Analysis

- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 23:53

Static task: static1
Behavioral task: behavioral1
Sample: 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe
Resource: win10v2004-20241007-en
General

- Target: 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe
- Size: 667KB
- MD5: 942d80f526ceccd661b6905f3efa77a2
- SHA1: 710354db5bd884733d6d7c5654c869afe3b41837
- SHA256: 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914
- SHA512: f88e78dc66b784a9b580b3dc78c2865f1acad0e8b0d169f1a7b617ccd325f605339f4717d1e7b2da45c415ef6b16ff491f07cd50d7af86db28ad82cd0a3ac3c6
- SSDEEP: 12288:oMrUy901ZQ9uTPpOT3c4cZu5o+Y0KQOAmdc2VgR4lpcswFrU+0t/wMQxjaxEUGc0:My+y9uFEsR+cQO/c2VgR4lpXyrARwl9n
Malware Config

Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)

resource / yara_rule:
- behavioral1/memory/4488-19-0x0000000002520000-0x000000000253A000-memory.dmp / healer
- behavioral1/memory/4488-21-0x0000000005380000-0x0000000005398000-memory.dmp / healer
- behavioral1/memory/4488-49-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-48-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-45-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-44-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-41-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-39-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-38-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-35-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-33-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-31-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-29-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-27-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-25-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-23-0x0000000005380000-0x0000000005392000-memory.dmp / healer
- behavioral1/memory/4488-22-0x0000000005380000-0x0000000005392000-memory.dmp / healer

Healer family

Modifies Windows Defender Real-time Protection settings

description / ioc / Process:
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" / pro2221.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection / pro2221.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" / pro2221.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" / pro2221.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" / pro2221.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" / pro2221.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)

resource / yara_rule:
- behavioral1/memory/1608-60-0x0000000002740000-0x0000000002786000-memory.dmp / family_redline
- behavioral1/memory/1608-61-0x00000000028F0000-0x0000000002934000-memory.dmp / family_redline
- behavioral1/memory/1608-83-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-89-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-95-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-93-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-91-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-87-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-85-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-81-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-79-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-77-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-75-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-73-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-69-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-71-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-67-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-65-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-63-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
- behavioral1/memory/1608-62-0x00000000028F0000-0x000000000292F000-memory.dmp / family_redline
Redline family

Executes dropped EXE (3 IoCs)

pid / Process:
- 5084 / un258264.exe
- 4488 / pro2221.exe
- 1608 / qu4681.exe

Windows security modification

description / ioc / Process:
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features / pro2221.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" / pro2221.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description / ioc / Process:
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / un258264.exe

Program crash (1 IoCs)

pid / pid_target / Process / procid_target:
- 516 / 4488 / WerFault.exe / 87
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description / ioc / Process:
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / un258264.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / pro2221.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / qu4681.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid / Process:
- 4488 / pro2221.exe
- 4488 / pro2221.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description / pid / Process:
- Token: SeDebugPrivilege / 4488 / pro2221.exe
- Token: SeDebugPrivilege / 1608 / qu4681.exe

Suspicious use of WriteProcessMemory (9 IoCs)

description / pid / Process / procid_target:
- PID 348 wrote to memory of 5084 / 348 / 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe / 86
- PID 348 wrote to memory of 5084 / 348 / 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe / 86
- PID 348 wrote to memory of 5084 / 348 / 9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe / 86
- PID 5084 wrote to memory of 4488 / 5084 / un258264.exe / 87
- PID 5084 wrote to memory of 4488 / 5084 / un258264.exe / 87
- PID 5084 wrote to memory of 4488 / 5084 / un258264.exe / 87
- PID 5084 wrote to memory of 1608 / 5084 / un258264.exe / 99
- PID 5084 wrote to memory of 1608 / 5084 / un258264.exe / 99
- PID 5084 wrote to memory of 1608 / 5084 / un258264.exe / 99
Processes

C:\Users\Admin\AppData\Local\Temp\9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e7489b9666a9de11232aab4c95f98f44eb6d2237a31d6d6bd219bcc8263c914.exe"
  PID: 348
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un258264.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un258264.exe
    PID: 5084
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2221.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2221.exe
      PID: 4488
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1084
        PID: 516
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4681.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4681.exe
      PID: 1608
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4488 -ip 4488
  PID: 1144
Network

MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads

- Filesize: 524KB
  MD5: 84b6d433db00fa7eaf188d6777fba26f
  SHA1: 265275303583bf1702d3e8d3c6d3c0da36ed6577
  SHA256: 0389efe1cbb611d76aa0ba1bdbbc5d0b0141a35f047a2fa5273d511277587b0b
  SHA512: aa1a608b5bb88e0d31fdd89cf7ca5ff972c21588263521e6bde4bb837e51107680d4ee8e4d836a3079a56bee2a1140f920ac16df8379d6d31e3d30beb4182280

- Filesize: 294KB
  MD5: a56f3892333e8fe1930b038327cf8c17
  SHA1: c5a751300deca05b73c931cd4b2a91b0fc333ad5
  SHA256: bc68c46db2148fd8abb9f36610f5ca93b7942538341d04d114bff1692d424cba
  SHA512: 1c6a14f18d5ae3ae92371d66d2365aaca891869b451c0db1b0df860fb9b128249719c554d16ce89f84afed1dae37e9680aad53d4888256720749823aa98234d4

- Filesize: 352KB
  MD5: a2d3224af848379cf83d533737e7690a
  SHA1: 933bf5b0ab54adc773e18fae783a3edf6e486a67
  SHA256: da13c2aaa2d2fde7dad520f44b4fda8f57b3db14b37e859b4fc7efdf8c987409
  SHA512: fafc81bfa8f773884917d5f913c1ed2714508cd35f3d989edb887f11739ea9db26f83c4ab64c160097a3e2483d240bf336585a17adc1bf31fdf67310a76ff781