Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:29

Static task: static1
Behavioral task: behavioral1
Sample: 6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe
Resource: win10v2004-20241007-en
General
- Target: 6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe
- Size: 687KB
- MD5: 38c08aecf175c465eb78319087c110ea
- SHA1: ce6462629b136145040fa39de6d25f7ea246465f
- SHA256: 6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75
- SHA512: f544c26d1a356155fe524a27d92cca0b85ef1eb56198876780889594ff09a49d4680bcaec2000fbc6a1be76bdb6829187db259db39f0946fe4e3588ce5b60d18
- SSDEEP: 12288:8Mrky90EDQrd3Ni3DY+n3ad8U1FxX6bKgrzyscUHNBMmzqkEVLZRfXePe:wydQrd3NH+qd8AcuOtHAoK9XOe
Malware Config

Extracted
- Family: redline
- Botnet: boris
- C2: 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
  Process: pro5052.exe
  - Key created:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
  PID   Process
  1152  un231817.exe
  2376  pro5052.exe
  2572  qu7342.exe

Windows security modification
  Process: pro5052.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  - Key created:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) by 6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  - Set value (str) by un231817.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoCs)
  PID   PID target  Process       ProcID target
  1864  2376        WerFault.exe  85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un231817.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro5052.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu7342.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  2376  pro5052.exe
  2376  pro5052.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   2376  pro5052.exe
  Token: SeDebugPrivilege   2572  qu7342.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                         PID   Process                                                                  ProcID target
  PID 2360 wrote to memory of 1152    2360  6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe  84
  PID 2360 wrote to memory of 1152    2360  6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe  84
  PID 2360 wrote to memory of 1152    2360  6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe  84
  PID 1152 wrote to memory of 2376    1152  un231817.exe                                                             85
  PID 1152 wrote to memory of 2376    1152  un231817.exe                                                             85
  PID 1152 wrote to memory of 2376    1152  un231817.exe                                                             85
  PID 1152 wrote to memory of 2572    1152  un231817.exe                                                             101
  PID 1152 wrote to memory of 2572    1152  un231817.exe                                                             101
  PID 1152 wrote to memory of 2572    1152  un231817.exe                                                             101
Processes

C:\Users\Admin\AppData\Local\Temp\6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ac0a8d732f2987e323f5cd6184738515c24c9c6a97a5fddb22d0cfd8dcb9c75.exe"
  PID: 2360
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un231817.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un231817.exe
    PID: 1152
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5052.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5052.exe
      PID: 2376
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1088
        PID: 1864
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7342.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7342.exe
      PID: 2572
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2376 -ip 2376
  PID: 3184
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

File 1
- Filesize: 545KB
- MD5: 3752ef42c67dd709ff65fd6dd2537be2
- SHA1: 23d5b22a7313e192c2597b27116b529e08a7ea49
- SHA256: 21ee2e04eb4326e9685d9f8bde7bb614f4e7f4897ca92b6294158b6744d7ba6e
- SHA512: c8801e346c6b7456718f34234f62301ad7ee9e6af0030ed81d6870571a023766b83d99436b6ce192c401e873cb3e5dbb67cdd0971cd6667ec03d618cea32f67b

File 2
- Filesize: 325KB
- MD5: eba03edbe1e91c3b7558a2385cff60aa
- SHA1: a221c21726e26c190ee58f5164ea5df0cdb224bf
- SHA256: 908cf6fe4d40f48de3fb90fc70844936b94002f8eeed584f166e88b839828f59
- SHA512: 6059dd5a8e9e9df34a7dcf3047cf7658168b1e1f21984b18ddda071e9a6cd3f350b9b7000089314aa2b3c3a3def73105b61884a614c264b368c50dcf4a7cf7df

File 3
- Filesize: 383KB
- MD5: 96a93f98b9baf300b58123610c7ffc00
- SHA1: f72f2cb14995e0850c9599d10b1796f684efb12f
- SHA256: 4afe5cda349802964c7ff50cd89efc9fcca6261abd9e73c79dafffd07de63cc7
- SHA512: 16c65a34fad8b7393eac23be6dcec03491dd2475c30d5bc4f70a850d2335194ab7b1dc01d45d2741b27d9f48b17524f63cf2fae0727a288ab0932a86864fe0b8