Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:37
Static task: static1
Behavioral task: behavioral1
Sample: d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe
Resource: win10v2004-20241007-en
General
Target: d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe
Size: 834KB
MD5: bf1bdeb6cf724ff26483f2495629bae0
SHA1: 4c3ae9c8e009b8323ab003d13d11e4985b9cfcac
SHA256: d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93
SHA512: f1b010530d6646b3b03f58b7d9406ec96aebd8cb5ffbb64c9a5582961b8cc765d6212b55584346781477efb7877864a7babea987ef5ace66e22ef0b63142ceff
SSDEEP: 12288:BMr1y9078z2ptzWIyxZQKgFlxGctd6ZKo8jVrCse5Azekr9zunul3GURIocwDDc4:Qyq8KJyxyKgFltd+8IWvtEaV/eG
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e
Signatures

Detects Healer an antivirus disabler dropper 19 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b5d-19.dat | healer
behavioral1/memory/3996-22-0x00000000006D0000-0x00000000006DA000-memory.dmp | healer
behavioral1/memory/4264-29-0x00000000025A0000-0x00000000025BA000-memory.dmp | healer
behavioral1/memory/4264-31-0x0000000002880000-0x0000000002898000-memory.dmp | healer
behavioral1/memory/4264-32-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-39-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-59-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-57-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-55-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-53-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-51-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-49-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-47-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-45-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-43-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-41-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-37-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-35-0x0000000002880000-0x0000000002892000-memory.dmp | healer
behavioral1/memory/4264-33-0x0000000002880000-0x0000000002892000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1044.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | qu4690.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qu4690.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | qu4690.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qu4690.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qu4690.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1044.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1044.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1044.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | qu4690.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1044.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1044.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4504-67-0x0000000002890000-0x00000000028D6000-memory.dmp | family_redline
behavioral1/memory/4504-68-0x0000000004E50000-0x0000000004E94000-memory.dmp | family_redline
behavioral1/memory/4504-70-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-84-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-102-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-100-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-98-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-96-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-92-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-90-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-89-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-86-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-82-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-80-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-78-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-76-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-74-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-72-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-94-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline
behavioral1/memory/4504-69-0x0000000004E50000-0x0000000004E8E000-memory.dmp | family_redline

Redline family

Executes dropped EXE 5 IoCs
pid | Process
4084 | unio9200.exe
4172 | unio1580.exe
3996 | pro1044.exe
4264 | qu4690.exe
4504 | rAM58s61.exe

Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1044.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | qu4690.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | qu4690.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio9200.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | unio1580.exe

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4916 | 4264 | WerFault.exe | 94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio9200.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio1580.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu4690.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rAM58s61.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3996 | pro1044.exe
3996 | pro1044.exe
4264 | qu4690.exe
4264 | qu4690.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3996 | pro1044.exe
Token: SeDebugPrivilege | 4264 | qu4690.exe
Token: SeDebugPrivilege | 4504 | rAM58s61.exe

Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 3808 wrote to memory of 4084 | 3808 | d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe | 84
PID 3808 wrote to memory of 4084 | 3808 | d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe | 84
PID 3808 wrote to memory of 4084 | 3808 | d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe | 84
PID 4084 wrote to memory of 4172 | 4084 | unio9200.exe | 85
PID 4084 wrote to memory of 4172 | 4084 | unio9200.exe | 85
PID 4084 wrote to memory of 4172 | 4084 | unio9200.exe | 85
PID 4172 wrote to memory of 3996 | 4172 | unio1580.exe | 86
PID 4172 wrote to memory of 3996 | 4172 | unio1580.exe | 86
PID 4172 wrote to memory of 4264 | 4172 | unio1580.exe | 94
PID 4172 wrote to memory of 4264 | 4172 | unio1580.exe | 94
PID 4172 wrote to memory of 4264 | 4172 | unio1580.exe | 94
PID 4084 wrote to memory of 4504 | 4084 | unio9200.exe | 98
PID 4084 wrote to memory of 4504 | 4084 | unio9200.exe | 98
PID 4084 wrote to memory of 4504 | 4084 | unio9200.exe | 98
Processes
(process tree; indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe (depth 1, PID 3808)
Command line: "C:\Users\Admin\AppData\Local\Temp\d4af52b2dbe0e5ab1643840043ad2089810ce44167633013ce9247d79b5bff93.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9200.exe (depth 2, PID 4084)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9200.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1580.exe (depth 3, PID 4172)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio1580.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1044.exe (depth 4, PID 3996)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro1044.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4690.exe (depth 4, PID 4264)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu4690.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (depth 5, PID 4916)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rAM58s61.exe (depth 3, PID 4504)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rAM58s61.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2560)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4264 -ip 4264
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 692KB
MD5: 09111f97e7fa062e67c8d88cdf69a435
SHA1: 9b8a3db906e90e056ba172c0c8c4c4dcc194e23b
SHA256: 62d363166f012d0bf430c4a97ed11fa8a9244c5c9c5b85df621ed6976e139b37
SHA512: 9f81aaea8874d4272187c5121e52d6171b40defe852cf101e4dfb2a84e43b8445090d73bd48b340ca2a6ff565d547a1adeb0bc0c03cbce0f12ae7b3bb5ca8835

Filesize: 361KB
MD5: 0480028a20a64f30a234971feaedc1e3
SHA1: 44aa2f41c468dd7e1b5e512985683ea861a344e4
SHA256: 3206052f965a7322ff5eea6c14a95bb339726e544dbb941b58af9cd15c2da844
SHA512: 9030a449535511f5ac0e98345a2c98d5f06a48a98aaa34789406199b457f61e6146ed0f39a0433e5a671b0146cdf7da3b2347ee45b9201aca4bd51227cbb8f0e

Filesize: 343KB
MD5: beaccf1beab6844e0aa4a3246dfdb553
SHA1: 6f3622da12bc86dcda133c34094186fde557a686
SHA256: 54e86ddb0b92afe8f060fc9f7378c5d17aa2239d0d784d1349a123734eaf4588
SHA512: da06a9b73730b7e1a52f4af4c45a186d579ffb7201cfd862bce02e44150a7d1982cf16340ff363732bb5208a92556ec24da4f3129a1eafbfdba836c6fb282452

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 304KB
MD5: e7ff0f3e231676cd882a84bc2cc259b4
SHA1: ac614599ac72d9fdc56af7aed0599b83c9c7d366
SHA256: 840a0c1dab9209c79b6b362d34902a49ffbc753ae1f5323b7256d9d6d5ac0aa5
SHA512: 6d777b56b910ce33d91d5bb5fe73a2e6de7e865959bf57f5b692dc8bd5bab080e13ab96e1d87ba30a21df1d629130c2e9a1fef44e9cd2cc8d05d8eb5c1434272