Analysis

- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 22:21

Static task: static1

Behavioral task: behavioral1
- Sample: 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe
- Resource: win10v2004-20241007-en
General

- Target: 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe
- Size: 689KB
- MD5: ef399a8cf575a2dbd79a399f6f140e7c
- SHA1: 9e73263192c426204e1775f1e68a3c3acc7067b7
- SHA256: 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7
- SHA512: 21de4b0714a95ab60945b8b838707113b419d8249914d8322b7e36202c826cfd9dabe7fa48d49575c920eeb3484797f1419aa644a0ea8cc24a88a644dedd93e4
- SSDEEP: 12288:vMrAy90IPC8xTfJgTpYFaaN+j0BPkoECxJGsQn8+7ETkQj9:jy5PCkTfQ+FvN+ksoECFQ8+7ETkQJ
Malware Config

Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/memory/3632-19-0x0000000002630000-0x000000000264A000-memory.dmp | healer |
| behavioral1/memory/3632-21-0x0000000004EE0000-0x0000000004EF8000-memory.dmp | healer |
| behavioral1/memory/3632-22-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-41-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-49-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-45-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-43-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-39-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-37-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-35-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-33-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-31-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-29-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-27-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-25-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-23-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |
| behavioral1/memory/3632-47-0x0000000004EE0000-0x0000000004EF2000-memory.dmp | healer |

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5485.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5485.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5485.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro5485.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5485.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5485.exe |
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/memory/4188-61-0x0000000002820000-0x0000000002866000-memory.dmp | family_redline |
| behavioral1/memory/4188-62-0x0000000004E50000-0x0000000004E94000-memory.dmp | family_redline |
| behavioral1/memory/4188-68-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-66-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-64-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-78-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-96-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-94-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-92-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-91-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-88-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-84-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-82-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-80-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-76-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-74-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-72-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-70-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |
| behavioral1/memory/4188-86-0x0000000004E50000-0x0000000004E8F000-memory.dmp | family_redline |

Redline family

Executes dropped EXE 3 IoCs

| pid | Process |
|---|---|
| 4856 | un881946.exe |
| 3632 | pro5485.exe |
| 4188 | qu0186.exe |

Windows security modification 2 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5485.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5485.exe |
Adds Run key to start application 2 TTPs 2 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un881946.exe |
Program crash 1 IoCs

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 4460 | 3632 | WerFault.exe | 87 |
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu0186.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un881946.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro5485.exe |
Suspicious behavior: EnumeratesProcesses 2 IoCs

| pid | Process |
|---|---|
| 3632 | pro5485.exe |
| 3632 | pro5485.exe |

Suspicious use of AdjustPrivilegeToken 2 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3632 | pro5485.exe |
| Token: SeDebugPrivilege | 4188 | qu0186.exe |

Suspicious use of WriteProcessMemory 9 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1892 wrote to memory of 4856 | 1892 | 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe | 86 |
| PID 1892 wrote to memory of 4856 | 1892 | 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe | 86 |
| PID 1892 wrote to memory of 4856 | 1892 | 993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe | 86 |
| PID 4856 wrote to memory of 3632 | 4856 | un881946.exe | 87 |
| PID 4856 wrote to memory of 3632 | 4856 | un881946.exe | 87 |
| PID 4856 wrote to memory of 3632 | 4856 | un881946.exe | 87 |
| PID 4856 wrote to memory of 4188 | 4856 | un881946.exe | 99 |
| PID 4856 wrote to memory of 4188 | 4856 | un881946.exe | 99 |
| PID 4856 wrote to memory of 4188 | 4856 | un881946.exe | 99 |
Processes

- C:\Users\Admin\AppData\Local\Temp\993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\993b5d1bacb44052ed264a81e5d5df415919267bb4f5db95803f25c255d92ed7.exe"
  PID: 1892
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un881946.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un881946.exe
    PID: 4856
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5485.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5485.exe
      PID: 3632
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1088
        PID: 4460
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0186.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0186.exe
      PID: 4188
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3632 -ip 3632
  PID: 4504
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads

- Filesize: 536KB
  MD5: 37ec5a8d2e7c851c06e9d1665315e0f4
  SHA1: 0fa54ce1109b2e235732985c46c67d98a65ee7d9
  SHA256: 7333bbe03b47173e4c9e028c6ac428468243dde248ee07ebc218ab05a104cac7
  SHA512: faa60136b6e4ceebfc3bcb111373419e4c3a284d5eac67318fe72ba59c31ac517ed5203e6492f5e3bf4f79d59a903d9f4439c8a353c8954fd49d95c38f27e0d7
- Filesize: 314KB
  MD5: e92ca82f787f061b7dd78de2e7cbdb82
  SHA1: ad80a352bf87e260de57411ffca9b069d11a74c3
  SHA256: 3ba2749e1c96c4b81965ab9cdff005298258d5488d0b78c249280399489b98a2
  SHA512: 6217f44e14bdbfffed2a95088e219a54a0a9599b13afae92180fd9ca27401c8b11c8381ec1be1c6a9b8c44e3ce18cf7e096148fb1a27eb029d40a6a6a91203f0
- Filesize: 372KB
  MD5: 753e591fa66005548e8fdf7a8b106a1b
  SHA1: 2bdc0d94d8cf2badcfe332f57285a91f7513a6e2
  SHA256: 1ce06e73f48fbb4cca5850aeed57d1cea65ed6dbebf740d8270acc874b5734a4
  SHA512: 5f85c40daddfec1375f2812ad0023be1e0270214301f1827bcf782f68863191de639463636c2c00c0895d7211e0134559b601fb5998e87f9c47820aa05227d3c