Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 22:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe
- Resource: win10v2004-20241007-en
General
- Target: 55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe
- Size: 689KB
- MD5: 10cdfe061daaa43b3eef3266cfcd8c43
- SHA1: a8fdbee84c99ca77268df811c922d5b85a3f017a
- SHA256: 55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b
- SHA512: 5e3eee0c69680329039d32be4d6bfd96c6e7b0e517c2ca22133a7ebaf72187f50fd17a549eeca8687588f5c365979a50caa9063a174881dd03413cec78eb21c5
- SSDEEP: 12288:SMroy908m0k7O9gaDaTD5724DbyD65hLu0KIwTobmVezhPOSK5mJfvqF2XfigJf3:2y9kzT44iOfa0hBhPO35mJfW2XagJfrz
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Key created by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 376: un500711.exe
- PID 3528: pro8297.exe
- PID 4556: qu1762.exe

Windows security modification
- Key created by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) by pro8297.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by 55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) by un500711.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
- PID 3580 WerFault.exe, pid_target 3528, procid_target 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened by pro8297.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Key opened by qu1762.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Key opened by 55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Key opened by un500711.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3528: pro8297.exe
- PID 3528: pro8297.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3528: pro8297.exe
- Token: SeDebugPrivilege, PID 4556: qu1762.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3976 (55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe) wrote to memory of PID 376, procid_target 84
- PID 3976 (55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe) wrote to memory of PID 376, procid_target 84
- PID 3976 (55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe) wrote to memory of PID 376, procid_target 84
- PID 376 (un500711.exe) wrote to memory of PID 3528, procid_target 85
- PID 376 (un500711.exe) wrote to memory of PID 3528, procid_target 85
- PID 376 (un500711.exe) wrote to memory of PID 3528, procid_target 85
- PID 376 (un500711.exe) wrote to memory of PID 4556, procid_target 96
- PID 376 (un500711.exe) wrote to memory of PID 4556, procid_target 96
- PID 376 (un500711.exe) wrote to memory of PID 4556, procid_target 96
Processes
- C:\Users\Admin\AppData\Local\Temp\55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe (PID 3976)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55fb461dd10d7e906e7d3919963cda3d7f7509b32622028b868ba44e8e432c4b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500711.exe (PID 376)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500711.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8297.exe (PID 3528)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8297.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3580)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1016
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1762.exe (PID 4556)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1762.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 1568)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3528 -ip 3528
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads