Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 23:12
Static task
static1
Behavioral task
behavioral1
Sample
1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe
Resource
win10v2004-20241007-en
General
-
Target
1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe
-
Size
723KB
-
MD5
ad4c14e680a98a155384d22020aea0a7
-
SHA1
99c7962b0e37b6294740d5f04cc4843758b68d35
-
SHA256
1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005
-
SHA512
2d84e2b41b938e71dde6ab705f605fce30d471be9d120365223fe124a778700fe59e01888cccb32494d7b98d3eea65ca73f88d018b1056e740c1621ab2158c42
-
SSDEEP
12288:LMroy90zKGU1oDVxCns9XyCVfdhScKGN7jgQN8WqZ3LqTPyvO14eCUQaa:HyUvUaVxCs9Xyor750bWqZ3eL1EUDa
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4560-19-0x0000000002390000-0x00000000023AA000-memory.dmp healer behavioral1/memory/4560-21-0x00000000024E0000-0x00000000024F8000-memory.dmp healer behavioral1/memory/4560-22-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-49-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-45-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-43-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-39-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-33-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-32-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-29-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-27-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-25-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-23-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-47-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-41-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-38-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4560-35-0x00000000024E0000-0x00000000024F2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro4196.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro4196.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro4196.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro4196.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro4196.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro4196.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/2160-61-0x00000000029C0000-0x0000000002A06000-memory.dmp family_redline behavioral1/memory/2160-62-0x00000000053B0000-0x00000000053F4000-memory.dmp family_redline behavioral1/memory/2160-80-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-82-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-96-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-94-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-92-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-90-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-88-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-86-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-84-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-78-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-76-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-74-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-72-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-70-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-68-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-66-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-64-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline behavioral1/memory/2160-63-0x00000000053B0000-0x00000000053EF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4736 un201769.exe 4560 pro4196.exe 2160 qu1427.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro4196.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro4196.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un201769.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2904 4560 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un201769.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro4196.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu1427.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4560 pro4196.exe 4560 pro4196.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4560 pro4196.exe Token: SeDebugPrivilege 2160 qu1427.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4524 wrote to memory of 4736 4524 1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe 86 PID 4524 wrote to memory of 4736 4524 1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe 86 PID 4524 wrote to memory of 4736 4524 1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe 86 PID 4736 wrote to memory of 4560 4736 un201769.exe 87 PID 4736 wrote to memory of 4560 4736 un201769.exe 87 PID 4736 wrote to memory of 4560 4736 un201769.exe 87 PID 4736 wrote to memory of 2160 4736 un201769.exe 93 PID 4736 wrote to memory of 2160 4736 un201769.exe 93 PID 4736 wrote to memory of 2160 4736 un201769.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe"C:\Users\Admin\AppData\Local\Temp\1452663813898e1f856026f8442c1c788330214d86c58c93cabeb3799996c005.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201769.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201769.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4196.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4196.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 10804⤵
- Program crash
PID:2904
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1427.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1427.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4560 -ip 45601⤵PID:3656
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
570KB
MD588b81c3b847f53e019025681fa77ace3
SHA1c6143c9de6dc241e89939c2ac17f52fe420321af
SHA2568d9d1fd5a426acb748a1baa705ef5b1dd809f6b84c90696b51f9751983283bab
SHA51246f224b81c7e05833b44c442424c5cb023156fd2e978e522acd718ac03bcdbf379500ac6a02913628f967f4c36557b3885c1b9b9e0216c6f56f54ee2092a6011
-
Filesize
253KB
MD5be6135cdd4234521524feb24e716421d
SHA1b6ad462586fc731b4833c306bef163425f6a6689
SHA256ed93e80704ef446b2a88261181d166b87c1efc12c2cc423484c1648092d0d05e
SHA51200999de4a704966ffaa42d2bc1e71c8c7997c0a9290ef2b4d5418dbe7b0e60f42d07fe1ff64ebd224264e25eba83874d7fc47a85d2f11f04c7faafec2e0f8110
-
Filesize
370KB
MD5f990587e831eb94dc9ecc0e21fa4bea7
SHA12fcfdb3a129ef24e2ddf5115bdd4270ad84b5497
SHA2569f9fad397834d2999e7e442b3af166c891adce631de0f7591026cee4086a64fe
SHA512e37489c7062e8f9c92d44909194f7230af2beea4f57f3e95e1da2fa84e93c48309a79625175d8831e4318f126e7c3d63b2feeecfba3d934ef0d8beba040115e1