Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 23:04
Static task: static1
Behavioral task: behavioral1
Sample: 1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe
Resource: win10v2004-20241007-en
General
Target: 1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe
Size: 659KB
MD5: 242b2fb499d041fc349dc06727911e4d
SHA1: 8d6d7bdf6a1e2c90dc8a1224c47bcca2d3b09ef4
SHA256: 1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024
SHA512: 7d7dd890675bfa52f7d70998983d6fbe523e8e40d18c66b2ec136dba7e98e86d8519e15ba9597b71d2436b6a18148ad13ed68c637d3c9455635b995a9117ece8
SSDEEP: 12288:PMrdy90zfdsR+gZBl6UtAO2O+u8XQXsXGMKjsQoqBiOhPbgNF53:+ysfHImUtAPBXQyiIQDF9ov3
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes: auth_value = 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/4472-17-0x0000000004900000-0x000000000491A000-memory.dmp  healer
behavioral1/memory/4472-19-0x0000000004CB0000-0x0000000004CC8000-memory.dmp  healer
behavioral1/memory/4472-21-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-22-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-46-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-44-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-42-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-40-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-38-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-36-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-34-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-32-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-30-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-28-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-26-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4472-24-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro7245.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro7245.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro7245.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro7245.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro7245.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro7245.exe
Note: these paths are the WOW64-redirected view (WOW6432Node) of the Defender policy key. pro7245.exe is a 32-bit process (its crash is handled by C:\Windows\SysWOW64\WerFault.exe), so its writes land under WOW6432Node rather than in the native 64-bit key that the Defender service reads; detection logic should match both spellings.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource  yara_rule
behavioral1/memory/5100-59-0x0000000004C70000-0x0000000004CB6000-memory.dmp  family_redline
behavioral1/memory/5100-60-0x0000000007740000-0x0000000007784000-memory.dmp  family_redline
behavioral1/memory/5100-74-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-72-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-92-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-90-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-88-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-86-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-84-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-82-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-80-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-78-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-76-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-70-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-68-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-66-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-94-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-64-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-62-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
behavioral1/memory/5100-61-0x0000000007740000-0x000000000777F000-memory.dmp  family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid  Process
4308  un784940.exe
4472  pro7245.exe
5100  qu1424.exe
Windows security modification (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro7245.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro7245.exe
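The two Defender-tampering signatures above (Real-Time Protection policy values set to 1, TamperProtection set to 0) are the kind of registry writes a host-based detection should catch regardless of whether they arrive as the native key path or the WOW64-redirected one. The following is an added example by the editor, not sandbox output or code from the malware: it runs a small watchlist over constructed registry-set events written in the shape of Sysmon Event ID 13 records (the first two lines are modelled on the pro7245.exe IoCs in this report, the others are benign controls), normalizes `\REGISTRY\MACHINE` and `WOW6432Node` spellings, and flags only the dangerous data values.

```python
"""Flag registry writes that weaken Microsoft Defender (editor's example, not sandbox output)."""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry), in a Sysmon Event ID 13 text shape.
# Lines 1-2 mirror the pro7245.exe IoCs; line 3 sets the same value name to 0 (benign);
# line 4 is a string value under Run, which this detector deliberately ignores.
SAMPLE_EVENTS = r"""
EventType: SetValue, Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7245.exe, TargetObject: HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring, Details: DWORD (0x00000001)
EventType: SetValue, Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7245.exe, TargetObject: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection, Details: DWORD (0x00000000)
EventType: SetValue, Image: C:\Windows\System32\svchost.exe, TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring, Details: DWORD (0x00000000)
EventType: SetValue, Image: C:\Windows\regedit.exe, TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater, Details: C:\Users\Admin\updater.exe
"""

# Real-Time Protection policy values: a non-zero DWORD disables that feature.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
# Defender features key: TamperProtection = 0 switches tamper protection off.
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

EVENT_RE = re.compile(
    r"EventType:\s*(?P<type>\w+),\s*Image:\s*(?P<image>.+?),\s*"
    r"TargetObject:\s*(?P<target>.+?),\s*Details:\s*(?P<details>.+)$"
)
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+|\d+)\)")


@dataclass
class Finding:
    image: str
    key: str
    value_name: str
    data: int
    reason: str


def normalize_key(path: str) -> str:
    """Map native-object and WOW64-redirected spellings onto one canonical HKLM path."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.IGNORECASE)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.IGNORECASE)
    # Drop the WOW6432Node component so 32-bit writers match the same rule.
    return re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.IGNORECASE)


def parse_dword(details: str):
    """Return the integer of a 'DWORD (...)' details field, or None for non-DWORD data."""
    m = DWORD_RE.search(details)
    if not m:
        return None
    token = m.group(1)
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def scan(events: str) -> list[Finding]:
    """Return one Finding per registry write that weakens Defender."""
    findings = []
    for line in events.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["type"] != "SetValue":
            continue
        key, _, name = normalize_key(m["target"]).rpartition("\\")
        data = parse_dword(m["details"])
        if data is None:
            continue  # only DWORD policy toggles are in scope here
        if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data != 0:
            findings.append(Finding(m["image"], key, name, data,
                                    "Defender real-time protection feature disabled by policy"))
        elif key.lower() == FEATURES_KEY.lower() and name.lower() == "tamperprotection" and data == 0:
            findings.append(Finding(m["image"], key, name, data,
                                    "Defender tamper protection switched off"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {f.key}\\{f.value_name} = {f.data} ({f.reason})")
```

Run on the sample, only the two pro7245.exe-style writes are reported; the svchost.exe write of 0 and the Run string value are not. Because the key comparison happens after normalization, the same rule fires whether the writer was a 64-bit process targeting the native key or, as in this report, a 32-bit process whose write was redirected under WOW6432Node.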
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un784940.exe
Note: wextract_cleanupN RunOnce entries calling advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress/wextract self-extractor stub to delete its IXPnnn.TMP working directory at the next logon. The nested IXP000.TMP and IXP001.TMP paths show that the sample is two layers of self-extracting packaging (the outer stub drops un784940.exe, which in turn drops pro7245.exe and qu1424.exe); the entries are cleanup, not a persistence mechanism of the payloads themselves.
Program crash (1 IoC)
pid  pid_target  Process  procid_target
4860  4472  WerFault.exe  87
(procid_target is the sandbox-internal process id of the crashed process, here pro7245.exe, not an OS PID.)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu1424.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un784940.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro7245.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
4472  pro7245.exe
4472  pro7245.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4472  pro7245.exe
Token: SeDebugPrivilege  5100  qu1424.exe
Suspicious use of WriteProcessMemory (9 IoCs; each relation is reported three times)
description  pid  Process  procid_target
PID 1404 wrote to memory of 4308  1404  1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe  85  (x3)
PID 4308 wrote to memory of 4472  4308  un784940.exe  87  (x3)
PID 4308 wrote to memory of 5100  4308  un784940.exe  96  (x3)
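The WriteProcessMemory IoCs are the raw material for the process tree shown under Processes: each parent-to-child write corresponds to one spawn, and the sandbox lists it three times. The following is an added example by the editor, not part of the report or of any tool: it parses the nine IoC lines as they were extracted, collapses the duplicates into distinct edges, and renders the parent/child tree, using the pid-to-image mapping from the "Executes dropped EXE" signature to label the children (the parsing function and the input text are the editor's own constructions).

```python
"""Rebuild a process tree from sandbox WriteProcessMemory IoC lines (editor's example)."""
import re
from collections import defaultdict

# Constructed input: the nine IoC lines of this report, verbatim in their extracted shape.
WPM_IOCS = """
PID 1404 wrote to memory of 4308 1404 1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe 85
PID 1404 wrote to memory of 4308 1404 1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe 85
PID 1404 wrote to memory of 4308 1404 1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe 85
PID 4308 wrote to memory of 4472 4308 un784940.exe 87
PID 4308 wrote to memory of 4472 4308 un784940.exe 87
PID 4308 wrote to memory of 4472 4308 un784940.exe 87
PID 4308 wrote to memory of 5100 4308 un784940.exe 96
PID 4308 wrote to memory of 5100 4308 un784940.exe 96
PID 4308 wrote to memory of 5100 4308 un784940.exe 96
"""

# pid -> image, taken from the "Executes dropped EXE" signature plus the sample itself.
PID_IMAGES = {
    1404: "1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe",
    4308: "un784940.exe",
    4472: "pro7245.exe",
    5100: "qu1424.exe",
}

# description, pid, Process, procid_target (the last is the sandbox's own process index).
IOC_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_edges(text: str):
    """Return distinct (parent_pid, child_pid, parent_image) tuples in first-seen order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        parent, child, pid, image, _procid = m.groups()
        if pid != parent:  # the pid column repeats the writer; anything else is a parse error
            raise ValueError(f"inconsistent IoC line: {line!r}")
        edge = (int(parent), int(child), image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges, images):
    """Return (children_by_pid, root_pids); fills in parent images learned from the edges."""
    children = defaultdict(list)
    for parent, child, image in edges:
        images.setdefault(parent, image)
        children[parent].append(child)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    return children, roots


def render_tree(text: str, images: dict) -> list:
    """Render the tree as indented 'pid image' lines, two spaces per level."""
    images = dict(images)  # do not mutate the caller's mapping
    children, roots = build_tree(parse_edges(text), images)
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(WPM_IOCS, PID_IMAGES)))
```

The result reproduces the spawn chain of the report (sample -> un784940.exe -> pro7245.exe and qu1424.exe); the WerFault.exe instances do not appear because they are started by the Windows Error Reporting service rather than by any of these processes, which is also why the report places the `-pss` instance at the top level.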
Processes
C:\Users\Admin\AppData\Local\Temp\1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe (PID 1404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a5106462ca0bed7fdca3fe0f72530649a851198293a0a3b065d9a41a07d2024.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un784940.exe (PID 4308)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un784940.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7245.exe (PID 4472)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7245.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 4860)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1424.exe (PID 5100)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1424.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 4588)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 517KB
MD5: 785918834e5e04cc56d0d0c146b6604d
SHA1: a20f7052048c107570192450b9745e2b2d61e4ac
SHA256: b5603a599354785d4d1cb9f85080ac57ccef1ddbbe0561232511d20b57d7d6b3
SHA512: decc6ca23faa58f293bf191a0b97f76b53cfa4143e78b9b0a3f2c09728a31b19185c44a0119623e149880bfacbef5d3c1330cfdae0d3ce6fe8709803ba9ca6dc

Filesize: 295KB
MD5: 49ebe2965361e4f005b1d753d5026dcd
SHA1: 2944d97a377cee26400c12c45d04b7a6cb5db73b
SHA256: 00493c6ffe88949fd493c8c5384c682c85747bac52ad9693a4a0a1fbce8e913f
SHA512: 0d5ef21a94f2c6b6265a92913c59ca8388ffab98cac2a4c3b781f93f17ac372ec9da52f18c036432b8641e960b2eaacd54c6bb54a93223489ee52b556bf181fe

Filesize: 354KB
MD5: f673bd0ab3bde6daee6e5fc53a42b13a
SHA1: 968eb18fa5b5de6f5a2372d61ba2f1697e60ebbe
SHA256: a70bc78a8b4f50cbdf2a8cc138f644a7ac6766b3c05abdd6449ce16287bea7cb
SHA512: 1f441ab6b20e4c957a275adb4077c5b26d0eca9249a1fb8d6c8f45464558cdbe75387a566755c042338afa80046422cc3c927bae8c8abc796a3c2a19867f6818