Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 23:38
Static task
static1
Behavioral task
behavioral1
Sample
8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe
Resource
win10v2004-20241007-en
General
-
Target
8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe
-
Size
662KB
-
MD5
5129ae6df70d0b5b965825db6d5eaf23
-
SHA1
fcf856942ee1cf9c0419446b46791df09621756f
-
SHA256
8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65
-
SHA512
d59b628a7b5c40c54a436e411d152396c9be077250447bace870c30a456af8540924193efb9c855f4c6349b4a42ef18a803e4f683b32b167930a25b31654a012
-
SSDEEP
12288:WMrKy90ZvWwDIEE4qpgtrP0vk/udB1u/f1B2q7hex3M7HuDtP+HLr:wy+WsYiBczx69B2q7wx87HuDQP
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1368-19-0x00000000025B0000-0x00000000025CA000-memory.dmp healer behavioral1/memory/1368-21-0x0000000002730000-0x0000000002748000-memory.dmp healer behavioral1/memory/1368-22-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-31-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-49-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-47-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-45-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-43-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-41-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-39-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-37-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-35-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-33-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-29-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-28-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-25-0x0000000002730000-0x0000000002742000-memory.dmp healer behavioral1/memory/1368-23-0x0000000002730000-0x0000000002742000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro7465.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro7465.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro7465.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro7465.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro7465.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro7465.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/396-61-0x0000000002650000-0x0000000002696000-memory.dmp family_redline behavioral1/memory/396-62-0x00000000026D0000-0x0000000002714000-memory.dmp family_redline behavioral1/memory/396-68-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-70-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-94-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-72-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-66-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-64-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-63-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-96-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-92-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-90-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-89-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-86-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-84-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-82-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-80-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-78-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-76-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline behavioral1/memory/396-74-0x00000000026D0000-0x000000000270F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3232 un519918.exe 1368 pro7465.exe 396 qu8828.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro7465.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro7465.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un519918.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5304 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un519918.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro7465.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu8828.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1368 pro7465.exe 1368 pro7465.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1368 pro7465.exe Token: SeDebugPrivilege 396 qu8828.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4212 wrote to memory of 3232 4212 8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe 84 PID 4212 wrote to memory of 3232 4212 8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe 84 PID 4212 wrote to memory of 3232 4212 8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe 84 PID 3232 wrote to memory of 1368 3232 un519918.exe 85 PID 3232 wrote to memory of 1368 3232 un519918.exe 85 PID 3232 wrote to memory of 1368 3232 un519918.exe 85 PID 3232 wrote to memory of 396 3232 un519918.exe 93 PID 3232 wrote to memory of 396 3232 un519918.exe 93 PID 3232 wrote to memory of 396 3232 un519918.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe"C:\Users\Admin\AppData\Local\Temp\8cda87c3e19c8469bdd1f3ab61eda7346cd1b8fb7b3800452b35df90050fbd65.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519918.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un519918.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7465.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7465.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8828.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8828.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:5304
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
520KB
MD50a84579d716cdc0195b0bb0e052a887d
SHA161a01f72db62db630d58e0a693abd0ce9553144b
SHA25629ce5988f99428cf882b28c7c397547a62378ecac4ba01e538b4a0460ad78ce5
SHA5127105f8e5ed53414d7b31493145298ec0498e01c7b4575d5dd8f0b286e56f36cc16bf9dc9a5f6f9b8790281c80d42d2ecf914cf4e5f8695e04da651888f481575
-
Filesize
236KB
MD59a2517453244bcacac6baf0a88d70ff8
SHA1cc12c00933dbb53b6b9269734481edb3e4c3a80e
SHA256103eb5b2c40a67cfc173471e043e2dbff4e043de0ed0109657bb369d019e35dc
SHA512ef699015f509b51127264adff1e3051df70c9d4bf5171c6a455c2acfa737f66c97888a5dff25f3dca4c3a6f725b9b16f845e542184485b714b9cb9b0106f82f5
-
Filesize
295KB
MD5a5b6d35269c35d9180908afa00662d43
SHA1b904b29480ab7a4240b924ac6a8a3b41553714fe
SHA25624e8f64b9092dd18c075ba42224b61729d57c38fc32a7a5ec487018bcc8d43ea
SHA5124d34bb49ecdcdcbebb255843391a78a513a512603641a828468d61e965828022d748452977ef75900d416433a939182079660a5e22de22df451210eb95c725c3