Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:25
Static task: static1
Behavioral task: behavioral1
Sample: 67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe
Resource: win10v2004-20241007-en

General
Target: 67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe
Size: 787KB
MD5: e82ee480edd44f6da0c9d606725b78a2
SHA1: af6ec07b8b12cf637ccc42a7a5af8db4dfc1472f
SHA256: 67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933
SHA512: 9a15f4ad7ff2a561d60f263e78cb82574d1dc105e3d85179299c616417b52e2f710dd0885d5c437c2e6b15d0c3a8032fcb1521709595bd717e4895cc9a48040e
SSDEEP: 12288:DMr6y90xXtQ09MJehCUq2Gpb+QJKpJMUh/t3ipgGVqVP8vQsWv6Yy:ZyUXO71BJMDHGEGQb8
Malware Config
Extracted
Family: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Extracted
Family: redline
Botnet: diza
C2: 77.91.124.145:4125
auth_value: bbab0d2f0ae4d4fdd6b17077d93b3e80
Both extracted configurations point at the same C2 endpoint (77.91.124.145:4125) but carry different botnet tags and auth_value attributes, so two distinct RedLine builds are present in the run.
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource / yara_rule (all 17 hits are memory regions of pid 804, pro8295.exe, covering three distinct address ranges):
behavioral1/memory/804-19-0x00000000023B0000-0x00000000023CA000-memory.dmp healer
behavioral1/memory/804-21-0x0000000002450000-0x0000000002468000-memory.dmp healer
behavioral1/memory/804-25-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-49-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-47-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-45-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-23-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-44-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-41-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-39-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-37-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-35-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-33-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-31-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-29-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-27-0x0000000002450000-0x0000000002462000-memory.dmp healer
behavioral1/memory/804-22-0x0000000002450000-0x0000000002462000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description / ioc / Process:
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro8295.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro8295.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro8295.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro8295.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro8295.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro8295.exe
Note: every Defender write is recorded under the WOW6432Node view because pro8295.exe is a 32-bit process (its crash is handled by C:\Windows\SysWOW64\WerFault.exe, and the run is tagged arch:x86 as well as arch:x64). When hunting for this tampering on a host, query both the native and the WOW6432Node view of these keys.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 5 IoCs
resource / yara_rule:
behavioral1/memory/1820-2143-0x0000000005400000-0x0000000005432000-memory.dmp family_redline
behavioral1/files/0x0015000000023b30-2148.dat family_redline
behavioral1/memory/2996-2156-0x0000000000A00000-0x0000000000A30000-memory.dmp family_redline
behavioral1/files/0x0007000000023c72-2164.dat family_redline
behavioral1/memory/2216-2167-0x0000000000720000-0x000000000074E000-memory.dmp family_redline
Redline family
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  qu4918.exe
Executes dropped EXE 5 IoCs
pid / Process:
3364 un781770.exe
804 pro8295.exe
1820 qu4918.exe
2996 1.exe
2216 si560726.exe
Windows security modification 2 IoCs
description / ioc / Process:
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro8295.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro8295.exe
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un781770.exe
Note: RunOnce values named wextract_cleanup<N> that point rundll32.exe at advpack.dll,DelNodeRunDLL32 are written by the Windows self-extracting cabinet stub (wextract) so that its IXP<NNN>.TMP extraction folder is deleted at the next logon. Two such values, one from the sample and one from un781770.exe, indicate two nested self-extractor layers. The value removes a folder rather than starting anything, so despite the signature name it is not malware persistence in itself.
Launches sc.exe 1 IoCs
sc.exe is the Windows utility used to control services on the system. The process tree records "sc.exe start wuauserv" (wuauserv is the Windows Update service) with no recorded parent.
pid / Process:
5676 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid / pid_target / Process / procid_target:
4976  804   WerFault.exe  85   (crash of pro8295.exe)
3704  1820  WerFault.exe  99   (crash of qu4918.exe)
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un781770.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro8295.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu4918.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  si560726.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
804 pro8295.exe
804 pro8295.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process:
Token: SeDebugPrivilege  804   pro8295.exe
Token: SeDebugPrivilege  1820  qu4918.exe
Suspicious use of WriteProcessMemory 15 IoCs
description / pid / Process / procid_target (five distinct parent/child pairs, each logged three times):
PID 4496 wrote to memory of 3364  67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe  83   (x3)
PID 3364 wrote to memory of 804   un781770.exe  85   (x3)
PID 3364 wrote to memory of 1820  un781770.exe  99   (x3)
PID 1820 wrote to memory of 2996  qu4918.exe  100  (x3)
PID 4496 wrote to memory of 2216  67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe  103  (x3)
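The registry IoCs in the signatures above (Defender real-time protection policy values, TamperProtection, the wextract RunOnce cleanup values, the Geo\Nation lookup and the NLS\Language reads) are exactly the events a detection rule would match. The following Python is an added example, not part of this Triage report and not Triage tooling: it re-types those IoC lines as constructed sample events and classifies them into the behaviours the report names. The RegEvent record shape, the rule names and the helper functions are this example's own assumptions.

```python
"""Classify sandbox-style registry events into the behaviours this report flags.

Added example, not part of the Triage report. SAMPLE_EVENTS is constructed by
re-typing the report's IoC lines; field names and rule names are this
example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Defender real-time protection policy values; each disables a feature when set to 1.
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring", "disableioavprotection", "disableonaccessprotection",
    "disablerealtimemonitoring", "disablescanonrealtimeenable",
}
RTP_POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
TAMPER_VALUE = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"


@dataclass(frozen=True)
class RegEvent:
    op: str                     # set_value | query_value | create_key | open_key
    path: str                   # kernel-style path as the sandbox logs it
    process: str
    data: Optional[str] = None  # value data for set_value, as a string


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def normalize(path: str) -> str:
    """Lower-case, map the REGISTRY\\MACHINE and REGISTRY\\USER prefixes to HKLM/HKU,
    and drop the WOW6432Node segment so writes redirected for a 32-bit process
    (pro8295.exe runs under SysWOW64) compare against the native-view key."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\").replace("\\registry\\user\\", "hku\\")
    return p.replace("\\wow6432node\\", "\\")


def classify(events: List[RegEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        p = normalize(ev.path)
        value = p.rpartition("\\")[2]          # last path component = value name
        if (ev.op == "set_value" and p.startswith(RTP_POLICY_KEY)
                and value in RTP_DISABLE_VALUES and ev.data == "1"):
            findings.append(Finding("defender_realtime_disabled", ev.process, value))
        elif ev.op == "set_value" and p == TAMPER_VALUE and ev.data == "0":
            findings.append(Finding("tamper_protection_disabled", ev.process, value))
        elif (ev.op == "set_value" and "\\currentversion\\runonce\\" in p
              and value.startswith("wextract_cleanup")
              and ev.data and "advpack.dll,delnoderundll32" in ev.data.lower()):
            # The quoted argument is the IXP<NNN>.TMP folder the wextract stub deletes.
            m = re.search(r'"([^"]+)"', ev.data)
            findings.append(Finding("wextract_cleanup_runonce", ev.process,
                                    m.group(1).rstrip("\\") if m else ""))
        elif ev.op == "query_value" and p.endswith("\\control panel\\international\\geo\\nation"):
            findings.append(Finding("geo_nation_lookup", ev.process, "possible geofence check"))
        elif ev.op == "open_key" and p.endswith("\\control\\nls\\language"):
            findings.append(Finding("system_language_discovery", ev.process, "T1614.001"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Process name -> sorted, de-duplicated rule names."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.rule)
    return {proc: sorted(rules) for proc, rules in out.items()}


def wextract_dirs(findings: List[Finding]) -> List[str]:
    """Extraction folders scheduled for deletion, in nesting order (outer stub first)."""
    return [f.detail for f in findings if f.rule == "wextract_cleanup_runonce"]


# --- constructed sample input, re-typed from the report's IoC lines -------------
SAMPLE = "67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe"
HKLM32 = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\"
RTP32 = HKLM32 + "Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"


def _cleanup_cmd(folder: str) -> str:
    return 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "' + TMP + folder + '\\"'


SAMPLE_EVENTS: List[RegEvent] = [
    RegEvent("create_key", RTP32, "pro8295.exe"),
    *(RegEvent("set_value", RTP32 + "\\" + v, "pro8295.exe", "1") for v in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")),
    RegEvent("set_value", HKLM32 + "Microsoft\\Windows Defender\\Features\\TamperProtection", "pro8295.exe", "0"),
    RegEvent("set_value", HKLM32 + "Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
             SAMPLE, _cleanup_cmd("IXP000.TMP")),
    RegEvent("set_value", HKLM32 + "Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1",
             "un781770.exe", _cleanup_cmd("IXP001.TMP")),
    RegEvent("query_value", "\\REGISTRY\\USER\\S-1-5-21-2045521122-590294423-3465680274-1000"
             "\\Control Panel\\International\\Geo\\Nation", "qu4918.exe"),
    RegEvent("open_key", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language", "1.exe"),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.process:14} {f.detail}")
```

Matching is done on the normalized path, so the same rules fire whether a 64-bit sample writes the native key or, as here, a 32-bit stage writes the WOW6432Node view. The TamperProtection rule is deliberately separate from the real-time protection rules: a process flipping that value to 0 is worth alerting on even when no policy values follow.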
Processes
C:\Users\Admin\AppData\Local\Temp\67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4496
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un781770.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un781770.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3364
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8295.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8295.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 804
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1080
        - Program crash
        PID: 4976
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4918.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4918.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1820
      C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2996
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1376
        - Program crash
        PID: 3704
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si560726.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si560726.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2216
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 804 -ip 804
  PID: 2412
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1820 -ip 1820
  PID: 3344
C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 5676
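The tree above can be rebuilt from the "wrote to memory" records in the signatures section and annotated with the YARA memory hits, which makes it visible at a glance which stage carries which payload: Healer in pro8295.exe (pid 804) and RedLine in qu4918.exe, 1.exe and si560726.exe. The Python below is an added example, not from the report or from Triage; the parent/child records and the yara_rule resource lines are re-typed from the report as constructed input, and the function names are this example's own.

```python
"""Rebuild process lineage from WriteProcessMemory records and annotate each
node with the YARA families that hit its memory.

Added example, not part of the Triage report. WRITE_EVENTS, PID_NAMES and
YARA_HITS are constructed by re-typing lines of the report.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE = "67d9e17caa43849362bf848321c3e22280a79618c17534ed2aec9b7eb87cc933.exe"

# (parent_pid, child_pid, parent_image), from "Suspicious use of WriteProcessMemory".
# The report logs every pair three times, so the input is deliberately
# triplicated here and de-duplicated by build_tree.
WRITE_EVENTS: List[Tuple[int, int, str]] = []
for _parent, _child, _image in [
    (4496, 3364, SAMPLE), (3364, 804, "un781770.exe"), (3364, 1820, "un781770.exe"),
    (1820, 2996, "qu4918.exe"), (4496, 2216, SAMPLE),
]:
    WRITE_EVENTS += [(_parent, _child, _image)] * 3

# pid -> image, from the root process plus the "Executes dropped EXE" list.
PID_NAMES = {4496: SAMPLE, 3364: "un781770.exe", 804: "pro8295.exe",
             1820: "qu4918.exe", 2996: "1.exe", 2216: "si560726.exe"}

# A subset of the report's yara_rule resources: memory dumps plus one file hit.
YARA_HITS = [
    "behavioral1/memory/804-19-0x00000000023B0000-0x00000000023CA000-memory.dmp healer",
    "behavioral1/memory/804-21-0x0000000002450000-0x0000000002468000-memory.dmp healer",
    "behavioral1/memory/804-25-0x0000000002450000-0x0000000002462000-memory.dmp healer",
    "behavioral1/memory/804-49-0x0000000002450000-0x0000000002462000-memory.dmp healer",
    "behavioral1/memory/1820-2143-0x0000000005400000-0x0000000005432000-memory.dmp family_redline",
    "behavioral1/files/0x0015000000023b30-2148.dat family_redline",
    "behavioral1/memory/2996-2156-0x0000000000A00000-0x0000000000A30000-memory.dmp family_redline",
    "behavioral1/memory/2216-2167-0x0000000000720000-0x000000000074E000-memory.dmp family_redline",
]
HIT_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp\s+(\S+)", re.I)


def parse_yara_hits(lines: List[str]) -> Dict[int, Dict[str, Set[Tuple[int, int]]]]:
    """pid -> family -> distinct (start, end) regions. File hits carry no pid and are skipped;
    repeated dumps of the same region collapse into one entry."""
    hits: Dict[int, Dict[str, Set[Tuple[int, int]]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = HIT_RE.search(line)
        if m:
            pid, start, end, family = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), m.group(4)
            hits[pid][family].add((start, end))
    return hits


def build_tree(events: List[Tuple[int, int, str]]):
    """parent -> ordered unique children, plus the roots (parents that are nobody's child)."""
    children: Dict[int, List[int]] = defaultdict(list)
    seen: Set[Tuple[int, int]] = set()
    for parent, child, _ in events:
        if (parent, child) not in seen:
            seen.add((parent, child))
            children[parent].append(child)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    return children, roots


def render(events, names: Dict[int, str], hits) -> List[str]:
    """Indented tree lines; a node gains 'yara: <family> x<regions>' when hits cover its pid."""
    children, roots = build_tree(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        label = "  " * depth + f"[{pid}] {names.get(pid, '<unknown>')}"
        if pid in hits:
            label += "  yara: " + ", ".join(f"{fam} x{len(regs)}" for fam, regs in sorted(hits[pid].items()))
        lines.append(label)
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(WRITE_EVENTS, PID_NAMES, parse_yara_hits(YARA_HITS))))
```

Because lineage is derived from who wrote into whose memory rather than from a ParentProcessId field, the two -pss WerFault.exe helpers and sc.exe, which have no such record, correctly stay out of the tree, just as the report shows them at the top level.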
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads
Filesize: 168KB
MD5: 281b865476d532d73897467d8f3d8bc8
SHA1: 3c4df3624464993afae96af1cfe2b408652f191d
SHA256: 6b4804019799a243363af25366c72a15763b6d49e788377058bf6f5cbcce8276
SHA512: 67b486b7e7d12bd36fe8d6e665b6264c48e33f1487d60f5315a6ed29a84c11114580a97a921d88091ed10e6b8bc6cc2df31f9c5f65b8d294064c87dea4e0176d

Filesize: 634KB
MD5: 7a0ae4d73018b2152fd5e2a60bc870ef
SHA1: c694f9801019e7bfde7e0ea81f1ee87623cf1caa
SHA256: 71d81e0eac3e19727f07346c0f6e125423ee46d2d3c8d678af6e569f5bdbb423
SHA512: 9a1f79f3d7cb75a439b699a4e26026b711c1ac33b2d61f8f861308020f1135fc9ff789a21152a565303359ef8ec7ddee90d059aeb8d5f8f1f5075866b1830eda

Filesize: 231KB
MD5: 3a8a317a0fb0ae1f853fc08bf15b80a3
SHA1: ec8d7ebf3cf936b2453496b521eee7d2c6321390
SHA256: cf92f821720824d3a18e9b7c2aa515fec96dba404cce51fc796e23b8d3571236
SHA512: c38c848b0208b20708fb995fec7bdc2622613f596fd3ebdc7668bb39255b5f290a37e0edb9c1bacbbd2cb943359fb722b1a73aa1941b061d454c96f21a38690b

Filesize: 415KB
MD5: a773107341d465ed54e557a012e16e2b
SHA1: f92b9dcc04eedd4a50aae1490dcb5e7931f5b296
SHA256: accf82e580a8d9a3c24a70e7722f52e30e7037fc672a9c0aacde8623a9e26a52
SHA512: 17052911452058801d87591a2f21336ccfcad54542fe3475454eda82c759d8dbff36cf637f73c240117843620c602ced1d90aaa948d97ab827fbdfe7d14b70ca

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0