Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 21:51
Static task
static1
Behavioral task
behavioral1
Sample
5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe
Resource
win10v2004-20241007-en
General
-
Target
5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe
-
Size
659KB
-
MD5
adc8984cb67384e670732b784519ae1d
-
SHA1
abd1af2e7f92706d685e16528ce19a294602451b
-
SHA256
5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396
-
SHA512
e4f43c989426180ef132588269362ad6a1d21291fc9e9ae8f4c75a7eb1d888518a949dcd635384963261b77f24210280afcfd67d3858c2cd9d1ae97c0f483d26
-
SSDEEP
12288:0MrGy90MaQtstFrQ8MuF5w88Z2k/xAi0pkitg1Ng2t59nrwbk1CVaOft/juDKZcF:yyU8p8IqeNg2t5h4k8VHBoKZcF
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4368-19-0x00000000023B0000-0x00000000023CA000-memory.dmp healer behavioral1/memory/4368-21-0x0000000004A50000-0x0000000004A68000-memory.dmp healer behavioral1/memory/4368-49-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-47-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-45-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-43-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-41-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-39-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-37-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-35-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-33-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-31-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-29-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-27-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-25-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-23-0x0000000004A50000-0x0000000004A62000-memory.dmp healer behavioral1/memory/4368-22-0x0000000004A50000-0x0000000004A62000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3953.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4580-60-0x00000000023F0000-0x0000000002436000-memory.dmp family_redline behavioral1/memory/4580-61-0x0000000002670000-0x00000000026B4000-memory.dmp family_redline behavioral1/memory/4580-71-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-73-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-95-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-93-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-91-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-87-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-85-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-83-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-81-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-79-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-77-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-75-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-69-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-67-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-89-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-65-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-63-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline behavioral1/memory/4580-62-0x0000000002670000-0x00000000026AF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4292 un379912.exe 4368 pro3953.exe 4580 qu9033.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3953.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un379912.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2708 4368 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un379912.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro3953.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu9033.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4368 pro3953.exe 4368 pro3953.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4368 pro3953.exe Token: SeDebugPrivilege 4580 qu9033.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2148 wrote to memory of 4292 2148 5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe 84 PID 2148 wrote to memory of 4292 2148 5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe 84 PID 2148 wrote to memory of 4292 2148 5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe 84 PID 4292 wrote to memory of 4368 4292 un379912.exe 85 PID 4292 wrote to memory of 4368 4292 un379912.exe 85 PID 4292 wrote to memory of 4368 4292 un379912.exe 85 PID 4292 wrote to memory of 4580 4292 un379912.exe 98 PID 4292 wrote to memory of 4580 4292 un379912.exe 98 PID 4292 wrote to memory of 4580 4292 un379912.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe"C:\Users\Admin\AppData\Local\Temp\5620bf554079ece4d5d8f19611ec326def1c201954b1949578492efe02857396.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379912.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379912.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3953.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3953.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 10804⤵
- Program crash
PID:2708
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9033.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9033.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4580
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4368 -ip 43681⤵PID:1532
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
517KB
MD512ebdb49a1d54b28b32056a61c37aa52
SHA1180a4c2ccd53f21f69bbcf4fd35784cd42756343
SHA25653632a3165b284646350075d2c1c19c2fc69a80f3af16087992f4f137317bf6a
SHA51214075d23418807b37b945174c0b2ec46d052b894274aaf820cccf63c4a7a845e979f7f0a98712b13e68821ace1884d003dbec896707b8fa75e4daa8f2206b754
-
Filesize
237KB
MD5f967fbee29e80d63c6fd24dad5e8cbe6
SHA1024abb526d974f54f62878198c986b21821daa88
SHA256cadcdceef46e611bc29705702ad0f7e5c3c93242cf283f5a9edb7ab927a7a573
SHA512ea6b5567cf1709f74e94f3c51bd3d4b73ba83f56a438b47622431859a386f21fa0c621421b51c9ba0744d3ea2b4088aebbbdf8ca5cc9a3b65b01803f4bfe2033
-
Filesize
295KB
MD506b77b9803ef429461f01f20065b4032
SHA1f6227197cbe931bd0e9c783250b9310ab12c0519
SHA256aa26d4a991612160cd6bb893c2582bd73725a561002fae17d62e294782105a32
SHA5123fb1036e55160c0d930bc1eea69b7b0f1841ad92157540be14554d09386b1ee3479bd390267e26decdb49d75e7759b70e90f6fffe028cdbe1fb0624566dca5af