Analysis
max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04-11-2024 14:00
Static task
static1
Behavioral task
behavioral1
Sample
63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe
Resource
win10v2004-20241007-en
General
Target
63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe
Size
686KB
MD5
495933cbb4645711b42aee0d9026d5cf
SHA1
466e4894ed6b459fa1162d4173656d6bb008774a
SHA256
63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff
SHA512
0ca1212d4c111978aa58ba913ac46b837bea6054d5039f11c4721e293d1c1f42e25f6eb0d0b66253ef556cf35adbf644113b35e59e985f5e50cb725fd65ff29d
SSDEEP
12288:TMryy90qrishfkwzcK0SEu2a+WWVQhTSfFu+yzpqxth4v2Th3iO:ByxfkwV0PIWyh2FOc3L
Malware Config
Extracted
Family
redline
Botnet
boris
C2
193.233.20.32:4125
Attributes
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource yara_rule
behavioral1/memory/3776-17-0x0000000004B70000-0x0000000004B8A000-memory.dmp healer
behavioral1/memory/3776-20-0x0000000004E00000-0x0000000004E18000-memory.dmp healer
behavioral1/memory/3776-36-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-48-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-46-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-42-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-40-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-38-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-34-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-32-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-30-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-28-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-26-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-24-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-22-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-21-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
behavioral1/memory/3776-45-0x0000000004E00000-0x0000000004E12000-memory.dmp healer
All 17 matches are in the memory of PID 3776 (pro0703.exe).
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro0703.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro0703.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro0703.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro0703.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro0703.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro0703.exe
Each value is a Defender Real-Time Protection policy; setting it to 1 switches that protection off. On a host where Defender Tamper Protection is enabled (the default on Windows 10 2004) these policy writes are ignored, so the signature records the attempt rather than a confirmed bypass.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule
behavioral1/memory/4304-60-0x0000000004910000-0x0000000004956000-memory.dmp family_redline
behavioral1/memory/4304-61-0x0000000007750000-0x0000000007794000-memory.dmp family_redline
behavioral1/memory/4304-63-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-62-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-95-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-93-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-91-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-89-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-87-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-85-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-83-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-81-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-79-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-77-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-75-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-71-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-69-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-67-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-65-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
behavioral1/memory/4304-73-0x0000000007750000-0x000000000778F000-memory.dmp family_redline
All 20 matches are in the memory of PID 4304 (qu9626.exe), the process that carries the extracted RedLine config.
Redline family
-
Executes dropped EXE 3 IoCs
pid Process
4768 un137113.exe
3776 pro0703.exe
4304 qu9626.exe
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro0703.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro0703.exe
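A check a responder can run over registry events in this report's format, added here as an example (it is not part of the sandbox report or of any vendor tooling): it parses "Set value" lines, which are constructed below from the Real-Time Protection and Features signatures above, and flags the policy values that Healer sets to 1 together with the TamperProtection feature value it sets to 0. The parsing regex, the value-name lists and the two benign sample lines are assumptions of this example, not a published rule.

```python
"""Flag Windows Defender tampering in sandbox-style registry events.

Added example; not part of the original report. The regex and value lists
below are this example's own assumptions, modelled on the report's lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Real-Time Protection policy values a Healer-style dropper sets to "1"
# (each one switches a Defender protection off).
DISABLE_WHEN_ONE = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Features value the dropper sets to "0" to switch tamper protection off.
DISABLE_WHEN_ZERO = {"TamperProtection"}

# One "Set value" event as printed in the report:
#   Set value (int) \REGISTRY\...\Real-Time Protection\DisableIOAVProtection = "1" pro0703.exe
# Key paths contain spaces ("Windows Defender"), so the path is matched lazily
# up to the last backslash and the value name may not contain one.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s+'
    r'(?P<path>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?)\s*=\s*'
    r'"(?P<value>[^"]*)"\s+(?P<proc>\S+)$'
)


@dataclass(frozen=True)
class RegWrite:
    process: str
    path: str   # key path without the value name
    name: str   # value name
    value: str  # value data as the report prints it


def parse_set_value(line: str) -> Optional[RegWrite]:
    """Parse one report line; 'Key created' and other events return None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return RegWrite(m["proc"], m["path"], m["name"], m["value"])


def is_defender_tamper(w: RegWrite) -> bool:
    """True when the write disables a Defender protection or tamper protection."""
    if "windows defender" not in w.path.lower():
        return False
    if w.name in DISABLE_WHEN_ONE and w.value == "1":
        return True
    return w.name in DISABLE_WHEN_ZERO and w.value == "0"


def defender_tamper_writes(lines: List[str]) -> List[RegWrite]:
    """All Defender-disabling writes in a list of report lines, in order."""
    found = []
    for line in lines:
        w = parse_set_value(line)
        if w is not None and is_defender_tamper(w):
            found.append(w)
    return found


# Constructed sample: the report's six Defender writes plus two benign writes
# (a Defender value set back to 0 and an unrelated Explorer setting) and a
# "Key created" event, which the parser skips.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [
    f"Key created {RTP} pro0703.exe",
    f'Set value (int) {RTP}\\DisableBehaviorMonitoring = "1" pro0703.exe',
    f'Set value (int) {RTP}\\DisableIOAVProtection = "1" pro0703.exe',
    f'Set value (int) {RTP}\\DisableOnAccessProtection = "1" pro0703.exe',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" pro0703.exe',
    f'Set value (int) {RTP}\\DisableScanOnRealtimeEnable = "1" pro0703.exe',
    f'Set value (int) {FEATURES}\\TamperProtection = "0" pro0703.exe',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "0" MpCmdRun.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

if __name__ == "__main__":
    for w in defender_tamper_writes(SAMPLE_EVENTS):
        print(f"{w.process}: {w.name} = {w.value}")
```

Run stand-alone it prints the six writes, all from pro0703.exe. The match is deliberately on value name and data rather than on the exact key path, so the same check works whether the key is logged under WOW6432Node or under the native SOFTWARE hive.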
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un137113.exe
Both RunOnce values are the cleanup entries written by the Windows self-extractor (wextract) that packages the outer sample and the nested un137113.exe: each calls DelNodeRunDLL32 in advpack.dll to delete its IXP00n.TMP extraction directory at the next logon. They remove the dropped files rather than persist the payload; this run records no autostart entry for pro0703.exe or qu9626.exe.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un137113.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro0703.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu9626.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3776 pro0703.exe
3776 pro0703.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 3776 pro0703.exe
Token: SeDebugPrivilege 4304 qu9626.exe
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 4464 wrote to memory of 4768 4464 63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe 86
PID 4464 wrote to memory of 4768 4464 63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe 86
PID 4464 wrote to memory of 4768 4464 63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe 86
PID 4768 wrote to memory of 3776 4768 un137113.exe 87
PID 4768 wrote to memory of 3776 4768 un137113.exe 87
PID 4768 wrote to memory of 3776 4768 un137113.exe 87
PID 4768 wrote to memory of 4304 4768 un137113.exe 96
PID 4768 wrote to memory of 4304 4768 un137113.exe 96
PID 4768 wrote to memory of 4304 4768 un137113.exe 96
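The parent/child chain that the report's process list shows can be rebuilt from these events alone. The following is an added example (not from the report or its tooling): it parses event lines constructed in the report's format, collapses the three repeated events per parent/child pair, and renders the tree. The pid-to-name map for the dropped files is taken from "Executes dropped EXE" above; the regex and the rendering are this example's own assumptions.

```python
"""Rebuild the process chain from a sandbox's WriteProcessMemory events.

Added example; not part of the original report. The event lines are
constructed from the "Suspicious use of WriteProcessMemory" signature.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One event as the report prints it (pid, process and procid_target columns):
#   PID 4464 wrote to memory of 4768 4464 <writer process name> 86
# The writer pid is repeated; the trailing number is the sandbox's own
# index for the target process and is not needed here.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<proc>\S+) (?P<target>\d+)$"
)


def parse_write_events(lines: List[str]) -> Tuple[Set[Tuple[int, int]], Dict[int, str]]:
    """Return the set of (writer pid, target pid) edges and writer pid -> name.

    The report lists each parent/child pair three times; collecting the
    edges in a set collapses the repeats.
    """
    edges: Set[Tuple[int, int]] = set()
    names: Dict[int, str] = {}
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges.add((src, dst))
        names[src] = m["proc"]
    return edges, names


def build_tree(edges: Set[Tuple[int, int]]) -> Tuple[List[int], Dict[int, List[int]]]:
    """Roots (pids nobody wrote into) and an ordered child map."""
    children: Dict[int, List[int]] = defaultdict(list)
    targets: Set[int] = set()
    for src, dst in sorted(edges):
        children[src].append(dst)
        targets.add(dst)
    roots = sorted({src for src, _ in edges} - targets)
    return roots, children


def render_tree(lines: List[str], known_names: Dict[int, str]) -> List[str]:
    """Indented tree; known_names supplies names for pids that never write."""
    edges, names = parse_write_events(lines)
    names = {**known_names, **names}
    roots, children = build_tree(edges)
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append("  " * depth + f"{names.get(pid, '<unknown>')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


# Constructed sample: the nine events from the signature above.
ROOT = "63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe"
SAMPLE_EVENTS = (
    [f"PID 4464 wrote to memory of 4768 4464 {ROOT} 86"] * 3
    + ["PID 4768 wrote to memory of 3776 4768 un137113.exe 87"] * 3
    + ["PID 4768 wrote to memory of 4304 4768 un137113.exe 96"] * 3
)
# Names of the dropped executables, from "Executes dropped EXE".
DROPPED = {4768: "un137113.exe", 3776: "pro0703.exe", 4304: "qu9626.exe"}

if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS, DROPPED)))
```

Run stand-alone it prints the root sample, un137113.exe under it, and pro0703.exe and qu9626.exe as siblings under un137113.exe, which is the tree the report shows. Writer names come from the events themselves; leaf processes never write into anything, so their names must be supplied from another table, here the dropped-EXE list.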
Processes
-
C:\Users\Admin\AppData\Local\Temp\63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe
command line: "C:\Users\Admin\AppData\Local\Temp\63a00873cc1270cd2a48b7965f2f1562b7814bd25bebed0f75193f3fbbda9cff.exe"
PID: 4464
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un137113.exe (child of PID 4464)
  command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un137113.exe
  PID: 4768
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0703.exe (child of PID 4768)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0703.exe
    PID: 3776
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9626.exe (child of PID 4768)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9626.exe
    PID: 4304
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
Filesize
544KB
MD5
918d7ab087dbdc9aefd54cf4de3b768e
SHA1
6d7372f0b54589274fbebb9c3354f6b463af9913
SHA256
f729d741714fcf952c7667f757dadedc330b2a468f6ec596193f3216fa11496d
SHA512
0d7b7a08896da8d5f06d2762b7a12cd897291c7a00a37033bd142b88eec72a1150af3966987b3a8e0dfbafc57565cbfd3820b3ab49ec4e4b8e9dd93e0259e3b3
Filesize
325KB
MD5
9dd97dadd9043419e319dc23b7621701
SHA1
8bcb7077b8c7cb499f6c6bb1ddc41695140e69d2
SHA256
f53c3661765f239c87a03efca7d09c6dc8612dc139e525b1d82474087d72adc4
SHA512
d4cdd0885af8a19f5fcb70bdb3a2ffe9ec4dc4c2c0d19a0e6ac962359c16fafaa753a3af8f8bce3c378d0a822906b27d1d51713f58c03dce6d6278e56b7b2122
Filesize
384KB
MD5
b1edc0b3ae58f2e2300e961535f5708b
SHA1
e49db808705a80a403f89aaae9bdcf937d223bf3
SHA256
37b240e9c975ba120c22661098baa6443e21463c3bfe8b18d07c6c8fd308856a
SHA512
daa995fd2b7258bc3d091baabc3a4ce07bfe18b945ae09e61ab37a82e738ffb916eede75ea1bb03a8ef63ee8b0f3e667a8cbefa0856f11c052e26328838b2081