Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 22:18
Static task
static1
Behavioral task
behavioral1
Sample
4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe
Resource
win10v2004-20241007-en
General
-
Target
4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe
-
Size
518KB
-
MD5
1a86b112df7dbd1a210d5cf5ec4319bb
-
SHA1
bc1c900a92746788fb89b50e9812726953892b58
-
SHA256
4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8
-
SHA512
3ae8cf98fa8cb136ac23421a5e2beab1dd799101d6c95dda8b4fd1cb633f30ba57c6525c904da4a92a199dc29fffc58368f6a7384cd55db6d4a7e2fdce9b48ab
-
SSDEEP
12288:AMrRy90HlBzyssq5jd1DiKOMdo5qdqPMtQorN2z:hySlRys/5WKOMhWMtQo5c
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2176-12-0x00000000023C0000-0x00000000023DA000-memory.dmp healer behavioral1/memory/2176-14-0x0000000004A50000-0x0000000004A68000-memory.dmp healer behavioral1/memory/2176-15-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-42-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-40-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-38-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-36-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-34-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-32-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-30-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-28-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-26-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-24-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-22-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-20-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-18-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/2176-16-0x0000000004A50000-0x0000000004A62000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro8658.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro8658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro8658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro8658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro8658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro8658.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/1388-57-0x0000000002480000-0x00000000024C6000-memory.dmp family_redline behavioral1/memory/1388-58-0x0000000002560000-0x00000000025A4000-memory.dmp family_redline behavioral1/memory/1388-62-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-70-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-92-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-91-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-86-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-84-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-82-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-80-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-78-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-76-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-74-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-72-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-68-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-66-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-64-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-88-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-60-0x0000000002560000-0x000000000259F000-memory.dmp family_redline behavioral1/memory/1388-59-0x0000000002560000-0x000000000259F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 2176 pro8658.exe 1388 qu6282.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro8658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro8658.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4768 2176 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro8658.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu6282.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2176 pro8658.exe 2176 pro8658.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2176 pro8658.exe Token: SeDebugPrivilege 1388 qu6282.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 380 wrote to memory of 2176 380 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe 84 PID 380 wrote to memory of 2176 380 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe 84 PID 380 wrote to memory of 2176 380 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe 84 PID 380 wrote to memory of 1388 380 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe 95 PID 380 wrote to memory of 1388 380 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe 95 PID 380 wrote to memory of 1388 380 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe"C:\Users\Admin\AppData\Local\Temp\4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro8658.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro8658.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 10803⤵
- Program crash
PID:4768
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6282.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6282.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2176 -ip 21761⤵PID:4764
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
237KB
MD5eb5320b78f4e24646dc605fff022635b
SHA1df8a699d6af5e8e358e81ca5ace00cdd10027790
SHA256e3132cfb6127772f41eed0bfd1ab8208f1eaccae7655de0d3305840d29d2b281
SHA5125e218b777ee732da95261a216cb7fbf19e5a182d79c06dc99f1490809a69cded1a690dd044573094fcf4a2b2b99dc54ba7a88f57273885dd62c36fba8ed5b50a
-
Filesize
295KB
MD52b42198f4422780ecbdd8963037727cd
SHA1b0060adc70a374b9bf98cfa349fa0e9538c4ce96
SHA2565a9dd63a2b59caf12dd464bb0dc267a6728e21f6ca2ad77b67d8684476a25e3f
SHA512cedc078776f9d2c9d2049bf195311ea730549f42fc2766417a4f91517188c664f8a8db28e7406255bc7140670c84745c8daf26a26a978c91fe46b64dfba5c68c