Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:25 UTC
Static task
static1
Behavioral task
behavioral1
Sample
a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe
Resource
win10v2004-20241007-en
General
-
Target
a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe
-
Size
685KB
-
MD5
4eeee85e0ca5766cb674427e41216cc8
-
SHA1
b6f7ab335ca8a58d90f2b5b4d4c99c530a74e956
-
SHA256
a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb
-
SHA512
ca47b3c1f03a5ca1b6c36ac3bc5feaf23ae57e4d7a658b56b933c09deea1f1a7d6f09f0d06e6cca5fcc14c41008cdec0564d807ac03bc26ec164f0ab93934dff
-
SSDEEP
12288:LMrxy90QKULNUEzjI1u5p9o54pIjwbyODQEJ2xANNKJvfeUp9GphP0yQ:Oybdg1+gG7DhGAKJvfN9aP0n
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c62-12.dat healer behavioral1/memory/2280-15-0x00000000003F0000-0x00000000003FA000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr878460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr878460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr878460.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr878460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr878460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr878460.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/5068-2105-0x0000000005740000-0x0000000005772000-memory.dmp family_redline behavioral1/files/0x000f000000023b24-2110.dat family_redline behavioral1/memory/5224-2118-0x0000000000D70000-0x0000000000DA0000-memory.dmp family_redline behavioral1/files/0x0007000000023c60-2128.dat family_redline behavioral1/memory/420-2129-0x0000000000CF0000-0x0000000000D1E000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation ku377860.exe -
Executes dropped EXE 5 IoCs
pid Process 3088 ziYO4816.exe 2280 jr878460.exe 5068 ku377860.exe 5224 1.exe 420 lr250953.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr878460.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziYO4816.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3656 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5660 5068 WerFault.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziYO4816.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku377860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lr250953.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2280 jr878460.exe 2280 jr878460.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2280 jr878460.exe Token: SeDebugPrivilege 5068 ku377860.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 116 wrote to memory of 3088 116 a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe 84 PID 116 wrote to memory of 3088 116 a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe 84 PID 116 wrote to memory of 3088 116 a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe 84 PID 3088 wrote to memory of 2280 3088 ziYO4816.exe 85 PID 3088 wrote to memory of 2280 3088 ziYO4816.exe 85 PID 3088 wrote to memory of 5068 3088 ziYO4816.exe 93 PID 3088 wrote to memory of 5068 3088 ziYO4816.exe 93 PID 3088 wrote to memory of 5068 3088 ziYO4816.exe 93 PID 5068 wrote to memory of 5224 5068 ku377860.exe 94 PID 5068 wrote to memory of 5224 5068 ku377860.exe 94 PID 5068 wrote to memory of 5224 5068 ku377860.exe 94 PID 116 wrote to memory of 420 116 a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe 98 PID 116 wrote to memory of 420 116 a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe 98 PID 116 wrote to memory of 420 116 a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe"C:\Users\Admin\AppData\Local\Temp\a5f0fbc911d801092f455034c1ee2829e0a1296eaf7b8f39c16712b3367f96bb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYO4816.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYO4816.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr878460.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr878460.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku377860.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku377860.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5224
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 13844⤵
- Program crash
PID:5660
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr250953.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr250953.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5068 -ip 50681⤵PID:5576
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3656
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request66.208.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request211.143.182.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
104 B 2
-
104 B 2
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
66.208.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
211.143.182.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD517152d58df9dba6b55d1b99f68126601
SHA15fcbb83e7e2bddd6caefa4aac1e7540fab6c4e73
SHA256bd2749bb04f20ea243646fbb683ba733d4b2bf113f91ca2b1959fa0fe06caa4f
SHA51224630b4d08fe9cc10ab768804c9bdb68c2a0f7ebcffd70a5a43e099be4634637964813007331c7a94f040a6c7ed9d35ee5be5f4cf2d1630effbf1d797c3f7a33
-
Filesize
530KB
MD5114017cbdcbde62bbe0f947fad4e8fa5
SHA15b6cd83523915ee62f5da54a0d60de153d04e6be
SHA25673d4f1485fa87bbb4002f1ac3b7ebe69ac60e9e8828b3e0850ff4200fcba14e2
SHA51233bace48b8ef4be9165336e4bf547168d6d9ac04f89ecd8783e8d1ad4eb7fb345cee13b1cee25d84457602618125379229c86acd9a0f76fedd2bacf49d481a0b
-
Filesize
12KB
MD595df5b36ae25e01bb738c7d6ea2a6055
SHA17f8792a4465884b2c7de22c8e661e6328eb12c3c
SHA256f14b16918bb2ae493be02645953afae559c6aa6f0f0f3f633e361458441e75b4
SHA51276154fb9baeb87da3f7c82eba46dca63e99aa6ea17ea59187a17fc44ea5fc50546d718fb300b07cbc9d56148a47b9533cb8bf94653b9e75cd3bf228a24809f48
-
Filesize
495KB
MD5bf44e0c6406210ef2f432fcc760525e7
SHA11f5dfb50a98ac0779a12d09d49da86f138887319
SHA256bc36c798f0072c3dd399c31125ca0b75254ffbdceb63874365831ef01add0e42
SHA512a14eff46420993fe7528ee104ad3f7790353a95b8151c53e09c2b0a76bddd6e4269eec71c3742815449be96bc8e05cd4dfd293b61bc2fec66e448c442c5cb229
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0