Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2024, 20:53
Static task
static1
Behavioral task
behavioral1
Sample
dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe
Resource
win10v2004-20241007-en
General
-
Target
dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe
-
Size
689KB
-
MD5
c7049d8fe7c23baf761a33f0f35187ff
-
SHA1
68eb6e30e12b2a3ffa1726b479f6f9c02cbceab2
-
SHA256
dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d
-
SHA512
c3a62797e1cb0e371b0199b2bd7b8c8cbcae91b60247edd24fa457cb08398927c204ffe545fb7af1f7d01241d2ccf69329939d974e1dccfaa7e171a129112c15
-
SSDEEP
12288:DMrgy90+MD1ExuftThmcZ1x5NRgGSylfxbZB3hio1V4T5zCYscOuLfKyPMAE+cCz:ryJMOuft9rr5NJ1lRZ1z4UYscOqbPMAb
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2808-19-0x0000000002410000-0x000000000242A000-memory.dmp healer behavioral1/memory/2808-21-0x0000000002840000-0x0000000002858000-memory.dmp healer behavioral1/memory/2808-25-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-47-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-45-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-43-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-42-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-39-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-37-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-49-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-35-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-33-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-31-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-27-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-23-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-22-0x0000000002840000-0x0000000002852000-memory.dmp healer behavioral1/memory/2808-29-0x0000000002840000-0x0000000002852000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6811.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro6811.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6811.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6811.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6811.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6811.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4676-60-0x0000000002A70000-0x0000000002AB6000-memory.dmp family_redline behavioral1/memory/4676-61-0x0000000005450000-0x0000000005494000-memory.dmp family_redline behavioral1/memory/4676-65-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-73-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-96-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-93-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-91-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-89-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-87-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-86-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-83-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-81-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-77-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-75-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-71-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-69-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-67-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-79-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-63-0x0000000005450000-0x000000000548F000-memory.dmp family_redline behavioral1/memory/4676-62-0x0000000005450000-0x000000000548F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4808 un172409.exe 2808 pro6811.exe 4676 qu5999.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6811.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6811.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un172409.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1620 2808 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un172409.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro6811.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu5999.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2808 pro6811.exe 2808 pro6811.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2808 pro6811.exe Token: SeDebugPrivilege 4676 qu5999.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3060 wrote to memory of 4808 3060 dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe 84 PID 3060 wrote to memory of 4808 3060 dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe 84 PID 3060 wrote to memory of 4808 3060 dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe 84 PID 4808 wrote to memory of 2808 4808 un172409.exe 85 PID 4808 wrote to memory of 2808 4808 un172409.exe 85 PID 4808 wrote to memory of 2808 4808 un172409.exe 85 PID 4808 wrote to memory of 4676 4808 un172409.exe 92 PID 4808 wrote to memory of 4676 4808 un172409.exe 92 PID 4808 wrote to memory of 4676 4808 un172409.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe"C:\Users\Admin\AppData\Local\Temp\dc41cb7649cef3eafbd6bbb98711f8405d6072da7fe5e557001da0c27966553d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un172409.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un172409.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6811.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6811.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 10924⤵
- Program crash
PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5999.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5999.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2808 -ip 28081⤵PID:1012
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
536KB
MD568d2205e9726aca1758625ca51b7d63d
SHA1424e36ce69f0c64992b36697767a1c5b35e2c361
SHA2560c8fee303e59a0047ba4f22a4dcc83bfc3a1cded078712a022ffe325e9336e0d
SHA512415c3a2b263a9c901929defdf5c8e4def6d252938cab9054aaf6207efdb6417490ff02d85c0574023798bebdef3e1ce181c165bb0c9256d414f58af19c2c7ae3
-
Filesize
312KB
MD55300d3477af652f468b8aabad3ced01e
SHA1c5733b467b45efb40f175c30034e7ff66bcf87c4
SHA2565aeaf1a4b2aaa35a6596e5bf0a84bb98280293af08b64a788352789076e9e053
SHA512af71ad8569977347ff6f1904d028daa59b210de6ca2cd8fa7785d927e7236994ff39ab65aebdc7e104d8256802c1de78dfb80d1c0ad7ba23a4f593efac8f99bc
-
Filesize
370KB
MD5fd471499e0aa36147d4e25c9708a504a
SHA1f8332f614d4dc1e9b320600c006bc9ca5403f663
SHA2567f8bdbb25e926604513d52045d990f44c8914f4d51ee275aa4df4bc0b7fc2de4
SHA512fadfd947f043e59fd57b5e91ca6b4137b8afa09ea251c56a48317126e0ce042f4600accffc381eeafd54edfaf506cb2478adedf1bc4a08afddaa29d08b52e70e