Analysis
max time kernel: 144s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe
Resource: win10v2004-20241007-en
General
Target: 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe
Size: 659KB
MD5: 1a481ef2fd43a06ba9b66fedc7caa015
SHA1: 23107057f21dfb2e1f808797f18b137aa21b3607
SHA256: 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69
SHA512: f1800f1e5336ad18aa3de75ae8c018b0d7471f581811a27663c198e608d7414dde5da619253f3f261ccf092d1ffb33d3e84a3b4fc5317837e51cab65bf75b0f2
SSDEEP: 12288:rMroy90z0+YKrIKz0gPVnazmIt597rw7VjCleUft/juynzbuCm:zyJUUKgyKmIt5FYVelFBfHC
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/548-19-0x00000000007E0000-0x00000000007FA000-memory.dmp | healer
behavioral1/memory/548-21-0x00000000023E0000-0x00000000023F8000-memory.dmp | healer
behavioral1/memory/548-22-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-29-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-49-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-47-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-46-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-43-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-41-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-39-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-38-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-35-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-34-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-31-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-27-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-25-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
behavioral1/memory/548-23-0x00000000023E0000-0x00000000023F2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0960.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0960.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0960.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0960.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0960.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0960.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/1576-60-0x0000000002500000-0x0000000002546000-memory.dmp | family_redline
behavioral1/memory/1576-61-0x00000000025A0000-0x00000000025E4000-memory.dmp | family_redline
behavioral1/memory/1576-65-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-71-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-69-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-67-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-75-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-63-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-62-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-95-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-93-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-92-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-89-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-87-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-85-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-83-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-81-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-79-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-77-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
behavioral1/memory/1576-73-0x00000000025A0000-0x00000000025DF000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2180 | un806287.exe
548 | pro0960.exe
1576 | qu1380.exe
Windows security modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0960.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0960.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un806287.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2836 | 548 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un806287.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro0960.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu1380.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
548 | pro0960.exe
548 | pro0960.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 548 | pro0960.exe
Token: SeDebugPrivilege | 1576 | qu1380.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3628 wrote to memory of 2180 | 3628 | 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe | 84
PID 3628 wrote to memory of 2180 | 3628 | 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe | 84
PID 3628 wrote to memory of 2180 | 3628 | 6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe | 84
PID 2180 wrote to memory of 548 | 2180 | un806287.exe | 85
PID 2180 wrote to memory of 548 | 2180 | un806287.exe | 85
PID 2180 wrote to memory of 548 | 2180 | un806287.exe | 85
PID 2180 wrote to memory of 1576 | 2180 | un806287.exe | 98
PID 2180 wrote to memory of 1576 | 2180 | un806287.exe | 98
PID 2180 wrote to memory of 1576 | 2180 | un806287.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe (PID 3628)
  command line: "C:\Users\Admin\AppData\Local\Temp\6ac8403b2a50486af460bf68075d707f2a0c5be6e4e181d4af7b17411cf1cb69.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806287.exe (PID 2180)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806287.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0960.exe (PID 548)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0960.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 2836)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1020
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1380.exe (PID 1576)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1380.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 4572)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 548 -ip 548
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 517KB
MD5: 4421c0ddacf18c8c9502b305bc43cfac
SHA1: 4d8e171089cc3a581049f4f795814b5704f002a5
SHA256: 5988e996757a2a38414d43cd3195656aa7d6a3a703fbc57febabd0c2866acc01
SHA512: b9d87890df7e3f81be5a7d36245307171dcc4ca1a0bfe05d8d4fd9b074aa7a25524c2f75b57932530b616001f6224943361628c1e61680308d16330dc2e4b4dc

Filesize: 237KB
MD5: 4c6259e56777c352c62fe5d314a5dafe
SHA1: 37e1c20a08ca10d84e51d25886a035ef28a8d6d9
SHA256: 0a46b7a0041298832a685e6b0d7d95ef23ca23f8627c6b0da00a09120f735e68
SHA512: 28a785a5cf11dcc0ada7e8df3fc12c71cc7f03fcb4b4f6c9b2f0c6bd9ab3d09dea859bc6e12e0af8615bd944d5e17d48e68db9aedc2c277e4311f8e94548f09b

Filesize: 295KB
MD5: c6e4ecf146e38c932c80eed7ad962626
SHA1: d210a35aaaf712283f98b5b1931da5be5ed6668f
SHA256: 1aa172aae359af42c1417591f1cfc95f53ae342186038d9d04ad46a32f77b292
SHA512: 3588d2388d683e5f13ca79b7994e72494f84aab94ead21f1378efe4db471018f8c46d61ebd69fbb9ced542487df70ba68abe8fb01073e765e23234ff69e5214a