Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 22:54
Static task: static1
Behavioral task: behavioral1
Sample: 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe
Resource: win10v2004-20241007-en
General
Target: 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe
Size: 689KB
MD5: 5552a8a5f529879c4e48ffa0d193254b
SHA1: 33d2cdf22ae7c878849ba793fa6c0085cc79f966
SHA256: 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879
SHA512: 0c5f6d7c585e925c4e1a530faaa98be21b280f793ce79908fcc66f818b5959bdb6dac5f9e0ec6503eb4c04343ef6ceebac495360acb7fecb556fbb7c60082e7a
SSDEEP: 12288:6MrEy90HVyQRpkU2LK1qlVoVfOhl73q3bghVbcZeTq9Y/Fog1:6ywXRG/wqlVoVfOhZq38hVbkPYqO
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3680-19-0x00000000026C0000-0x00000000026DA000-memory.dmp | healer
behavioral1/memory/3680-21-0x0000000002970000-0x0000000002988000-memory.dmp | healer
behavioral1/memory/3680-25-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-49-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-47-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-45-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-43-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-41-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-39-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-37-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-35-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-33-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-31-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-29-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-27-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-23-0x0000000002970000-0x0000000002982000-memory.dmp | healer
behavioral1/memory/3680-22-0x0000000002970000-0x0000000002982000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5628.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5628.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5628.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5628.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5628.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro5628.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/2528-60-0x00000000028F0000-0x0000000002936000-memory.dmp | family_redline
behavioral1/memory/2528-61-0x0000000005410000-0x0000000005454000-memory.dmp | family_redline
behavioral1/memory/2528-79-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-85-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-93-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-91-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-89-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-87-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-83-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-81-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-77-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-75-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-73-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-71-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-95-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-70-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-67-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-65-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-63-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline
behavioral1/memory/2528-62-0x0000000005410000-0x000000000544F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
244 | un226411.exe
3680 | pro5628.exe
2528 | qu2763.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5628.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5628.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un226411.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4400 | 3680 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro5628.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu2763.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un226411.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3680 | pro5628.exe
3680 | pro5628.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3680 | pro5628.exe
Token: SeDebugPrivilege | 2528 | qu2763.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1084 wrote to memory of 244 | 1084 | 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe | 84
PID 1084 wrote to memory of 244 | 1084 | 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe | 84
PID 1084 wrote to memory of 244 | 1084 | 034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe | 84
PID 244 wrote to memory of 3680 | 244 | un226411.exe | 85
PID 244 wrote to memory of 3680 | 244 | un226411.exe | 85
PID 244 wrote to memory of 3680 | 244 | un226411.exe | 85
PID 244 wrote to memory of 2528 | 244 | un226411.exe | 99
PID 244 wrote to memory of 2528 | 244 | un226411.exe | 99
PID 244 wrote to memory of 2528 | 244 | un226411.exe | 99
Processes

C:\Users\Admin\AppData\Local\Temp\034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\034aa6971a6ab8b55bb19f18a9aa8071f68c9a938d4d2c3c67cf1ea59a6d1879.exe"
  PID: 1084
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226411.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un226411.exe
    PID: 244
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5628.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5628.exe
      PID: 3680
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1064
        PID: 4400
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2763.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2763.exe
      PID: 2528
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3680 -ip 3680
  PID: 1684
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 535KB
MD5: 8f7c15648bc6500e16875bc792910ce3
SHA1: 9ba7ed41494d498ecbeb3c7b67ebf2de56244728
SHA256: 5e30cb6ccf0e9d7e28c8e53a8b60e817cfecdb7270acf3bc80d7f303138eaef1
SHA512: aa460f4576b48ebf035f66e64c56a671093a843ff9d0653c3ff0250080c3490d27691f1f2f6fd3c733f6cc3788ba113da26e48cb829f1f609647c9285ce8e1ef

Filesize: 311KB
MD5: 3e3f26704f131b4c1c85df7f88ca498a
SHA1: c48b1367356569320d08c6289fd725437b43198f
SHA256: 87ddb0f7fdc0eb9050ee387e3c2b7b06730262abf76116dc7ecd751f7b49c6d1
SHA512: 974751d43aeccc68528fa3c86917b6fd5675e099a389dd312fb0d99b6febecb178384cee1648aedda139528971b690cc0841e1f2844b388390e66f2babc543c2

Filesize: 370KB
MD5: a1fb7d2f5f15b0eaef2211853a0a54f8
SHA1: 9d6d615d4cff5dec5e8675d02917eb28cf8483a9
SHA256: f6656145830cf42bfe8a3181b958567b1db150b4ac79f30406de645a9b2ae1d8
SHA512: bb704c48bd96df7cfa256090ab81e4185cec7d8880108ed79bea5e4829da6908d10c4565479bcb2e190c09f627efd58ce9f1bbfbde805880201ca463ef9f2374