Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 20:50
Static task: static1
Behavioral task: behavioral1
Sample: b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe
Resource: win10v2004-20241007-en
General
Target: b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe
Size: 659KB
MD5: 33d4020b09563bd82ee8abf5b76d1560
SHA1: fa5cebacdf301a8b7cfe2dc9a03807c6bd67b9bc
SHA256: b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41
SHA512: 5eb2adfe75544ea876bebd1ed27a399b51665306a941fd1690964c59df2139b49ca56016042855f4e6b63a35aafd0dc1a7092bd85494bca21ace5b168a801bbb
SSDEEP: 12288:IMriy90JU30vm4zyzvWW+8T4e/PBTELFt59/rwJZNCXAVft/juC4j1:qygO0vm44ve3U4Zt5RuZUXyBrI1
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1582.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1582.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
3772 | un932477.exe
1120 | pro1582.exe
444 | qu4835.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1582.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un932477.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4836 | 1120 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro1582.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu4835.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un932477.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1120 | pro1582.exe
1120 | pro1582.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1120 | pro1582.exe
Token: SeDebugPrivilege | 444 | qu4835.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4020 wrote to memory of 3772 | 4020 | b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe | 84
PID 4020 wrote to memory of 3772 | 4020 | b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe | 84
PID 4020 wrote to memory of 3772 | 4020 | b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe | 84
PID 3772 wrote to memory of 1120 | 3772 | un932477.exe | 85
PID 3772 wrote to memory of 1120 | 3772 | un932477.exe | 85
PID 3772 wrote to memory of 1120 | 3772 | un932477.exe | 85
PID 3772 wrote to memory of 444 | 3772 | un932477.exe | 97
PID 3772 wrote to memory of 444 | 3772 | un932477.exe | 97
PID 3772 wrote to memory of 444 | 3772 | un932477.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\b5e7994a8e5d271d363f8087259401d813b6c7f1ac78f05a6694c7b01eee0a41.exe"
  PID: 4020
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un932477.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un932477.exe
    PID: 3772
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1582.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1582.exe
      PID: 1120
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1080
        PID: 4836
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4835.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4835.exe
      PID: 444
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1120 -ip 1120
  PID: 3828
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads