Analysis

max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:48

Static task: static1
Behavioral task: behavioral1
Sample: d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe
Resource: win10v2004-20241007-en
General

Target: d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe
Size: 530KB
MD5: cf8c96513753595e188e0aed4953c610
SHA1: 7380e7c18a509a9ae513b4fc06dfc627928c7f93
SHA256: d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57
SHA512: 200fcfb234ebe56d769d83f7ea4a4c3bbad1825b51db0c5de031ca1d3bdf3f1334d7f34c2d693f5437921728705066c29f61b137d0d813f0823f729e216d1d1b
SSDEEP: 12288:9Mrwy908V7fu1nT3p2xY1Svjf7rSv2XF5yz:xyhc24kXDXF5yz
Malware Config

Extracted
Family: redline
Botnet: norm
C2: 77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b7c-5.dat | healer
behavioral1/memory/320-8-0x0000000000500000-0x000000000050A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr441762.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr441762.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr441762.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr441762.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr441762.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr441762.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/memory/4424-2101-0x0000000005770000-0x00000000057A2000-memory.dmp | family_redline
behavioral1/files/0x000b000000023b79-2106.dat | family_redline
behavioral1/memory/3012-2114-0x0000000000390000-0x00000000003C0000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ku760359.exe
Executes dropped EXE (3 IoCs)
pid | Process
320 | jr441762.exe
4424 | ku760359.exe
3012 | 1.exe

Windows security modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr441762.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2204 | 4424 | WerFault.exe | 92
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku760359.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
320 | jr441762.exe
320 | jr441762.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 320 | jr441762.exe
Token: SeDebugPrivilege | 4424 | ku760359.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4760 wrote to memory of 320 | 4760 | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe | 83
PID 4760 wrote to memory of 320 | 4760 | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe | 83
PID 4760 wrote to memory of 4424 | 4760 | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe | 92
PID 4760 wrote to memory of 4424 | 4760 | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe | 92
PID 4760 wrote to memory of 4424 | 4760 | d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe | 92
PID 4424 wrote to memory of 3012 | 4424 | ku760359.exe | 93
PID 4424 wrote to memory of 3012 | 4424 | ku760359.exe | 93
PID 4424 wrote to memory of 3012 | 4424 | ku760359.exe | 93
Processes

[1] C:\Users\Admin\AppData\Local\Temp\d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d3b7e789dd40ff8457574e68d188bf3e90606057ed8992dbf739da795fb6cd57N.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4760

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr441762.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr441762.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 320

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku760359.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku760359.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4424

    [3] C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3012

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 992
        - Program crash
        PID: 2204

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4424 -ip 4424
    PID: 4372
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 12KB
MD5: ad75ca6ec8b6a9087ed85a88c0e04fea
SHA1: 8e2a78c537bf1d8fd0d487837bd0baf9bbefe1d8
SHA256: 5b101583de60ad2876b768b8254ee40a792b649487fba6fcc2f3bbeb96d520eb
SHA512: 53b984c7605f4baf323849a50b7c7fe312161eb88eb10f0bb92a3e817b839c03bbb32e723daa8cfefdb6ff94ce9753b79eff67aeb77cc325a6cbb86204908823

Filesize: 495KB
MD5: 750207b822afb581b0c1adef5099cfd2
SHA1: 9358add7abfd23d55e93f655a050a0c360177498
SHA256: 2474bcd1774f17cc4f918cd7753da851f4cd17b9ad77a17e8dcdcf64b8663151
SHA512: 5308a583b698974cd109d21e315f30030dd636a3f4b9bf982e2a9364c8f5fbd701723d3930e6bbec52356c7829543c201092bc6e56c80dec6610d8eaa65e79f0

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0