Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 05-11-2024 22:49

Static task: static1
Behavioral task: behavioral1
Sample: ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
Resource: win10v2004-20241007-en
General

Target: ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
Size: 695KB
MD5: 399dac108b9fd8da34f8579cd6521bb9
SHA1: 6b5bfda81085869f3fa761691abe4dded2100209
SHA256: ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74
SHA512: 8573cab7778d498eb08c03db8b79c5ced4ee27e713ab6efc2799f4500f323dda027fdfe78f97fa0593e17d71e39b59c49ffa5b54c7c90db062dd55e8f829dc49
SSDEEP: 12288:kMrvy90V5ibYrqBJpolQkkjRHkcvDtEaSf7MRNZDA1B1/t1zq5MJmHHmxsHheTmI:TyvcGsPWRE0xyMpAxt1qWQGxo0iI
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1540.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1540.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1540.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1540.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1540.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1540.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
1748 | un539911.exe
1176 | pro1540.exe
1144 | qu2680.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1540.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1540.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un539911.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un539911.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro1540.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu2680.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1176 | pro1540.exe
1176 | pro1540.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1176 | pro1540.exe
Token: SeDebugPrivilege | 1144 | qu2680.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2348 wrote to memory of 1748 | 2348 | ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe | 84
PID 2348 wrote to memory of 1748 | 2348 | ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe | 84
PID 2348 wrote to memory of 1748 | 2348 | ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe | 84
PID 1748 wrote to memory of 1176 | 1748 | un539911.exe | 85
PID 1748 wrote to memory of 1176 | 1748 | un539911.exe | 85
PID 1748 wrote to memory of 1176 | 1748 | un539911.exe | 85
PID 1748 wrote to memory of 1144 | 1748 | un539911.exe | 95
PID 1748 wrote to memory of 1144 | 1748 | un539911.exe | 95
PID 1748 wrote to memory of 1144 | 1748 | un539911.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe"
  PID: 2348
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un539911.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un539911.exe
    PID: 1748
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1540.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1540.exe
      PID: 1176
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2680.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2680.exe
      PID: 1144
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 553KB
MD5: ab0a44c458a1f9165032f1196ad185ec
SHA1: 009cf992ef5c71c99e14a14ba78077676fa37148
SHA256: ad4d9346103a9ed380792c3463aeab8d9ed7c49c269e71a0769ce06247f5267a
SHA512: c6150531ca22a756fb85baa554743993e67b49cc03f0fe726325319e268e893b8d44819cf73193f745f82aed8529a6a4c066b222b0c02c742e7c3dda80738406

Filesize: 308KB
MD5: 602052a807f92a887a1d1dad31672d9f
SHA1: 0877ab1ac2365f8f8bf6ff3d68757299ee4252f3
SHA256: 8b005cc985745bc13a9d26198bfec30bd685948e2bf2dbba10cae4a428c9c07c
SHA512: f6feefd0fba495124bdc9ee4bea10fb6db2daa58711a1f0534ddf99a0fe7982c84fa8fac2bc904858e81f46b4f736bdaace93bf4c8d87443a1e5efe11c5ddf0f

Filesize: 366KB
MD5: 1c5e6d86c501548f9b73433c672e7861
SHA1: d1f3ba5194d3aa70239ed7b32ffa5b1680d8edfd
SHA256: a325b93ffad1072157194287e2d290314bf450f1b38e8323517307a27d047a62
SHA512: 3b5dd69ecfd5446585e1a11f0236e693bcd2ea366315e5150fa98dfdb18fa61aa88acf2adc4e32da9ba1484b633a04c74c5c638275c6d4bf7ee85660a3fa51b2