Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 23:31

Static task: static1
Behavioral task: behavioral1
Sample: 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe
Resource: win10v2004-20241007-en
General

Target: 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe
Size: 666KB
MD5: ec74db71357d521f49434b0ba2ff0ce9
SHA1: 4f27b93f9c3db1b712301e5cd455c4a624440ed5
SHA256: 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353
SHA512: 95dc20b3bfd0d7d1d2306ea1239e657916acc7e89af8b5475d4328d48bdcb7ea41ce97739e389d9dc9f8b13e32091b384353def41c0467dbb1977e85ee6fbd69
SSDEEP: 12288:kMr6y90WbARRtThnOHi6DdyzNPMw4LA5OwYMHG1mavPJJSMMfG:GyVA7tNlogzNPP4kDDGcaHSMMfG
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/3732-19-0x00000000029D0000-0x00000000029EA000-memory.dmp | healer
behavioral1/memory/3732-21-0x0000000005490000-0x00000000054A8000-memory.dmp | healer
behavioral1/memory/3732-23-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-49-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-47-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-45-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-43-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-41-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-39-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-37-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-35-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-33-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-32-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-29-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-27-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-25-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
behavioral1/memory/3732-22-0x0000000005490000-0x00000000054A2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7035.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7035.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7035.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7035.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7035.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7035.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)

resource | yara_rule
behavioral1/memory/2736-61-0x0000000002830000-0x0000000002876000-memory.dmp | family_redline
behavioral1/memory/2736-62-0x0000000005400000-0x0000000005444000-memory.dmp | family_redline
behavioral1/memory/2736-78-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-80-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-96-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-94-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-92-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-90-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-88-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-86-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-84-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-82-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-76-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-74-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-72-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-70-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-68-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-66-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-64-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/2736-63-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)

pid | Process
4820 | un257163.exe
3732 | pro7035.exe
2736 | qu6388.exe
Windows security modification (2 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7035.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7035.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un257163.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
4672 | 3732 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro7035.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu6388.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un257163.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
3732 | pro7035.exe
3732 | pro7035.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 3732 | pro7035.exe
Token: SeDebugPrivilege | 2736 | qu6388.exe
Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 4056 wrote to memory of 4820 | 4056 | 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe | 84
PID 4056 wrote to memory of 4820 | 4056 | 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe | 84
PID 4056 wrote to memory of 4820 | 4056 | 148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe | 84
PID 4820 wrote to memory of 3732 | 4820 | un257163.exe | 86
PID 4820 wrote to memory of 3732 | 4820 | un257163.exe | 86
PID 4820 wrote to memory of 3732 | 4820 | un257163.exe | 86
PID 4820 wrote to memory of 2736 | 4820 | un257163.exe | 97
PID 4820 wrote to memory of 2736 | 4820 | un257163.exe | 97
PID 4820 wrote to memory of 2736 | 4820 | un257163.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\148735c3c24a208736cf42516ab735f1a92452c30108ef3bc08812f256c60353.exe"
  PID: 4056
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un257163.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un257163.exe
      PID: 4820
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7035.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7035.exe
          PID: 3732
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 960
              PID: 4672
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6388.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6388.exe
          PID: 2736
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3732 -ip 3732
  PID: 2060
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads