Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 21:52

Static task: static1
Behavioral task: behavioral1
Sample: ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe
Resource: win10v2004-20241007-en
General

Target: ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe
Size: 666KB
MD5: bdcea0bbc83f644859872c3ddcd08552
SHA1: 1ed36bc946ba0df88ea902fec6aa392510bca77f
SHA256: ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00
SHA512: 29d4f670b480b05e68b61064ddcd4447deee23ec0f84eef2b9caa34e5bf835168741a3055d8d3e2d5bf335a6e040126910596db22e5e1abdd14bb690386aee65
SSDEEP: 12288:gMrGy90nWiu0A+CyYdUcS1Sjb9o8b+vHVsvtnRc4l2ZtLNcbXX2EpTBll//iiX:WyxiuWCxFq7VsvtnRc48ZlNc6EpPd/BX
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)

All hits are memory regions of PID 4020, which is pro1778.exe in the process tree below.

resource | yara_rule
- behavioral1/memory/4020-19-0x0000000002880000-0x000000000289A000-memory.dmp | healer
- behavioral1/memory/4020-21-0x0000000002A50000-0x0000000002A68000-memory.dmp | healer
- behavioral1/memory/4020-47-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-46-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-43-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-41-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-40-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-37-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-35-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-33-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-31-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-49-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-29-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-27-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-25-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-23-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
- behavioral1/memory/4020-22-0x0000000002A50000-0x0000000002A62000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1778.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1778.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1778.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1778.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1778.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1778.exe

The writer is a 32-bit process (its crash is handled by C:\Windows\SysWOW64\WerFault.exe below), so the sandbox records the policy path through the WOW6432Node view. When checking a host, read both the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection path and the WOW6432Node path.
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)

All hits are memory regions of PID 4052, which is qu6159.exe in the process tree below.

resource | yara_rule
- behavioral1/memory/4052-61-0x0000000002600000-0x0000000002646000-memory.dmp | family_redline
- behavioral1/memory/4052-62-0x0000000004EC0000-0x0000000004F04000-memory.dmp | family_redline
- behavioral1/memory/4052-74-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-78-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-76-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-72-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-96-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-92-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-90-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-88-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-86-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-84-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-82-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-80-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-70-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-94-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-68-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-66-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-64-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
- behavioral1/memory/4052-63-0x0000000004EC0000-0x0000000004EFF000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)

pid | Process
- 3256 | un828933.exe
- 4020 | pro1778.exe
- 4052 | qu6159.exe

Windows security modification (2 IoCs)

description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1778.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1778.exe

The sandbox logs the write; it does not confirm that Tamper Protection was actually turned off. Treat the event as an attempt and verify Defender's own state on an affected host.
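The two Defender signatures above (the five Real-Time Protection policy values set to 1, and TamperProtection set to 0) translate directly into a host-telemetry detection. The following is an added example written for this page, not sandbox code: it evaluates Sysmon-style registry events (the field names EventID, Image, TargetObject and Details are assumed to follow Sysmon's Event ID 12/13 schema) and flags exactly the writes this report lists. The sample events are constructed from the report's IoCs plus two benign negatives that must not fire.

```python
"""Flag Windows Defender tampering in Sysmon-style registry events.

Added example for this report, not sandbox code. The event shape is an
assumption modelled on Sysmon Event ID 13 (RegistryEvent, value set) and
Event ID 12 (key create): dicts with EventID, Image, TargetObject, Details.
SAMPLE_EVENTS is constructed from the registry IoCs in the report, plus two
benign events that must not fire.
"""
import re

# Real-Time Protection policy values that switch a feature off when set to 1.
# All five are written by pro1778.exe in the report.
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
RTP_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
FEATURES_KEY = "hklm\\software\\microsoft\\windows defender\\features"


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE, HKEY_LOCAL_MACHINE and the 32-bit WOW6432Node
    view onto one lower-case HKLM\\... form, so one rule matches writes made
    from either a 32-bit process (as here) or a 64-bit one."""
    p = path.strip().rstrip("\\").lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            p = "hklm\\" + p[len(prefix):]
            break
    wow = "hklm\\software\\wow6432node\\"
    if p.startswith(wow):
        p = "hklm\\software\\" + p[len(wow):]
    return p


def dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' form or a sandbox's bare '1'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'\s*"?(\d+)"?\s*', details)
    return int(m.group(1)) if m else None


def classify(event: dict):
    """Return a finding string for a Defender-tampering value write, else None.
    Key creation (Event ID 12) on its own is noise and is ignored."""
    if event.get("EventID") != 13:
        return None
    key, _, name = normalize_key(event["TargetObject"]).rpartition("\\")
    value = dword(str(event.get("Details", "")))
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and value == 1:
        return f"{event['Image']}: Real-Time Protection policy {name}=1"
    if key == FEATURES_KEY and name == "tamperprotection" and value == 0:
        return f"{event['Image']}: TamperProtection=0 (attempt; verify Defender state)"
    return None


def scan(events):
    """All findings, in event order."""
    return [f for f in map(classify, events) if f]


def _evt(eid, image, target, details=""):
    return {"EventID": eid, "Image": image, "TargetObject": target, "Details": details}


# Constructed sample telemetry built from the report's IoCs (NT-style paths,
# bare DWORD text as the sandbox prints them) plus two Sysmon-style negatives.
_RTP_WOW = ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft"
            "\\Windows Defender\\Real-Time Protection")
SAMPLE_EVENTS = [
    _evt(12, "pro1778.exe", _RTP_WOW),
    *[_evt(13, "pro1778.exe", _RTP_WOW + "\\" + v, "1") for v in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection",
        "DisableOnAccessProtection", "DisableRealtimeMonitoring",
        "DisableScanOnRealtimeEnable")],
    _evt(13, "pro1778.exe",
         "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection",
         "DWORD (0x00000000)"),
    # negatives: a value set back to 0, and an unrelated Run key write
    _evt(13, "C:\\Windows\\System32\\svchost.exe",
         "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
         "DWORD (0x00000000)"),
    _evt(13, "C:\\Windows\\explorer.exe",
         "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Example",
         "C:\\Program Files\\Example\\example.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints six findings, one per write by pro1778.exe, and nothing for the two negatives. The normalisation step is the part worth keeping: without it a rule keyed on the native HKLM\SOFTWARE\Policies path misses the same write logged through the WOW6432Node view.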
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un828933.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe

Both values are the standard cleanup entries written by an IExpress (wextract) self-extracting package: at the next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the IXPnnn.TMP extraction directory. They remove the dropped files rather than relaunch anything, so they are not persistence for the payload. The two directories also show the layering: the sample unpacks un828933.exe into IXP000.TMP, and un828933.exe in turn unpacks pro1778.exe and qu6159.exe into IXP001.TMP.
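Because the signature name above reads as persistence while the values are self-extractor cleanup, a triage script should tell the two apart. The following added example (not from the report or the sandbox) classifies RunOnce values, decodes the sandbox's quoted string form with json.loads, and lists the nested IXPnnn.TMP layers. The first two entries are the report's IoCs; the third is a constructed autostart used as a positive case, and the regular expression is my own.

```python
"""Separate IExpress self-extractor cleanup from real autostart entries.

Added example for this report, not sandbox code. General Windows behaviour
it relies on: an IExpress (wextract) package unpacks into %TEMP%\\IXPnnn.TMP
and writes RunOnce\\wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32
"<that directory>" so the directory is deleted at next logon. That entry
removes the dropped files; it never relaunches the payload, so it should not
be counted as persistence. The first two SAMPLE_ENTRIES are the report's two
IoCs in the sandbox's quoted form; the third is a constructed autostart.
"""
import json
import re

WEXTRACT_NAME = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
IEXPRESS_CLEANUP = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'    # rundll32, bare or full path
    r'(?:[A-Za-z]:\\[^,]*\\)?advpack\.dll\s*,\s*'     # advpack.dll, bare or full path
    r'DelNodeRunDLL32\s+'
    r'"?(?P<dir>[^"]*\\IXP\d{3}\.TMP\\?)"?\s*$',      # the IXPnnn.TMP directory
    re.IGNORECASE,
)


def decode_sandbox_literal(literal: str) -> str:
    """Sandbox reports print REG_SZ data as a JSON-style quoted literal with
    backslashes and inner quotes escaped; json.loads restores the raw value."""
    return json.loads(literal)


def classify_runonce(name: str, data: str) -> dict:
    """Return kind 'iexpress_cleanup' (persistence False) or 'autostart'."""
    m = IEXPRESS_CLEANUP.match(data)
    if m and WEXTRACT_NAME.match(name):
        return {"name": name, "kind": "iexpress_cleanup",
                "directory": m.group("dir"), "persistence": False}
    return {"name": name, "kind": "autostart", "command": data, "persistence": True}


def sfx_layers(entries):
    """Distinct IXPnnn.TMP directories named by cleanup entries. Each is one
    SFX layer that ran: here the outer sample (IXP000) and un828933.exe
    unpacked from it (IXP001)."""
    dirs = set()
    for name, data, _writer in entries:
        info = classify_runonce(name, data)
        if info["kind"] == "iexpress_cleanup":
            dirs.add(info["directory"].rstrip("\\"))
    return sorted(dirs)


def persistence_entries(entries):
    """(value name, writing process) for entries that really do autostart."""
    return [(n, w) for n, d, w in entries if classify_runonce(n, d)["persistence"]]


# Constructed input: (value name, value data, writing process).
SAMPLE_ENTRIES = [
    ("wextract_cleanup0",
     decode_sandbox_literal(
         r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
         r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""'),
     "ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe"),
    ("wextract_cleanup1",
     decode_sandbox_literal(
         r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
         r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""'),
     "un828933.exe"),
    # constructed autostart value, not taken from the report
    ("Updater", r'"C:\Users\Admin\AppData\Roaming\Example\update.exe" /silent',
     "update.exe"),
]

if __name__ == "__main__":
    print("SFX layers:", sfx_layers(SAMPLE_ENTRIES))
    print("persistence:", persistence_entries(SAMPLE_ENTRIES))
```

The cleanup match requires both the wextract_cleanupN value name and a DelNodeRunDLL32 command pointing at an IXPnnn.TMP directory; anything else under RunOnce is reported as an autostart. The directory list doubles as a quick count of how many nested self-extractors ran.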
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
- 688 | 4020 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un828933.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro1778.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu6159.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
- 4020 | pro1778.exe
- 4020 | pro1778.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
- Token: SeDebugPrivilege | 4020 | pro1778.exe
- Token: SeDebugPrivilege | 4052 | qu6159.exe

Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
- PID 3416 wrote to memory of 3256 | 3416 | ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe | 84
- PID 3416 wrote to memory of 3256 | 3416 | ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe | 84
- PID 3416 wrote to memory of 3256 | 3416 | ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe | 84
- PID 3256 wrote to memory of 4020 | 3256 | un828933.exe | 85
- PID 3256 wrote to memory of 4020 | 3256 | un828933.exe | 85
- PID 3256 wrote to memory of 4020 | 3256 | un828933.exe | 85
- PID 3256 wrote to memory of 4052 | 3256 | un828933.exe | 97
- PID 3256 wrote to memory of 4052 | 3256 | un828933.exe | 97
- PID 3256 wrote to memory of 4052 | 3256 | un828933.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe (PID 3416)
  command line: "C:\Users\Admin\AppData\Local\Temp\ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828933.exe (PID 3256)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828933.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1778.exe (PID 4020)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1778.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 688)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1096
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6159.exe (PID 4052)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6159.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 4308)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4020 -ip 4020
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Three files, listed by size and hash.

File 1
Filesize: 524KB
MD5: c43d7980df354cda3ec2468aefad012c
SHA1: e859085c0042dbf404270010f1fc40535dbf8f40
SHA256: b8f1393baf323d9829e51ec8877a955f3e638ba10dd20e055433e1de5f40cc7e
SHA512: 9e34cfc869742807a318754c96f6031928fe8735fac15fb109271593d9a26b6b54858d01e81ec471eec0c98570e124503c57188ef99c2b97104d5252fe58a528

File 2
Filesize: 294KB
MD5: 337e0a96a10ff2b2980fc4341b2b94a1
SHA1: 5289794c7497db7e15198391043b0e26ff4fda80
SHA256: c850430fedb6617afc59f6be7922ad74b3c8ea8ec6bface357fa2b43c45967a6
SHA512: 84afa48f5af666dc37aa1e77dd96bf4309f0a31a09f1f5ac0dadd175e0c74582aa73397c20da3da63b46045585dd4ac6e66750477a8fbd2d2da268ce8970c396

File 3
Filesize: 353KB
MD5: 61d114b56c1163d4ff213151b2910246
SHA1: 009428b2b2ab030a28e85bac6e47421bf37804d1
SHA256: 20b1a7e09076d559fd66456a4cefe46d9febee9155a3d569df68afb08903220f
SHA512: 6c38693eb093debb66fbab5358d0a8eb6f8550d70aff31d118c79b8c2798cd1e7e89ac1e202c4552be61e4d9da90a66dc39b1f1d5be44d08be2fd31d6af154b0