Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2024 09:08
Static task: static1
Behavioral task: behavioral1
Sample: b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe
Resource: win10v2004-20241007-en
General
- Target: b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe
- Size: 696KB
- MD5: ba81849edd00e6413c9ce430571000ac
- SHA1: 7a1d5dd4938dd6c38553d3cdf25a5f4b6ae7ba68
- SHA256: b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1
- SHA512: 511b9b17b6658ba47bee7ba1cbb73368e3d1debcdef4a553db9d3239a96165d2178c98b148d22b82580b7115859a820a311517192f70513e0ad54cc48443880d
- SSDEEP: 12288:TMrYy90eYTVK+bCdyridaSIkdSYxHbZvO+Y7NlH3OM3fycYjXap5pk5obvYi8N6l:Dy4VKUCgEFIkdSS7Q+Y7SMvDV7YpN6l
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
- Detects Healer, an antivirus disabler dropper 17 IoCs
- Healer family
- Modifies Windows Defender Real-time Protection settings (Process: pro8141.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 20 IoCs
- Redline family
- Executes dropped EXE 3 IoCs (pid / Process)
  - 3780 un954416.exe
  - 1576 pro8141.exe
  - 4536 qu4957.exe
- Windows security modification (Process: pro8141.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Adds Run key to start application 2 TTPs 2 IoCs
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: un954416.exe)
- Program crash 1 IoCs
  - pid 1312, pid_target 1576, Process WerFault.exe, procid_target 85
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: un954416.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: pro8141.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: qu4957.exe)
- Suspicious behavior: EnumeratesProcesses 2 IoCs (pid / Process)
  - 1576 pro8141.exe
  - 1576 pro8141.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  - Token: SeDebugPrivilege, pid 1576, Process pro8141.exe
  - Token: SeDebugPrivilege, pid 4536, Process qu4957.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  - PID 516 wrote to memory of 3780 (pid 516, Process b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe, procid_target 84)
  - PID 516 wrote to memory of 3780 (pid 516, Process b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe, procid_target 84)
  - PID 516 wrote to memory of 3780 (pid 516, Process b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe, procid_target 84)
  - PID 3780 wrote to memory of 1576 (pid 3780, Process un954416.exe, procid_target 85)
  - PID 3780 wrote to memory of 1576 (pid 3780, Process un954416.exe, procid_target 85)
  - PID 3780 wrote to memory of 1576 (pid 3780, Process un954416.exe, procid_target 85)
  - PID 3780 wrote to memory of 4536 (pid 3780, Process un954416.exe, procid_target 98)
  - PID 3780 wrote to memory of 4536 (pid 3780, Process un954416.exe, procid_target 98)
  - PID 3780 wrote to memory of 4536 (pid 3780, Process un954416.exe, procid_target 98)
Processes
- C:\Users\Admin\AppData\Local\Temp\b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3049d1cf44c86b9bb0b962679e372cc31982879695529f49716109a95c715a1.exe"
  PID: 516
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954416.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un954416.exe
    PID: 3780
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8141.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8141.exe
      PID: 1576
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1080
        PID: 1312
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4957.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4957.exe
      PID: 4536
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1576 -ip 1576
  PID: 776
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution
    - 1 Registry Run Keys / Startup Folder
  - 1 Create or Modify System Process
    - 1 Windows Service
Downloads
- Filesize: 554KB
  MD5: cf108772910c10f1c10f7d1460109efe
  SHA1: fc2282ca67ae3dbfca42c75de5ea4daf024ecd5c
  SHA256: 6b1b11e66bff42e0d5fb521b08bca576e02bbda64829d41b522b6028bb80df15
  SHA512: e0dec8ecd2a21f8ff8595516b22b9428dfbf96dbdbc5860ddd68e5e60d9460f79864a10102d1f33a749d6ed2d202720a26d43dde26468beb3a78486e0b3826e1
- Filesize: 348KB
  MD5: 2a63ca0e6bab405caa1732b17eafb6df
  SHA1: bc90be0cdd82ad91b7565df65168f1526289f5df
  SHA256: 5628cd6b716cb905ee2699020d7f752f1caccba1de8a138d6273dc33fe8d4323
  SHA512: 52faf6a838b24e7073b09a4c84c9d5f68fa4411b4b71569ade6457a073ccc15f8aad7f3365f62c0c177f2554554f65fcf32bf1c2da7d2cd53b45b5aa2a337dd1
- Filesize: 406KB
  MD5: 0ca89d4117bca8ab566f1c40da9d26d8
  SHA1: d6b16a605f7064d421295d2d959673e11edac607
  SHA256: eb5f59780d02d9cf66162b9213d379bf70aa22d7ed1c908295b42d10fab6f99f
  SHA512: a8db87bc9ba08380de413806c3d8372fdfdc1ed0fdac28c5c7e9f5ac59f64361059bffc9aa6f16247346db0246b0e628978ce7a18273c87b14d3c04dbb3f7710