Analysis
- Max time kernel: 144s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 05-11-2024 22:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe
  - Resource: win10v2004-20241007-en
General
- Target: 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe
- Size: 658KB
- MD5: 453c23ae84a3182f7e3d42361a2122c9
- SHA1: 9fd4b028871ceb33560a1e4bf729465929047cb0
- SHA256: 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15
- SHA512: 38c9acb1a40a779a4a385e558d2c8cf609254a592deb9474769a5490e8811f819ab8c9309beee4d472ed8bab8261d2a8ed6d05a43bfb8933baad0188a429e3e7
- SSDEEP: 12288:DMrsy90r41Pfx/5BvK9ohUut5MsjpL040RPg+jUHN9:3yl1Pft/eslyPhjUHN9
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
- behavioral1/memory/2064-19-0x0000000002620000-0x000000000263A000-memory.dmp | healer
- behavioral1/memory/2064-21-0x0000000002650000-0x0000000002668000-memory.dmp | healer
- behavioral1/memory/2064-45-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-35-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-27-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-49-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-47-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-43-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-41-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-39-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-37-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-33-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-31-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-29-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-25-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-23-0x0000000002650000-0x0000000002662000-memory.dmp | healer
- behavioral1/memory/2064-22-0x0000000002650000-0x0000000002662000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4352.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4352.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4352.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4352.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4352.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4352.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
- behavioral1/memory/1528-61-0x00000000023D0000-0x0000000002416000-memory.dmp | family_redline
- behavioral1/memory/1528-62-0x0000000002640000-0x0000000002684000-memory.dmp | family_redline
- behavioral1/memory/1528-66-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-70-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-96-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-94-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-90-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-88-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-86-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-85-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-82-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-80-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-78-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-74-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-72-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-68-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-92-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-76-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-64-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
- behavioral1/memory/1528-63-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
- 2552 | un272287.exe
- 2064 | pro4352.exe
- 1528 | qu7388.exe

Windows security modification (2 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4352.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4352.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un272287.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
- 1540 | 2064 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro4352.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu7388.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un272287.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 2064 | pro4352.exe
- 2064 | pro4352.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2064 | pro4352.exe
- Token: SeDebugPrivilege | 1528 | qu7388.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
- PID 4260 wrote to memory of 2552 | 4260 | 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe | 84
- PID 4260 wrote to memory of 2552 | 4260 | 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe | 84
- PID 4260 wrote to memory of 2552 | 4260 | 7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe | 84
- PID 2552 wrote to memory of 2064 | 2552 | un272287.exe | 85
- PID 2552 wrote to memory of 2064 | 2552 | un272287.exe | 85
- PID 2552 wrote to memory of 2064 | 2552 | un272287.exe | 85
- PID 2552 wrote to memory of 1528 | 2552 | un272287.exe | 96
- PID 2552 wrote to memory of 1528 | 2552 | un272287.exe | 96
- PID 2552 wrote to memory of 1528 | 2552 | un272287.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe (PID 4260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f261b4477e19bb45f5b4d482276c9732014a6d00b5858fe4ee15da1d3a94e15.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un272287.exe (PID 2552)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un272287.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4352.exe (PID 2064)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4352.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 1540)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1088
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7388.exe (PID 1528)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7388.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 2052)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2064 -ip 2064
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 516KB
  MD5: 7e46a28acc1a758bd76c245ac4fbace4
  SHA1: 04b18dfc053d189f75cd40b11b5e32683bb3b915
  SHA256: 0df257e98aada6466f42333506474dd53f41ab6ecb0a6eef33ca56f391a89b45
  SHA512: 4c0faecdd27dbf7a4091e5f77e772364ed90ba8e176ae0cd81816347a2dfe80249ea01655520a8b9ab1c1396879a09a7a573d9a87b69276e66768ae49df332aa

- Filesize: 236KB
  MD5: d768652b7d63ac86f2a05f7725443013
  SHA1: 63686bacb8e057b6b6a2996e72da2998d67162d5
  SHA256: cb04b3fad00878d002c547fc89bfb328b5280b5c26e9c01f309bab53cc9c93ea
  SHA512: 2194d9aa537745d3557b9ad3e6bbdbe393953fc21c364089467e6f4cd29de637e561d28dd5761a7d68e2f68d443ca1792779ad1c244d5947b815872408387c45

- Filesize: 294KB
  MD5: e0790b50bb3a340bf1d9c8d09dd655e7
  SHA1: 893db4fe75b854d9f33106e4e50a368595bc584f
  SHA256: 55dacaffd2cbb1f5da109de1999dbbd3c82985dafbc964d1f9e5e4fad6886383
  SHA512: bcc175637d6aeed0a45e8ace37df2bdf562c6e4f8ec7f1dad427b4648c5e89aa357acdaf17d45da99ad1bf2a8dd1941a7be46bfac77cc6ddd45b3f03fd304256