Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 21:58
Static task
static1
Behavioral task
behavioral1
Sample
748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe
Resource
win10v2004-20241007-en
General
-
Target
748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe
-
Size
689KB
-
MD5
e1ce38e2a301ee1c47e15eefd853bec1
-
SHA1
b6861f3f7639d8480d9c65b7654fa80971ed0e67
-
SHA256
748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd
-
SHA512
52c72ac17ca177a533c366637f242f537a2b184f9943768e04212d624492a41d40fc5e79b20a5933537d4aef2ffe9db1bba2f9a4aeff92cb454d02bafb2679c0
-
SSDEEP
12288:JMr0y90nUO+0KlS9YAYZ9nW1hWv4l05ph3m679sxkOOYWRV:9ymUt0Kwr0W1WlD77i2OOY8
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2648-19-0x00000000025A0000-0x00000000025BA000-memory.dmp healer behavioral1/memory/2648-21-0x0000000004DA0000-0x0000000004DB8000-memory.dmp healer behavioral1/memory/2648-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-48-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-46-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-33-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-26-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-23-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer behavioral1/memory/2648-22-0x0000000004DA0000-0x0000000004DB2000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3238.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3238.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3238.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3238.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3238.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3238.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4836-60-0x0000000002770000-0x00000000027B6000-memory.dmp family_redline behavioral1/memory/4836-61-0x0000000004E50000-0x0000000004E94000-memory.dmp family_redline behavioral1/memory/4836-65-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-71-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-69-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-67-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-77-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-62-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-95-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-94-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-91-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-89-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-87-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-85-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-83-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-81-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-79-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-75-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline behavioral1/memory/4836-73-0x0000000004E50000-0x0000000004E8F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3792 un422264.exe 2648 pro3238.exe 4836 qu9329.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3238.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3238.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un422264.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1740 2648 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un422264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro3238.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu9329.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2648 pro3238.exe 2648 pro3238.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2648 pro3238.exe Token: SeDebugPrivilege 4836 qu9329.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2132 wrote to memory of 3792 2132 748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe 84 PID 2132 wrote to memory of 3792 2132 748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe 84 PID 2132 wrote to memory of 3792 2132 748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe 84 PID 3792 wrote to memory of 2648 3792 un422264.exe 85 PID 3792 wrote to memory of 2648 3792 un422264.exe 85 PID 3792 wrote to memory of 2648 3792 un422264.exe 85 PID 3792 wrote to memory of 4836 3792 un422264.exe 98 PID 3792 wrote to memory of 4836 3792 un422264.exe 98 PID 3792 wrote to memory of 4836 3792 un422264.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe"C:\Users\Admin\AppData\Local\Temp\748f465a94da22aa3b4e192d2c71121e0aec2c94fa99b8a4b8f753af7260d6dd.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422264.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422264.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3238.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3238.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 10844⤵
- Program crash
PID:1740
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9329.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9329.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2648 -ip 26481⤵PID:2524
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
535KB
MD584ac1e89bb9e37ec1228f8c91901f927
SHA11729260386deaedc96cb35f838c5ba3fb4333dc6
SHA256bb86fb6e85de5e3dffea7a17120fc69b793920b31a30f8de6b8aefe918efbb0b
SHA512c07f0c08caff5b3a0f27221142bb8b410a00a36f87186e9a6b1a40ad77216b1b4661780b5fa3cce9d7f63d81c59e983373b159eef91a496958aff6671e320a0c
-
Filesize
312KB
MD598861e79a0896c1983815ffed1789412
SHA15ff96162099b9d02531a5968fff73e153e387a88
SHA256fc2fe268540c55c551b0e3bca677de5a72e868db6f3c2996d0d0ccdff76c93b3
SHA5128fb01cdad1bbc92b7af6d79bc362cc176b7db35611af274e717c3a947a12e5a8b4ef34be4d5c1d57d91725fb0a2a415d2e684d9ac0d47a9c01066781c59b3397
-
Filesize
370KB
MD502411c42036599a9e78bcbd95297cade
SHA1c42af389583495e9be1182fa7720572ca81f9436
SHA256c826d2811654d20b04319a33eb96db3dd3848b1bdbb9e6ab589a5e240ca4c8ed
SHA51275ed582c2635750efd6ad4893a1c361e0368950ccf0ca49d693a8368c1747533838337a64f3c816938c37c3a345f23859c83c73dbc9cef6c91f230525e78a287