Analysis

max time kernel: 145s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04-11-2024 13:28

Static task: static1
Behavioral task: behavioral1
Sample: bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe
Resource: win10v2004-20241007-en
General

Target: bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe
Size: 659KB
MD5: e4ebc93dd838d20e977d1bab0f2f699d
SHA1: db614edecad5b7d02d3f3adda025d1f2880c7274
SHA256: bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d
SHA512: d812f668bd71c166e45b127a4ed1733530456fe92fdb97a617af9c48af26f8c8f6662bdaf3df734e82610b6bc8f7f01f6c8bacbe0df80a11e78fea3f824b3dbb
SSDEEP: 12288:LMr+y9095PhnmEoFxzSGQ9ohUbhGcQKCA0o5RHgUUtJgX:Ryg5PYPGeEf/5vHnUtE
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/4872-19-0x0000000002380000-0x000000000239A000-memory.dmp | healer
behavioral1/memory/4872-21-0x0000000002430000-0x0000000002448000-memory.dmp | healer
behavioral1/memory/4872-41-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-49-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-47-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-45-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-44-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-40-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-38-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-35-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-34-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-31-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-29-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-27-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-25-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-23-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/4872-22-0x0000000002430000-0x0000000002442000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1811.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1811.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1811.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1811.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1811.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1811.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/2256-60-0x00000000023D0000-0x0000000002416000-memory.dmp | family_redline
behavioral1/memory/2256-61-0x00000000025A0000-0x00000000025E4000-memory.dmp | family_redline
behavioral1/memory/2256-65-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-62-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-73-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-95-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-94-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-89-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-87-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-85-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-83-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-79-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-77-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-75-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-71-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-69-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-67-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-63-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-91-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/2256-81-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
3440 | un971517.exe
4872 | pro1811.exe
2256 | qu4950.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1811.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1811.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un971517.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4744 | 4872 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un971517.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro1811.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu4950.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4872 | pro1811.exe
4872 | pro1811.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4872 | pro1811.exe
Token: SeDebugPrivilege | 2256 | qu4950.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2328 wrote to memory of 3440 | 2328 | bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe | 84
PID 2328 wrote to memory of 3440 | 2328 | bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe | 84
PID 2328 wrote to memory of 3440 | 2328 | bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe | 84
PID 3440 wrote to memory of 4872 | 3440 | un971517.exe | 85
PID 3440 wrote to memory of 4872 | 3440 | un971517.exe | 85
PID 3440 wrote to memory of 4872 | 3440 | un971517.exe | 85
PID 3440 wrote to memory of 2256 | 3440 | un971517.exe | 96
PID 3440 wrote to memory of 2256 | 3440 | un971517.exe | 96
PID 3440 wrote to memory of 2256 | 3440 | un971517.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe (PID 2328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd98eb56b0ac6c5aa830c31a3db42003f3a797c54c3046a7fa0a97a9d2170a7d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un971517.exe (PID 3440)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un971517.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1811.exe (PID 4872)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1811.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 4744)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4950.exe (PID 2256)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4950.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 2940)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4872 -ip 4872
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 516KB
MD5: 0c8f7893925450bf50b0eaab59ba6554
SHA1: 38ef02392fdcbae3845c7bd0aa19f6e0e8ca05f0
SHA256: 73fa168f605b8f15ecfbc3b2222d7037e2a30d30865b879c1171cc53ff8b6548
SHA512: 02aa1a7a4e0c157a5b4ad8615b7cb42487195e8de8573391198c1e572e72c1c86dc30a1d0e200c707e569a5c69a2eb4055074ca575d83f2c56990a798ec96562

Filesize: 236KB
MD5: 886bb83a6e18a460bf43effbf241befe
SHA1: e315cdd741e72ff8c353fdc11b9bb31cd111b344
SHA256: 26313a04f988cbabeaae163e721edd39a9d9bcc8d514e1cc682552a9f77ba083
SHA512: 8d8d866d83b373dc38e3e370d1eabaddc879a5ac84f22afa347633e714092423760e24c91d54288eaedcb0f34f090548fb868cd89c29a97f4584c8404202b361

Filesize: 294KB
MD5: e677da944e859e2330033e11c3cf48e7
SHA1: 4d79bc430d2ff468485dd48cef31b2173e2e0fe1
SHA256: 2d451e7aa85e6fb4f167902d09680c1283756a5944cda3154b5f09a6dd8919c4
SHA512: 77977b5319d30fca4a4ebc6ffb75c83b5202de8d881b9bea88e650b791b588e02d1d58bb30e36003290e90985dba3b11e495ba6ef9d5e53149ddf8256fd143a9