Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 23:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe
- Resource: win10v2004-20241007-en
General
- Target: 05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe
- Size: 673KB
- MD5: 7bfb3b64685f99c63eb3635723496568
- SHA1: cee4f47cbe2ceb6e488cfbc41ef9c355d6d0bff5
- SHA256: 05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552
- SHA512: cdf24952e57d4423d5105c7aaf31e281ba7faec9c45f81241a6fd30502b48af0db45a1545188f62e5e604a47550e946283d8379bfa00e8d15fc3b1211e94f686
- SSDEEP: 12288:hMrAy90IYitemON2LhfZz4a8FrXhMm7BObWrHmrN8E/:lyJqmOULR5x8qmcbCyNd/
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- Attributes: auth_value = 050a19e1db4d0024b0f23b37dcf961f4
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
- Healer family
- Modifies Windows Defender Real-time Protection settings
  Process pro7663.exe:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (20 IoCs)
- Redline family
- Executes dropped EXE (3 IoCs)
  - PID 4500: un676855.exe
  - PID 4416: pro7663.exe
  - PID 4948: qu9285.exe
- Windows security modification
  Process pro7663.exe:
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) by 05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  - Set value (str) by un676855.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- Program crash (1 IoC)
  - PID 3076 (WerFault.exe), target PID 4416, procid_target 87
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by un676855.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by pro7663.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by qu9285.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4416: pro7663.exe
  - PID 4416: pro7663.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4416, pro7663.exe
  - Token: SeDebugPrivilege, PID 4948, qu9285.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2056 wrote to memory of 4500 (05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe, procid_target 86)
  - PID 2056 wrote to memory of 4500 (05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe, procid_target 86)
  - PID 2056 wrote to memory of 4500 (05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe, procid_target 86)
  - PID 4500 wrote to memory of 4416 (un676855.exe, procid_target 87)
  - PID 4500 wrote to memory of 4416 (un676855.exe, procid_target 87)
  - PID 4500 wrote to memory of 4416 (un676855.exe, procid_target 87)
  - PID 4500 wrote to memory of 4948 (un676855.exe, procid_target 98)
  - PID 4500 wrote to memory of 4948 (un676855.exe, procid_target 98)
  - PID 4500 wrote to memory of 4948 (un676855.exe, procid_target 98)
Processes
- C:\Users\Admin\AppData\Local\Temp\05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe (PID 2056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676855.exe (PID 4500)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676855.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7663.exe (PID 4416)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7663.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3076)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1084
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9285.exe (PID 4948)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9285.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 1160)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4416 -ip 4416
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Dropped file 1: 531KB
- Dropped file 2: 260KB
- Dropped file 3: 318KB