Analysis
- max time kernel: 95s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 20:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe
  - Resource: win10v2004-20241007-en
General
- Target: 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe
- Size: 507KB
- MD5: efc4ed4592d1057ec3547782cc7bad70
- SHA1: 60ebec17010204821077a2361210a35c519d7172
- SHA256: 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5
- SHA512: f38cbe5ac362762d882d6db5afeeaa364c213c79ea4a9024e4f322158669bffb9b9033e8b1ec1d110284648a65f8de3f35edefdc3cdd9d72dd4ffccb2fd84380
- SSDEEP: 12288:CMr1y90Vu74Sinu5PzdN7q+JhqYs8vRQHdCH+9+zu4L7AUF:Hy2uGutdN++JK8vRc2+9+zRn
Malware Config
Extracted
- Family: redline
- Botnet: norm
- C2: 77.91.124.145:4125
- auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
- behavioral1/files/0x000b000000023b9d-5.dat | healer
- behavioral1/memory/4796-7-0x0000000000A90000-0x0000000000A9A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes: jr909183.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr909183.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr909183.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr909183.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr909183.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr909183.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr909183.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
- behavioral1/memory/4300-2100-0x0000000004D50000-0x0000000004D82000-memory.dmp | family_redline
- behavioral1/files/0x000400000001e4d4-2105.dat | family_redline
- behavioral1/memory/5812-2113-0x0000000000570000-0x00000000005A0000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: ku884057.exe
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | ku884057.exe

Executes dropped EXE (3 IoCs)
Processes: jr909183.exe, ku884057.exe, 1.exe
pid | Process
- 4796 | jr909183.exe
- 4300 | ku884057.exe
- 5812 | 1.exe

Windows security modification
Processes: jr909183.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr909183.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
- 5644 | 4300 | WerFault.exe | 92

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: ku884057.exe, 1.exe, 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku884057.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: jr909183.exe
pid | Process
- 4796 | jr909183.exe
- 4796 | jr909183.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: jr909183.exe, ku884057.exe
description | pid | Process
- Token: SeDebugPrivilege | 4796 | jr909183.exe
- Token: SeDebugPrivilege | 4300 | ku884057.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe, ku884057.exe
description | pid | Process | procid_target
- PID 3456 wrote to memory of 4796 | 3456 | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe | 83
- PID 3456 wrote to memory of 4796 | 3456 | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe | 83
- PID 3456 wrote to memory of 4300 | 3456 | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe | 92
- PID 3456 wrote to memory of 4300 | 3456 | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe | 92
- PID 3456 wrote to memory of 4300 | 3456 | 6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe | 92
- PID 4300 wrote to memory of 5812 | 4300 | ku884057.exe | 93
- PID 4300 wrote to memory of 5812 | 4300 | ku884057.exe | 93
- PID 4300 wrote to memory of 5812 | 4300 | ku884057.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe (PID 3456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d0a49344b67ccd2a7168bb95084ad3067d73ce7ce480b769a26e31c35ca17b5N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr909183.exe (PID 4796)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr909183.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku884057.exe (PID 4300)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku884057.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Temp\1.exe (PID 5812)
      Command line: "C:\Windows\Temp\1.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (PID 5644)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1196
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 5688)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4300 -ip 4300
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 13KB
- MD5: 30750e622ca049a1011e86a10bd77ee6
- SHA1: 23e2b1894d0197327257c90f1ccbf962d075241b
- SHA256: 12aceb308b19b16a287f051e037668318a71081df2ff364a489e0b3c81f307db
- SHA512: ccea67e56b9ae2623aa840aca461d13a569e2c2ee47c98f8dacedb69ddb8377341d20b59bd9635f8f45a8b444857c8a646c59723db9061a5a7af44387550c815

- Filesize: 426KB
- MD5: 223329305a510924448df7a3009a5320
- SHA1: 9e31e645a114a99ee2e1ef0859044ffa8661f96d
- SHA256: 51d68dbfbbf10e3a5b45efc8993d83cd7aaaab864bb5fbb14bf98c99d3f7c143
- SHA512: 22cb534dc27a01ebd8a98400d05cff283f49815695a8ced135221d0e9fa9b095b05d9fa3253287be594eaf78b7f17d33f9116704072819f37523a0e202e7a68e

- Filesize: 168KB
- MD5: 1073b2e7f778788852d3f7bb79929882
- SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
- SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
- SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0