Analysis
max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04-11-2024 13:23
Static task
static1
Behavioral task
behavioral1
Sample
77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe
Resource
win10v2004-20241007-en
General
Target
77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe
Size
851KB
MD5
b5400b3c5afbec5b7ec646aadde072c1
SHA1
4d92db7b95b7edec5b9682728d4356371c985640
SHA256
77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f
SHA512
7e7251693c19422796e44f7c4786c1152bf00f8244bfaf86049801890047407446c46ae392c227157f0629978447e48cfddc75a254ab00b582beebee3ccbca60
SSDEEP
12288:LMrKy90TuBlHc/XwzmOlpDZQB25Na1MWRx3zVXPgewpPGgEwExQkVUt1oEodnihI:JyUQI6pDGsYR7YewBDEwEykVUtH+d
Malware Config
Extracted
Family
redline
Botnet
gena
C2
193.233.20.30:4125
Attributes
auth_value = 93c20961cb6b06b2d5781c212db6201e
Signatures
Detects Healer, an antivirus disabler dropper 19 IoCs
resource  yara_rule
behavioral1/files/0x0008000000023c8d-19.dat  healer
behavioral1/memory/4660-22-0x00000000003E0000-0x00000000003EA000-memory.dmp  healer
behavioral1/memory/4012-29-0x00000000049B0000-0x00000000049CA000-memory.dmp  healer
behavioral1/memory/4012-31-0x0000000004BB0000-0x0000000004BC8000-memory.dmp  healer
behavioral1/memory/4012-32-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-41-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-57-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-55-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-53-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-51-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-49-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-48-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-45-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-39-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-37-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-35-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-33-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-43-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/4012-59-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  c99FX08.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  b8088SN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  b8088SN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  b8088SN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  b8088SN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  b8088SN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  c99FX08.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  b8088SN.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  c99FX08.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  c99FX08.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  c99FX08.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  c99FX08.exe
Note that the two droppers write the same value names under two different views of the key: b8088SN.exe under the native HKLM\SOFTWARE\Policies path and c99FX08.exe under the WOW6432Node view, so any detection or hunt for these values has to cover both spellings.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/4368-67-0x0000000004AB0000-0x0000000004AF6000-memory.dmp  family_redline
behavioral1/memory/4368-68-0x0000000004BB0000-0x0000000004BF4000-memory.dmp  family_redline
behavioral1/memory/4368-69-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-82-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-100-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-98-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-96-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-94-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-92-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-90-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-88-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-84-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-80-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-78-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-76-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-74-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-72-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-70-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-102-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
behavioral1/memory/4368-86-0x0000000004BB0000-0x0000000004BEE000-memory.dmp  family_redline
Redline family
Executes dropped EXE 5 IoCs
pid  Process
2448  tice9306.exe
4468  tice6912.exe
4660  b8088SN.exe
4012  c99FX08.exe
4368  dWDNz94.exe
Windows security modification 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  c99FX08.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  b8088SN.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  c99FX08.exe
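The Defender registry writes recorded in the Real-Time Protection table and the TamperProtection table above are the artefacts a defender would alert on from endpoint telemetry. The following is an added example, not part of this report and not code from the sandbox or from the malware: it runs simple detection logic over a few constructed Sysmon Event ID 13 (registry value set) records shaped like the IoCs above, folds the sandbox's \REGISTRY\MACHINE\ notation onto Sysmon's HKLM\ form, and accepts both the native key and its WOW6432Node view, which is where the report shows c99FX08.exe's values landing. The sample records, the field names Image/TargetObject/Details and the rule names are assumptions made for this example.

```python
"""Detection logic for the Defender-tampering registry writes in this report.

Added example, not part of the sandbox report. Runs over constructed Sysmon
Event ID 13 records (assumed field names: Image, TargetObject, Details) and
flags writes that switch off a Defender real-time protection component or
tamper protection. Rule names are this example's own.
"""
import re
from typing import Optional

# Real-Time Protection policy values that disable a component when set to 1.
# The value names are the ones listed in the report's IoCs.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

# Cover both the native key and the WOW6432Node view written by 32-bit processes.
RTP_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\(?P<value>[^\\]+)$", re.IGNORECASE)
TAMPER_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows Defender"
    r"\\Features\\TamperProtection$", re.IGNORECASE)

SANDBOX_HKLM = "\\REGISTRY\\MACHINE\\"   # prefix used in the sandbox's IoC lines


def normalize_target(target: str) -> str:
    """Fold the sandbox's \\REGISTRY\\MACHINE\\ prefix onto Sysmon's HKLM\\ form."""
    if target.upper().startswith(SANDBOX_HKLM):
        return "HKLM\\" + target[len(SANDBOX_HKLM):]
    return target


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; None if not a DWORD."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> Optional[str]:
    """Return a rule name for a tampering write, or None for anything else."""
    target = normalize_target(event["TargetObject"])
    data = parse_dword(event.get("Details", ""))
    m = RTP_KEY_RE.match(target)
    if m and m.group("value") in RTP_DISABLE_VALUES and data == 1:
        return "defender_rtp_component_disabled"
    if TAMPER_KEY_RE.match(target) and data == 0:
        return "defender_tamper_protection_disabled"
    return None   # writes that re-enable protection (1 -> 0 / 0 -> 1) are not flagged


def detect(events):
    """One finding per matching event, keeping the writing image for triage."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule:
            findings.append({"rule": rule, "image": ev["Image"],
                             "target": normalize_target(ev["TargetObject"])})
    return findings


# Constructed Sysmon Event ID 13 records; paths and data mirror the report's IoCs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8088SN.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c99FX08.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c99FX08.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Constructed benign counter-example: real-time monitoring being switched back on.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Same kind of write in the sandbox's own path notation, to exercise normalisation.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8088SN.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["image"], f["target"])
```

Only the value names the report lists are in RTP_DISABLE_VALUES; extend the set from the Defender policy documentation before using this against production telemetry, and keep the data check so that a GPO refresh that writes the same value names with 0 does not page anyone.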
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  tice9306.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  tice6912.exe
These three wextract_cleanupN values are the standard cleanup entries written by the wextract (IExpress) self-extracting stub, one per nesting level (IXP000.TMP, IXP001.TMP, IXP002.TMP are its extraction directories). On the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete those directories; the entries remove traces of the unpacking rather than relaunch the payload, so treat them as an indicator of nested IExpress packaging, not of run-key persistence for RedLine itself.
Program crash 1 IoCs
pid  pid_target  Process  procid_target
720  4012  WerFault.exe  94
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c99FX08.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dWDNz94.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tice9306.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tice6912.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
4660  b8088SN.exe
4660  b8088SN.exe
4012  c99FX08.exe
4012  c99FX08.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid  Process
Token: SeDebugPrivilege  4660  b8088SN.exe
Token: SeDebugPrivilege  4012  c99FX08.exe
Token: SeDebugPrivilege  4368  dWDNz94.exe
Suspicious use of WriteProcessMemory 14 IoCs
description  pid  Process  procid_target
PID 1960 wrote to memory of 2448  1960  77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe  85
PID 1960 wrote to memory of 2448  1960  77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe  85
PID 1960 wrote to memory of 2448  1960  77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe  85
PID 2448 wrote to memory of 4468  2448  tice9306.exe  86
PID 2448 wrote to memory of 4468  2448  tice9306.exe  86
PID 2448 wrote to memory of 4468  2448  tice9306.exe  86
PID 4468 wrote to memory of 4660  4468  tice6912.exe  87
PID 4468 wrote to memory of 4660  4468  tice6912.exe  87
PID 4468 wrote to memory of 4012  4468  tice6912.exe  94
PID 4468 wrote to memory of 4012  4468  tice6912.exe  94
PID 4468 wrote to memory of 4012  4468  tice6912.exe  94
PID 2448 wrote to memory of 4368  2448  tice9306.exe  98
PID 2448 wrote to memory of 4368  2448  tice9306.exe  98
PID 2448 wrote to memory of 4368  2448  tice9306.exe  98
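The WriteProcessMemory rows above are the raw material from which the Processes tree below is drawn: each row names the writing process and the PID it wrote into, the same parent-to-child pair appears several times, and the trailing number is the sandbox's sequential process index rather than an OS PID (c99FX08.exe is index 94 here and in the Program crash row). The following is an added example, not part of this report and not the sandbox's own code: it parses rows in exactly this layout, de-duplicates them, and rebuilds the tree. The rows are copied from the table above; child image names come from the Executes dropped EXE table, because a row only names the writer. Function names are this example's own.

```python
"""Rebuild the process tree from "Suspicious use of WriteProcessMemory" rows.

Added example, not part of the sandbox report. Rows are copied from the
report's table; NAMES comes from its "Executes dropped EXE" table plus the
submitted sample. Function names are assumptions made for this example.
"""
import re
from collections import OrderedDict

# Rows copied from the report (a subset, with duplicates kept on purpose).
# Layout: "PID <writer> wrote to memory of <target> <writer> <image> <sandbox_idx>".
WPM_ROWS = """\
PID 1960 wrote to memory of 2448 1960 77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe 85
PID 1960 wrote to memory of 2448 1960 77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe 85
PID 2448 wrote to memory of 4468 2448 tice9306.exe 86
PID 2448 wrote to memory of 4468 2448 tice9306.exe 86
PID 4468 wrote to memory of 4660 4468 tice6912.exe 87
PID 4468 wrote to memory of 4012 4468 tice6912.exe 94
PID 4468 wrote to memory of 4012 4468 tice6912.exe 94
PID 2448 wrote to memory of 4368 2448 tice9306.exe 98
"""

# pid -> image, from the "Executes dropped EXE" table plus the root sample.
NAMES = {
    1960: "77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe",
    2448: "tice9306.exe",
    4468: "tice6912.exe",
    4660: "b8088SN.exe",
    4012: "c99FX08.exe",
    4368: "dWDNz94.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<sandbox_idx>\d+)$")


def parse_rows(text):
    """De-duplicated (writer_pid, target_pid, writer_image, sandbox_idx) in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue   # header or malformed row: skip rather than guess
        edge = (int(m["writer"]), int(m["target"]), m["image"], int(m["sandbox_idx"]))
        seen.setdefault(edge, None)
    return list(seen)


def build_tree(edges):
    """Return (children, roots): parent pid -> ordered child pids, and pids nobody wrote into."""
    children = {}
    targets = set()
    for writer, target, _image, _idx in edges:
        kids = children.setdefault(writer, [])
        if target not in kids:
            kids.append(target)
        targets.add(target)
    roots = sorted({e[0] for e in edges} - targets)
    return children, roots


def flatten(children, root, names, depth=0, out=None):
    """Depth-first (depth, pid, image) list in the order the report renders its tree."""
    out = [] if out is None else out
    out.append((depth, root, names.get(root, "<unknown>")))
    for child in children.get(root, []):
        flatten(children, child, names, depth + 1, out)
    return out


def render(text=WPM_ROWS, names=NAMES):
    """Indented text tree, one process per line."""
    children, roots = build_tree(parse_rows(text))
    lines = []
    for root in roots:
        for depth, pid, image in flatten(children, root, names):
            lines.append(f"{'  ' * depth}{image} (PID {pid})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
```

The parser only recovers processes that wrote into another process; WerFault.exe (PIDs 720 and 512) never appears as a writer or a target in these rows, which is why the crash handler has to be taken from the Program crash table rather than from this chain.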
Processes
[1] C:\Users\Admin\AppData\Local\Temp\77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\77fda6047aa2ee062e16f5d64c7d7b400e8e6c57cc52f4a08a1092a802ca119f.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9306.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9306.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2448
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6912.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6912.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:4468
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8088SN.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8088SN.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID:4660
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c99FX08.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c99FX08.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID:4012
                [5] C:\Windows\SysWOW64\WerFault.exe
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 980
                    - Program crash
                    PID:720
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dWDNz94.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dWDNz94.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:4368
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4012 -ip 4012
    PID:512
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads
Filesize
707KB
MD5
7b7cdf86b66b221fb9b584b6f17e6efd
SHA1
ade0a6633016277a4b7fa4eab4317839470edcda
SHA256
59e6cd7d76fa677b46fdf7c100eb5950d0d81949369eab6ab437732ded3ccd5f
SHA512
77c053eb08085aba498d27da1e3e9b42cc411b5588678bfbaf011fb71a9d7de2ce5b1bab5706db8482d7fad2a1e1bfc981e7c7aa47ba73fc86e8d7c3cf9dd4b5

Filesize
391KB
MD5
301faf9c7cc2627a8ca2cfaff8908138
SHA1
e11c6dfd3d7616019ab72590df34a31dfed0654e
SHA256
eaf93783b1ad4191fa9112faa7d3e4b2813435135c3bd9d8016cb6a33742b4ae
SHA512
50c9a0c56ffe1f0459ee7eb943cdd2af40c1b37a0f8617b0f6051ccec90d77a41900f40fcb8f0e569ed0094ade1b3b5dd750b6ef2c52d1760084f40c306ed669

Filesize
353KB
MD5
d504eaaa840b5946f5fca2c0a641c6f5
SHA1
14c8b98386d6d5364a7eca9b148b60130ceaba36
SHA256
a5c53a2b657625b64af88b6e95f778359b85a0b5b3793bc9c2d97844be375cc2
SHA512
cbd6a70604c91d018c97143b4f9bff62cd8a38e3e24379a3a3bdd9f3686a7bdad5ab2b118cea17536c58e9c5553360948fb56494916c161995ff54a55c4bb927

Filesize
11KB
MD5
7e93bacbbc33e6652e147e7fe07572a0
SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize
333KB
MD5
e7a8a02ad8b37e32bb1a2ad42970d63e
SHA1
c3992bab2448494c4c0d224693a3c9e7667559be
SHA256
77b111d04a498b5d2fb532749786557bf13314deda248e5beef68eaa1a9e5ae5
SHA512
b2a0c64fce46cf9e77c00831aeca92dabfee5919cf580fdfd34f81faccf7803ade4a7d2279c3f4e33749db4649df2dc2f6163a201048c4ad8ace332169b8031c