Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 02:07
Static task: static1
Behavioral task: behavioral1
Sample: b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe
Resource: win10v2004-20241007-en
General
- Target: b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe
- Size: 787KB
- MD5: 2bd696fece82bddca42e869a95fd375c
- SHA1: f07b50131f06aa5732670c75f7dfeb9b352eec85
- SHA256: b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804
- SHA512: 777cc9dee39eccd4318ad9653f03f738dd1bebfe456b027b6fc4f60b5f400c8f037dfbeec50ce3bba4246d37f1db4203c63b76a668e35c5359c8eeed6594ce3f
- SSDEEP: 12288:nMrey90xSj/AAHlgA5mfCkk/YlDJ+Ty4+OKqNRCuCD3aD1wdjfrxrLhby8ZqeLna:Ny3N5mCkk/YlDJsCbD3apwrlLoJUa
Malware Config

Extracted: redline (norm)
- C2: 77.91.124.145:4125
- auth_value: 1514e6c0ec3d10a36f68f61b206f5759

Extracted: redline (diza)
- C2: 77.91.124.145:4125
- auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
- pro2456.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- pro2456.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- pro2456.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- pro2456.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- pro2456.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- pro2456.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/3444-2143-0x0000000005400000-0x0000000005432000-memory.dmp family_redline
- behavioral1/files/0x000c000000022719-2148.dat family_redline
- behavioral1/memory/2736-2156-0x00000000009A0000-0x00000000009D0000-memory.dmp family_redline
- behavioral1/files/0x0008000000023c8a-2166.dat family_redline
- behavioral1/memory/5628-2167-0x0000000000D70000-0x0000000000D9E000-memory.dmp family_redline
Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- qu8936.exe: Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 2160 un756330.exe
- 3508 pro2456.exe
- 3444 qu8936.exe
- 2736 1.exe
- 5628 si072130.exe
Windows security modification
Processes:
- pro2456.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- pro2456.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- un756330.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes (pid, pid_target, process, procid_target):
- 4088, 3508, WerFault.exe, 86
- 5888, 3444, WerFault.exe, 102
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of: si072130.exe, b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe, un756330.exe, pro2456.exe, qu8936.exe, 1.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 3508 pro2456.exe
- 3508 pro2456.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3508, pro2456.exe
- Token: SeDebugPrivilege, 3444, qu8936.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each entry below is recorded three times in the report):
- PID 3496 wrote to memory of 2160 (b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe, procid_target 85)
- PID 2160 wrote to memory of 3508 (un756330.exe, procid_target 86)
- PID 2160 wrote to memory of 3444 (un756330.exe, procid_target 102)
- PID 3444 wrote to memory of 2736 (qu8936.exe, procid_target 103)
- PID 3496 wrote to memory of 5628 (b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe, procid_target 106)
Processes (tree depth shown by indentation)

- "C:\Users\Admin\AppData\Local\Temp\b31f93b079aa517c224c70573f72bd3388bf63ab9207d91be06184da2effc804.exe" (PID 3496)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un756330.exe (PID 2160)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2456.exe (PID 3508)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1076 (PID 4088)
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8936.exe (PID 3444)
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - "C:\Windows\Temp\1.exe" (PID 2736)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1516 (PID 5888)
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si072130.exe (PID 5628)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3508 -ip 3508 (PID 4236)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3444 -ip 3444 (PID 6072)
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads