Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:49
Static task
static1
Behavioral task
behavioral1
Sample
e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe
Resource
win10v2004-20241007-en
General
-
Target
e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe
-
Size
651KB
-
MD5
27f37bdad06c8547138564bc06264b6b
-
SHA1
5c1f273f032032ad11d56e26a15b1edbe639eff7
-
SHA256
e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623
-
SHA512
bf934514c5d60d64de05651d1fcaa0594f9fda3a2e075f0273eb1ccf8c036def54a5961cbedbd51398e2a760f4fe1a5afd4f164107be3052891309fb5148022a
-
SSDEEP
12288:iMrLy90MIUv54fJ2VpazeQdma+zb7tB7A5mzZ4lh5o2auIYO:xyNAIV0Fma+zbfOmVTwO
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b9d-12.dat healer behavioral1/memory/4516-15-0x0000000000250000-0x000000000025A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr905985.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr905985.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr905985.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr905985.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr905985.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr905985.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/1944-2104-0x0000000005550000-0x0000000005582000-memory.dmp family_redline behavioral1/files/0x000400000001e4d4-2109.dat family_redline behavioral1/memory/4428-2117-0x00000000001F0000-0x0000000000220000-memory.dmp family_redline behavioral1/files/0x000a000000023b9b-2126.dat family_redline behavioral1/memory/4236-2128-0x0000000000AA0000-0x0000000000ACE000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation ku366032.exe -
Executes dropped EXE 5 IoCs
pid Process 1660 zidM9435.exe 4516 jr905985.exe 1944 ku366032.exe 4428 1.exe 4236 lr163851.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr905985.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zidM9435.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2616 1944 WerFault.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lr163851.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zidM9435.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku366032.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4516 jr905985.exe 4516 jr905985.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4516 jr905985.exe Token: SeDebugPrivilege 1944 ku366032.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3324 wrote to memory of 1660 3324 e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe 83 PID 3324 wrote to memory of 1660 3324 e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe 83 PID 3324 wrote to memory of 1660 3324 e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe 83 PID 1660 wrote to memory of 4516 1660 zidM9435.exe 84 PID 1660 wrote to memory of 4516 1660 zidM9435.exe 84 PID 1660 wrote to memory of 1944 1660 zidM9435.exe 93 PID 1660 wrote to memory of 1944 1660 zidM9435.exe 93 PID 1660 wrote to memory of 1944 1660 zidM9435.exe 93 PID 1944 wrote to memory of 4428 1944 ku366032.exe 94 PID 1944 wrote to memory of 4428 1944 ku366032.exe 94 PID 1944 wrote to memory of 4428 1944 ku366032.exe 94 PID 3324 wrote to memory of 4236 3324 e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe 98 PID 3324 wrote to memory of 4236 3324 e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe 98 PID 3324 wrote to memory of 4236 3324 e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe"C:\Users\Admin\AppData\Local\Temp\e85f1bbc6036b51cbdd369617718b599b1dfc2b0c3edbc50f468944a83612623.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidM9435.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr905985.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku366032.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 13804⤵
- Program crash
PID:2616
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr163851.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4236
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1944 -ip 19441⤵PID:2892
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5403d894c45f0d384cec5dca0cec06bd9
SHA133014a4321c8b6e120f47b1d89314853ad0239d4
SHA256e77cc69ef7c57c5d40e30ca5075fb7f129633fbd1de602f2bdc96298dde723e7
SHA512a11219a268291a3255e081b47c7dfe2af23cb16a067087198c840b72d9e22de773b7d54e4d822c6ebdf2b662de2e197639d8060605e79558cd836be69edbf3fc
-
Filesize
496KB
MD5f7ebbc4c52f0ade16b33bc23be0db045
SHA11474a26eee3ffacc267fb7ee7e9bb5502c8ac454
SHA25636f9addac891ee2cc262eeac725de41ce3a57a2be160b174182eca981303266d
SHA5121f5c18277728747f2e4ff1aedc7ce7851d06642afb3056987c1c4fd12435e5298ca5c6cb3aab090eab6060d9e9d7d7724ddd81907ff1c7d78fe4f0c634ff367b
-
Filesize
11KB
MD563e82dedacf4746ece8ab970e4554ed7
SHA14618d8b778cab80c6f8b36d9b913b5db97ebd7c8
SHA25697dfa4d777fc85f88bb2313b98ffc7b076279f1c9a1ab2f43f13ef3f4fcdd408
SHA512d31eb702b340522ef242246c49538e44ec933c9f0aaddad725681eb19d5b4b6afe2f1f06a6f1e0dfcd9fe8c005f817dc395a1a2ac2db92eafe84d6c134030b31
-
Filesize
414KB
MD540fc922d2a6ec7f62f53ecad05f1b820
SHA17c1e80f0a41438fd430ad275fad4e40f1a786721
SHA2563c1da8b14ca4bc89b4efe0b019f33a96214bd9a11bd54806a0150662da200d2b
SHA512513a43f00553a8749405e9ea119489f070f61e06d9edfb8d5532b5e4a3457ed028afa9a5e2918c9653c627ba8b3fa431f520338433a5dc5e46e5f90c107f80b1
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0