662229.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1662229.exe
          - Executes dropped EXE
          PID: 2920
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 152
            - Program crash
            PID: 736
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0915936.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0915936.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3940
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2920 -ip 2920
  PID: 4888
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 866KB
MD5: f4762881f078d5c21f0f9715c4843746
SHA1: 6e6f570940a1051e65138805f6e99c6191c3b1a9
SHA256: 6db1b49f8a24fac10b674b3396ddb9f594c034327b05b22de45376f61f353831
SHA512: f058f2824f68c976bfceb65f8cde4907ffe2538543f0d397c790c2385db953ffc340c18aee75a0a4303efea02640fbd92afccd32eee056d339e4d2984c152053

Filesize: 423KB
MD5: 7639aac5971bc790c80abfd97048c430
SHA1: 5a3d2e5360dd206654766cb1bca4888772e32ee1
SHA256: 4f053785a6af154ac47a3b49c80d3adb15b96ca6c5f0e04e9bdf7a642b49da40
SHA512: f672e6a8032e29272cc1d23a0cb3ee202699d2cbfa492a6f6ee805b9ad8a8752bef3a6ed42193f585d659e03f3bf4886bab1e0859ae48f93e9ffc2668439fd8e

Filesize: 770KB
MD5: 7cf887377189a181b6d6cba0f2483d5e
SHA1: 1028d3df2daddfa7646319af46435c5d7d1827c6
SHA256: 4f20b2784fabd837b853300bd10cc7df627406c3ee1dc03c56136312b9b38444
SHA512: 5890088a05f8d06e3b367f6ab586c527bfd6d04a7078b5b90067af8664e94893f45add4578e4ac12f19550aae6772d87671ad92d60f2c12dd062988db2d40c7a

Filesize: 145KB
MD5: 2b078bffa8ba7486b5de4371d05e1f59
SHA1: cd2535d751fcd9fd8ce32a341cbe6087ff5e4006
SHA256: a53973d809deaf13c4140223db81f6b49aa11e0c5430b838c4116cdf86c83a3c
SHA512: f0ffbf1ebc2536ed282f850b02b03c7e5d03781de416e4917fd13a195de5b490c775d4c697e2219191a30f2be93713976e450148a222db7ec2409289b9751b05