Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 13:28
Static task
static1
Behavioral task
behavioral1
Sample
614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe
Resource
win10v2004-20241007-en
General
-
Target
614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe
-
Size
686KB
-
MD5
77a66b0ea38c48301dad41a6fa3a817a
-
SHA1
eddfbca45d81c61db14808c3b46332377e92388e
-
SHA256
614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c
-
SHA512
07644d2f25542febb07e09e4dc1e19a1d5c9a842ce4a43f8840fd109d6beae2e5baac45c752c2014b0ce1e3b9065ffdf9022cd5c31f18996204d88415bcad20e
-
SSDEEP
12288:7Mruy90o5arq0rpW9/QgZu1+HzWwkQkjBlFKKtHlMCQT:lyTcrqmW9HlTWwBkjBlowLQT
Malware Config
Extracted
redline
sony
193.233.20.33:4125
-
auth_value
1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2144-19-0x0000000002590000-0x00000000025AA000-memory.dmp healer behavioral1/memory/2144-21-0x00000000025E0000-0x00000000025F8000-memory.dmp healer behavioral1/memory/2144-23-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-27-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-49-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-47-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-45-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-43-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-41-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-39-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-37-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-33-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-31-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-29-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-25-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-35-0x00000000025E0000-0x00000000025F2000-memory.dmp healer behavioral1/memory/2144-22-0x00000000025E0000-0x00000000025F2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro7192.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro7192.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro7192.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro7192.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro7192.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro7192.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/3488-60-0x00000000027F0000-0x0000000002836000-memory.dmp family_redline behavioral1/memory/3488-61-0x00000000052B0000-0x00000000052F4000-memory.dmp family_redline behavioral1/memory/3488-62-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-63-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-95-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-94-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-91-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-89-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-87-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-85-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-83-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-82-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-79-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-77-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-75-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-73-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-71-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-69-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-67-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline behavioral1/memory/3488-65-0x00000000052B0000-0x00000000052EE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3816 un818804.exe 2144 pro7192.exe 3488 qu2617.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro7192.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro7192.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un818804.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 880 2144 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un818804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro7192.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu2617.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2144 pro7192.exe 2144 pro7192.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2144 pro7192.exe Token: SeDebugPrivilege 3488 qu2617.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3780 wrote to memory of 3816 3780 614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe 86 PID 3780 wrote to memory of 3816 3780 614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe 86 PID 3780 wrote to memory of 3816 3780 614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe 86 PID 3816 wrote to memory of 2144 3816 un818804.exe 87 PID 3816 wrote to memory of 2144 3816 un818804.exe 87 PID 3816 wrote to memory of 2144 3816 un818804.exe 87 PID 3816 wrote to memory of 3488 3816 un818804.exe 96 PID 3816 wrote to memory of 3488 3816 un818804.exe 96 PID 3816 wrote to memory of 3488 3816 un818804.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe"C:\Users\Admin\AppData\Local\Temp\614a7bc3cc3a78328199db7a3a1afbb2e5259be67d6ec422b0aff8b0d079268c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un818804.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un818804.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7192.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 10804⤵
- Program crash
PID:880
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2617.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2617.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2144 -ip 21441⤵PID:3548
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
544KB
MD547b54e846d9f40dc98aa3e6f42a466a8
SHA1c38d763f32b9f37f034e7e3bbd96b4e783b4bdbc
SHA2569f4571b47084c38f0258af292a1b0be5e678ad160ccefd2166f3ec6d4c0e94a9
SHA5124cff705493db460662e9f89d430041f2e56bb24f6e10aefd73cc249cf2c6bc8ac9a36b1449f41b581b13545e86b9b9377040dd2f2cd3a797c7718e376e87f635
-
Filesize
292KB
MD540860b62b4f51454140a24b86d50bfac
SHA18ec00501c5d396b1214ca1d73691408de66c6be2
SHA25634fadf619a9687e71f846e28387f81da4415f0cb04ea3975d8551eb99adfa1ee
SHA512699ee3ec98de483a3bb63f7d856720026619cc0951f09ac601c4b27aa4e8731f1a817a4dcf9ceb2bfed431bb5d42e3d9bf70e39d5436aa72c759420ab60da542
-
Filesize
350KB
MD5f568d3fb6bb39e37af0acbd7be4c806b
SHA10a736da339aab58a08bae8ab8d2e00f1720d5e3b
SHA256a4ee19088f167787d555390647a7a45563ec9d0d66cad90f8e784d78cf2b8b95
SHA5128913b3efb4fe057e741061bfb8d6b385aa0f1c4a12042633404705983ae4589b6394de0da6a6608f441483ca02b92c3d2fa46fd5daf1085293f160b166d6ea1e