Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 05-11-2024 23:51
Static task: static1
Behavioral task: behavioral1
Sample: 67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe
Resource: win10v2004-20241007-en
General
Target: 67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe
Size: 697KB
MD5: d78eeb24ff275c20f9785f2ff77b9e8f
SHA1: bf58174d73be31a9c02fe62c50c72422efbaaeb0
SHA256: 67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0
SHA512: 2eb5936fb189bda779d257248c16906d87ccafd9a9a5cf2017906cb5dfb221775b4842a104c1c6a9b3ec233b1f926b7c4ae5d83d8256aed0d4fcca0fe207c044
SSDEEP: 12288:5Mr/y90JF3MhMfPZZhrp/Yjx8l4lq74OOvLL6hpGj8AxI9grKq6YbK:+yGJPZHQxlqkOO3cGjVI9uWYbK
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/4572-17-0x0000000002F90000-0x0000000002FAA000-memory.dmp  healer
behavioral1/memory/4572-19-0x0000000004BE0000-0x0000000004BF8000-memory.dmp  healer
behavioral1/memory/4572-48-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-47-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-44-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-43-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-40-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-38-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-36-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-34-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-32-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-30-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-28-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-26-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-24-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-22-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer
behavioral1/memory/4572-21-0x0000000004BE0000-0x0000000004BF2000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro1304.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro1304.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro1304.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro1304.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro1304.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro1304.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/3564-60-0x0000000004910000-0x0000000004956000-memory.dmp  family_redline
behavioral1/memory/3564-61-0x0000000004C20000-0x0000000004C64000-memory.dmp  family_redline
behavioral1/memory/3564-79-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-77-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-95-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-93-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-91-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-89-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-87-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-85-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-83-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-81-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-75-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-73-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-71-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-69-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-67-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-65-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-63-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
behavioral1/memory/3564-62-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline

Redline family

Executes dropped EXE 3 IoCs
pid   Process
1068  un427702.exe
4572  pro1304.exe
3564  qu4057.exe

Windows security modification 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro1304.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro1304.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un427702.exe

Program crash 1 IoCs
pid   pid_target  Process       procid_target
1736  4572        WerFault.exe  85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un427702.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro1304.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu4057.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4572  pro1304.exe
4572  pro1304.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  4572  pro1304.exe
Token: SeDebugPrivilege  3564  qu4057.exe

Suspicious use of WriteProcessMemory 9 IoCs
description                        pid   Process                                                                   procid_target
PID 1084 wrote to memory of 1068  1084  67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe  84
PID 1084 wrote to memory of 1068  1084  67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe  84
PID 1084 wrote to memory of 1068  1084  67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe  84
PID 1068 wrote to memory of 4572  1068  un427702.exe                                                              85
PID 1068 wrote to memory of 4572  1068  un427702.exe                                                              85
PID 1068 wrote to memory of 4572  1068  un427702.exe                                                              85
PID 1068 wrote to memory of 3564  1068  un427702.exe                                                              97
PID 1068 wrote to memory of 3564  1068  un427702.exe                                                              97
PID 1068 wrote to memory of 3564  1068  un427702.exe                                                              97
Processes
C:\Users\Admin\AppData\Local\Temp\67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67baadad2fe20ed123f3433e3cf8894863f14c17d269bce21ba72ad48920aec0.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1084
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un427702.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un427702.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1068
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1304.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1304.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4572
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1088
        - Program crash
        PID: 1736
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4057.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4057.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3564
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4572 -ip 4572
  PID: 3156
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 555KB
MD5: 8baf8f846ad1f77ad00908cc77ec9d0b
SHA1: 78245c758dbb0f99f731ea9a38f90ef0c560dddd
SHA256: 12aafa22473be74f305e1929ec2107c0146177a435c4658eaf63b0170f4b326d
SHA512: 86fa3b50eed7f7d9681b2a39108653965df3b3a0a51bd55e7fb49b10f8d95521266ede553bff52f2912f99f776c83bc9e88acfce24b2af289805643c48d02029

Filesize: 347KB
MD5: cbb81972f92e8da31809cebed3d8b8db
SHA1: 5c171d3b856eaa4d8b6ceac669361f0842d93b72
SHA256: 83f3cc90de0b2fb59cf76e04dec0469aa6b059f985800c201067292bd444c278
SHA512: 09a9ea8107f974f90d5c15c1ef105cdf57b4df200bf20ee481c1acead787d4fb0d7005dcb36696f863a088477612fa0085bf014571d3d4bc7efd7e1e8affaecd

Filesize: 406KB
MD5: a2bc2c9f0560c902b88d6ea56f5794b0
SHA1: 208075f378c327f7cfd1b4c20614442a31b8ceb9
SHA256: c03ca50e1e39edc8cd5d4b5e874fee8dc4c05572007b28ee384e1c0b5e7178a0
SHA512: 61f7d196d7a23075f09cc907041320a183d4ba2b91a2897d59fb916e2f7166f71d61c4eed7729dc0a38c420b3392c15b2792721b22ef31f951f3c14e6d05d414