Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 14:01
Static task: static1
Behavioral task: behavioral1
Sample: 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe
Resource: win10v2004-20241007-en
General
Target: 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe
Size: 686KB
MD5: 007333c21209198d69044e59e47ca794
SHA1: b4f1cace1aed198eb225fbb7870077d47eee421e
SHA256: 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189
SHA512: 6dd3c56788d12314d1db2c7f7ad6443ff6bd50bf15d0859baf140c3ea45e29ae10158a634e12027b66baed0919095073dc0d9fe49e9f2180da051d8661c1154c
SSDEEP: 12288:WMr3y90y2ROiHObuTNIvojnzxRdmOH1hcyMKK96HdPNGyCU:dyNe3LU21R4I1hzARI
Malware Config
Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description     | ioc                                                                                                                                   | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   | pro0343.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0343.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                   | pro0343.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   | pro0343.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       | pro0343.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   | pro0343.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid  | Process
1688 | un279627.exe
400  | pro0343.exe
2836 | qu7418.exe

Windows security modification (2 IoCs)
description     | ioc                                                                                           | Process
Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                    | pro0343.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0343.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description     | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un279627.exe
Program crash (1 IoC)
pid  | pid_target | Process      | procid_target
5072 | 400        | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                                | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | un279627.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | pro0343.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | qu7418.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        | 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
400 | pro0343.exe
400 | pro0343.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              | pid  | Process
Token: SeDebugPrivilege  | 400  | pro0343.exe
Token: SeDebugPrivilege  | 2836 | qu7418.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          | pid  | Process                                                              | procid_target
PID 3612 wrote to memory of 1688     | 3612 | 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe | 84
PID 3612 wrote to memory of 1688     | 3612 | 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe | 84
PID 3612 wrote to memory of 1688     | 3612 | 11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe | 84
PID 1688 wrote to memory of 400      | 1688 | un279627.exe                                                         | 85
PID 1688 wrote to memory of 400      | 1688 | un279627.exe                                                         | 85
PID 1688 wrote to memory of 400      | 1688 | un279627.exe                                                         | 85
PID 1688 wrote to memory of 2836     | 1688 | un279627.exe                                                         | 96
PID 1688 wrote to memory of 2836     | 1688 | un279627.exe                                                         | 96
PID 1688 wrote to memory of 2836     | 1688 | un279627.exe                                                         | 96
Processes

- C:\Users\Admin\AppData\Local\Temp\11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe (PID 3612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d7c4f9cab38b5a6bbb7f40f2bc09bd2c40831e3925b0d832d41bbf70bd8189.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un279627.exe (PID 1688)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un279627.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0343.exe (PID 400)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0343.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 5072)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1080
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7418.exe (PID 2836)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7418.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 404)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 400 -ip 400
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads