Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe
Resource
win10v2004-20241007-en
General
-
Target
d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe
-
Size
658KB
-
MD5
723b1d073f37c84d25a53acbfba77456
-
SHA1
f25757481bdd3f4cf05fd98755472a71c01dd159
-
SHA256
d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a
-
SHA512
a80d8aa1288f05777bf6a42f116c144e8e00477e8134099a42eaaf26ac42c42a6c03f86a3b88f3555777c67edd51bb43d72855403f9cae04b6ad1fbf55e6dcfe
-
SSDEEP
12288:oMr+y90KIoHMhUKF4A/mnGPGfC94ILJE/VMyPDvS9:2ypchUKRpPGrSaVBDvC
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2116-17-0x0000000004950000-0x000000000496A000-memory.dmp healer behavioral1/memory/2116-19-0x0000000004E10000-0x0000000004E28000-memory.dmp healer behavioral1/memory/2116-38-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-48-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-46-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-44-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-42-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-40-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-36-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-34-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-32-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-30-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-28-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-26-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-24-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-22-0x0000000004E10000-0x0000000004E22000-memory.dmp healer behavioral1/memory/2116-21-0x0000000004E10000-0x0000000004E22000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3570.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3570.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3570.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3570.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3570.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3570.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/388-59-0x0000000004A60000-0x0000000004AA6000-memory.dmp family_redline behavioral1/memory/388-60-0x0000000004C20000-0x0000000004C64000-memory.dmp family_redline behavioral1/memory/388-88-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-92-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-94-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-90-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-86-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-84-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-82-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-80-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-78-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-76-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-74-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-72-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-70-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-68-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-67-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-64-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-62-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline behavioral1/memory/388-61-0x0000000004C20000-0x0000000004C5F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4784 un757157.exe 2116 pro3570.exe 388 qu1830.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3570.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3570.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un757157.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 948 2116 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un757157.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro3570.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu1830.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2116 pro3570.exe 2116 pro3570.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2116 pro3570.exe Token: SeDebugPrivilege 388 qu1830.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4896 wrote to memory of 4784 4896 d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe 84 PID 4896 wrote to memory of 4784 4896 d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe 84 PID 4896 wrote to memory of 4784 4896 d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe 84 PID 4784 wrote to memory of 2116 4784 un757157.exe 85 PID 4784 wrote to memory of 2116 4784 un757157.exe 85 PID 4784 wrote to memory of 2116 4784 un757157.exe 85 PID 4784 wrote to memory of 388 4784 un757157.exe 101 PID 4784 wrote to memory of 388 4784 un757157.exe 101 PID 4784 wrote to memory of 388 4784 un757157.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe"C:\Users\Admin\AppData\Local\Temp\d63f1018b989859a5fd5a80d5e6ca1c664b7fb02cff3496265e8f28eda130a3a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un757157.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un757157.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3570.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3570.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 10844⤵
- Program crash
PID:948
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1830.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1830.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:388
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2116 -ip 21161⤵PID:4748
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
516KB
MD5015357f2998d2a60fa80a013be1bd967
SHA18d04096b743fe690a375e7eca38160d936af98d0
SHA256e98dc0addc6edf2335688545ffa47ba13db57649a8c2759ffcad396a14e56413
SHA512c8474ddf10f0276060c073f146ce7ff87c1bfb4e42541577e99643faa222536730a85a470d9038d64f1cdfccbbbe76175aea5ea7a992511bd82ec023f44ae0d0
-
Filesize
284KB
MD5b820fa2ea4b4fa393bced57bafcc56a1
SHA1f10eba0208fbe74bd94682bd5c8c0fa5b7985d10
SHA25657b2b9d3fe6d9bdb182a93846a76227ea46c01c60e71feb3d6870b68fb84e7c1
SHA5123b117d27ae8f721de515584272ca8b2b2ecd3c2e1b8e534a6bc4ec6ab91b0fcb466da97edb3abd25c7b0dddf66e7e43dbebb4f86260ae91457b6bc5f5d663f70
-
Filesize
342KB
MD515b1b01f1c6921d18c331c1c12dae882
SHA1bd415ab9c431e3fca27494fc0b4e10e625540748
SHA256af10381b205abe99377e02f986de11a4a59b362e551f6cfd5030866169d0059a
SHA51252177b8495e8a70242bae73339eee85f8ed6eb97e0557c5a044d5bb25f7bf02f5b37e0e6dba9f96c9037eed23faf367c80f1b2105016f1d9a2d4e2351262df97