Analysis
max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-11-2024 13:30
Static task
static1
Behavioral task
behavioral1
Sample
304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe
Resource
win10v2004-20241007-en
General
Target
304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe
Size
1.4MB
MD5
bbf24d5445fad8476bd1bae77f1bd449
SHA1
edc5eb3a5cbafa3ea45d6cfcb00ed770ad212193
SHA256
304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25
SHA512
e4dffd2dc4a6b1d60f579297846f9470c09608c6cc451ba66131394c317b9ed4f65b5c9ca9364bcfd88ce39368a93755179ec31bba42cc68853874b700d72e3c
SSDEEP
24576:rywAUnOpItG/wN31z+PVueJdJjAysjfTPaMNd6twMiuAN6P4OCtBbNXH0HAESHNE:eOOv/a31zUdJc6vavbxoStEl
Malware Config
Extracted
Family
redline
Botnet
maxbi
C2
185.161.248.73:4164
Attributes
auth_value
6aa7dba884fe45693dfa04c91440daef
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/4952-36-0x0000000002380000-0x000000000239A000-memory.dmp  healer
behavioral1/memory/4952-38-0x0000000004DB0000-0x0000000004DC8000-memory.dmp  healer
behavioral1/memory/4952-62-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-64-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-60-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-59-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-56-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-54-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-52-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-51-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-48-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-46-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-44-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-42-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-66-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-40-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
behavioral1/memory/4952-39-0x0000000004DB0000-0x0000000004DC2000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description      ioc  Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a29347295.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a29347295.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a29347295.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a29347295.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a29347295.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a29347295.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource  yara_rule
behavioral1/files/0x0007000000023cd1-71.dat  family_redline
behavioral1/memory/2672-73-0x0000000000FC0000-0x0000000000FF0000-memory.dmp  family_redline
Redline family
Executes dropped EXE (6 IoCs)
pid   Process
212   i03814919.exe
4828  i88432761.exe
2380  i31511900.exe
3320  i05295996.exe
4952  a29347295.exe
2672  b94018008.exe
Windows security modification (2 IoCs)
description      ioc  Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a29347295.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a29347295.exe
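The two Defender signatures above (the Real-Time Protection policy values set to 1, and TamperProtection set to 0 under Features) are the whole of the impairment step that gives Healer its name. The Python below is an added example, not code from the Triage report or from the sample: it parses registry events written in the report's own wording (the records are reconstructed here from the entries above, plus one "Key opened" line from the System Language Discovery signature as a control), flags the ones that weaken Defender, and translates the observed `\REGISTRY\MACHINE\...` paths into the HKLM: paths a responder would check. Two caveats it encodes: the writes are recorded under WOW6432Node because a29347295.exe runs as a 32-bit process under WOW64, so both that view and the native path need checking on the host (HKLM\SOFTWARE\Microsoft\Windows Defender is subject to WOW64 registry redirection, so a 32-bit writer of TamperProtection = 0 does not reach the key Defender reads), and Tamper Protection is designed to reject exactly these policy changes, so the presence of the values does not by itself prove real-time protection was off; Get-MpComputerStatus settles that. The PowerShell emitted by remediation() assumes an elevated session on a host where Defender is the active AV.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Registry events in the wording the Triage report uses. Constructed for this
# example from the two Defender signatures above, plus one "Key opened" line
# (from the System Language Discovery signature) as a control that must not
# be flagged.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [
    f"Key created {RTP} a29347295.exe",
    f'Set value (int) {RTP}\\DisableBehaviorMonitoring = "1" a29347295.exe',
    f'Set value (int) {RTP}\\DisableIOAVProtection = "1" a29347295.exe',
    f'Set value (int) {RTP}\\DisableOnAccessProtection = "1" a29347295.exe',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" a29347295.exe',
    f'Set value (int) {RTP}\\DisableScanOnRealtimeEnable = "1" a29347295.exe',
    f"Key created {FEATURES} a29347295.exe",
    f'Set value (int) {FEATURES}\\TamperProtection = "0" a29347295.exe',
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b94018008.exe",
]

# "<op> <native key path>[ = "<data>"] <process>"; the path is matched lazily so
# that keys containing spaces ("Windows Defender") still parse.
EVENT_RE = re.compile(
    r"^(?P<op>Key created|Key opened|Set value \((?:int|str)\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r"\s+(?P<process>\S+)$"
)


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str

    @property
    def is_set(self) -> bool:
        return self.op.startswith("Set value")

    @property
    def key(self) -> str:
        # for "Set value" the path is key\valuename; otherwise it is the key itself
        return self.path.rsplit("\\", 1)[0] if self.is_set else self.path

    @property
    def name(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[1] if self.is_set else None


def parse_event(line: str) -> RegEvent:
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised registry event: {line!r}")
    return RegEvent(m["op"], m["path"], m["value"], m["process"])


RTP_POLICY_KEY = "\\policies\\microsoft\\windows defender\\real-time protection"
FEATURES_KEY = "\\microsoft\\windows defender\\features"


def classify(ev: RegEvent) -> Optional[str]:
    """Label an event that weakens Defender; None for anything else."""
    if not ev.is_set:               # creating or opening a key changes nothing by itself
        return None
    key, name = ev.key.lower(), ev.name.lower()
    if key.endswith(RTP_POLICY_KEY) and name.startswith("disable") and ev.value == "1":
        return "defender_realtime_policy_disabled"
    if key.endswith(FEATURES_KEY) and name == "tamperprotection" and ev.value == "0":
        return "defender_tamper_protection_off"
    return None


HKLM_NATIVE = "\\REGISTRY\\MACHINE\\"


def host_paths(key: str) -> Tuple[str, str]:
    """(key as observed, key in the 64-bit view) as HKLM: paths.

    The sandbox recorded the 32-bit (WOW6432Node) view because the writer is a
    32-bit process; a responder has to look at both views on the host.
    """
    if not key.upper().startswith(HKLM_NATIVE):
        raise ValueError("only HKLM keys are handled here")
    observed = "HKLM:\\" + key[len(HKLM_NATIVE):]
    native = observed.replace("\\WOW6432Node\\", "\\", 1)
    return observed, native


def triage(lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for ev in map(parse_event, lines):
        label = classify(ev)
        if label is None:
            continue
        observed, native = host_paths(ev.key)
        findings.append({"label": label, "process": ev.process, "name": ev.name,
                         "observed": observed, "native": native})
    return findings


def remediation(findings: List[Dict[str, str]]) -> List[str]:
    """PowerShell for an elevated session (assumption: Defender is the active AV).

    Policy values are removed from both views. TamperProtection is not a value
    to edit back, so the state is verified through the Defender cmdlet instead.
    """
    cmds = []
    for f in findings:
        if f["label"] == "defender_realtime_policy_disabled":
            for path in dict.fromkeys((f["observed"], f["native"])):   # dedupe, keep order
                cmds.append(f"Remove-ItemProperty -Path '{path}' -Name '{f['name']}' "
                            "-ErrorAction SilentlyContinue")
    cmds.append("Get-MpComputerStatus | Select-Object IsTamperProtected, RealTimeProtectionEnabled")
    return cmds
```

Run `triage(SAMPLE_EVENTS)` to get the six findings (five policy values plus the TamperProtection write); `remediation()` then yields ten Remove-ItemProperty lines, one per view per policy value, followed by the status check. The key-create and key-open records parse but are not flagged, which is the behaviour wanted from a hunting rule: the signature fires on the value data, not on a process touching the key.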
Adds Run key to start application (2 TTPs, 5 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  i03814919.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  i88432761.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  i31511900.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  i05295996.exe
Program crash (1 IoCs)
pid   pid_target  Process       procid_target
4424  4952        WerFault.exe  90
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b94018008.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i03814919.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i88432761.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i31511900.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i05295996.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a29347295.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4952  a29347295.exe
4952  a29347295.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4952  a29347295.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process  procid_target
PID 4552 wrote to memory of 212   4552  304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe  84
PID 4552 wrote to memory of 212   4552  304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe  84
PID 4552 wrote to memory of 212   4552  304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe  84
PID 212 wrote to memory of 4828   212   i03814919.exe  85
PID 212 wrote to memory of 4828   212   i03814919.exe  85
PID 212 wrote to memory of 4828   212   i03814919.exe  85
PID 4828 wrote to memory of 2380  4828  i88432761.exe  86
PID 4828 wrote to memory of 2380  4828  i88432761.exe  86
PID 4828 wrote to memory of 2380  4828  i88432761.exe  86
PID 2380 wrote to memory of 3320  2380  i31511900.exe  88
PID 2380 wrote to memory of 3320  2380  i31511900.exe  88
PID 2380 wrote to memory of 3320  2380  i31511900.exe  88
PID 3320 wrote to memory of 4952  3320  i05295996.exe  90
PID 3320 wrote to memory of 4952  3320  i05295996.exe  90
PID 3320 wrote to memory of 4952  3320  i05295996.exe  90
PID 3320 wrote to memory of 2672  3320  i05295996.exe  99
PID 3320 wrote to memory of 2672  3320  i05295996.exe  99
PID 3320 wrote to memory of 2672  3320  i05295996.exe  99
Processes
Process tree: one indentation level per parent; the number in brackets is the nesting level reported by the sandbox.

[1] C:\Users\Admin\AppData\Local\Temp\304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\304803e5d6df565e029d25e604b007721d002348a6702067648718d0e5484d25.exe"
    PID 4552
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i03814919.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i03814919.exe
      PID 212
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88432761.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88432761.exe
        PID 4828
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i31511900.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i31511900.exe
          PID 2380
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i05295996.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i05295996.exe
            PID 3320
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a29347295.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a29347295.exe
              PID 4952
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1084
                PID 4424
                - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b94018008.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b94018008.exe
              PID 2672
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4952 -ip 4952
    PID 4368
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize  1.3MB
MD5       925ff33187898d082fa24cfc00203a1b
SHA1      6ecefff833ef445dbb15430d8b95de493e1ef41b
SHA256    b1366804e93065ee1e1ad3ca8d6dbc19c9c2b3cd1bf450dbbc7f0f45eda461be
SHA512    20ca383be2b57f858d3ad8966a240d51f271f48e15e74388eb65932bda3e4c37f086cc7d0bd88c5299ec88b288891254ee4cf60a07a13c2ed48e2abd787202bb

Filesize  1.1MB
MD5       0a33d99ed45a0879ca85fab5d51bf81c
SHA1      0bf339db9426e61e8568a2941243d17f28a9f8d6
SHA256    5f7d164afbf995c5ebe6262450daf2d57e5e98b54fa1701a1aa883c619b828b8
SHA512    ee8967ae524521ffed72d508b010616e5519aa25715b1a5a26e3a964fca0a97ec160332e37a932c362e294d647c8ae98eef5549c0d6753762e9ba50793018152

Filesize  645KB
MD5       367a9208462621a5f007b05e4d537186
SHA1      d73e59a599b41c79491c733d4884ceb51b8067c3
SHA256    46e43a1824200a2fa85fd85eaefb84849b6d8972201c00733acf9968dde837d0
SHA512    48d8ac3583c5f8a3d87b9a52a5ef26304da6d02eed78f356e758cda618bff50b142037272051c3bdc8b30b065ed93a6d52eaa79c773424ffe0fc23689177603d

Filesize  385KB
MD5       747cb61d39c10607680d92a84a5c25e6
SHA1      e8d8bd2ae8acdc38823558a35ba321c51175ff0c
SHA256    f8240ebd2b76e7930dcebe95a17302c6fa2db7d53bfdf92087ebaa6123f291e5
SHA512    c9bf6b0b91b3c74e7418a97dd5c3034058e9546e7e07b79c5417a6f51b3768de065b52f66ff64713fef787a4638d1e8288964c60c2088f3e85ec5be18d80b01b

Filesize  294KB
MD5       f844987e75167b54d9192090b1fd901a
SHA1      42dbea33a863a8e13511ac93278f89339d52af00
SHA256    1169b30278dd044c5a58a995497da74085162c8e896383f29c3b0350efccca98
SHA512    bc79f7ce46dca4ccff43c7227c63f1a8c7e9f3eb61b38f514558575c36e929634e18d17a0dbaf2c50c594828b9188116d9daf3d4ee3f851b714dd1f6108d1712

Filesize  168KB
MD5       3d6eebbdabba5a1136d9c35b08c5c09a
SHA1      dedb5f6799bde7202a605a6178ca4db227515a78
SHA256    a1431a7a68c771988cd97bb559db704bb3bf457f2a6e41c5c25882ce15052fe8
SHA512    472338739903a5aae66000179fb806af5b3ec479610d36d306617a9bb425ce6552b3b95257e93be1c9ba0498aa905191b37b2039e1eb41991286223c6ad2f0a1