Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 08:54
Static task
static1
Behavioral task
behavioral1
Sample
9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe
Resource
win10v2004-20241007-en
General
-
Target
9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe
-
Size
683KB
-
MD5
179496f6bf718c1fd78dca23686929d5
-
SHA1
3c22ba99b6230f290f454fc53e11460be88d2b98
-
SHA256
9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a
-
SHA512
0ddf8883140bc0c40af0e5c8823662b6a6f641db3607ea09bcdefce3da09a02adcce5b7f1db0e13219f759bebf33252ae623f30d81993d5e913830321880b398
-
SSDEEP
12288:zMrty90fpXGvpMAhS6UfGDju1rfK2EY0gNaKLxRRg3PrR4bW6OTnOyXs:qyGepMAhnUfYjUDuKLxRATCCNs
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4080-18-0x0000000004830000-0x000000000484A000-memory.dmp healer behavioral1/memory/4080-20-0x00000000076D0000-0x00000000076E8000-memory.dmp healer behavioral1/memory/4080-21-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-48-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-46-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-44-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-42-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-40-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-38-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-36-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-34-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-33-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-30-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-28-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-26-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-24-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/4080-22-0x00000000076D0000-0x00000000076E2000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro7667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro7667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro7667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro7667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro7667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro7667.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/1608-60-0x0000000004960000-0x00000000049A6000-memory.dmp family_redline behavioral1/memory/1608-61-0x0000000004D20000-0x0000000004D64000-memory.dmp family_redline behavioral1/memory/1608-92-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-95-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-93-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-89-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-87-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-85-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-83-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-81-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-79-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-77-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-75-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-73-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-71-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-67-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-65-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-69-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-63-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/1608-62-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3508 un671056.exe 4080 pro7667.exe 1608 qu3599.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro7667.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro7667.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un671056.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1844 4080 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un671056.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro7667.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu3599.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4080 pro7667.exe 4080 pro7667.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4080 pro7667.exe Token: SeDebugPrivilege 1608 qu3599.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 5020 wrote to memory of 3508 5020 9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe 84 PID 5020 wrote to memory of 3508 5020 9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe 84 PID 5020 wrote to memory of 3508 5020 9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe 84 PID 3508 wrote to memory of 4080 3508 un671056.exe 85 PID 3508 wrote to memory of 4080 3508 un671056.exe 85 PID 3508 wrote to memory of 4080 3508 un671056.exe 85 PID 3508 wrote to memory of 1608 3508 un671056.exe 100 PID 3508 wrote to memory of 1608 3508 un671056.exe 100 PID 3508 wrote to memory of 1608 3508 un671056.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe"C:\Users\Admin\AppData\Local\Temp\9d141e3a2812861f6d0f3ab8746af1078464ecf0b0859b406f6c3a74ce93051a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un671056.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un671056.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7667.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7667.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 10804⤵
- Program crash
PID:1844
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3599.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3599.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4080 -ip 40801⤵PID:1148
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
541KB
MD5011aa4e83ebaaaf0466ee6853ba947b2
SHA1cd42f1f74b6e108465c7dae35b1f3974b0e935de
SHA256a649b878fe510aa9359129b218e41ab6c80b174f92f7a6616638a37980686f9f
SHA512614f5ee2bdb053b7dd3be4be0db29b97555c0815450bdf8ffaf4455a42954c2e6133428428aa1e4b4b6352d05036b7901a6bcb332aeadd4cb66413b5364d28e2
-
Filesize
322KB
MD568ae9285487a0d47fa0f5f55ccabe50a
SHA1a3e5f837c518b3a865b5680411babc435dd0b12a
SHA256dc36e162e0b2c9f1633c0b5b9ed456159ce35949700df419e72e05d346d56221
SHA512a5b2c2eb02427ec9e7b20763cba7403a98794b4acce49278a716a90e928ff4c7726aaf0eed373f3108948a5a5202fb6e1c66a6917d5b89fecf110a651a790235
-
Filesize
379KB
MD5e7f4711115b12911621bae1dd8f196ad
SHA162f5682fe9b015a0c3daf33bf4cc3e2f75b7373f
SHA2567ffe42c50ed6fce1454cda1bbaca8de887287bdaa4932713b76a9e05ec607d6a
SHA5126c25dae3081067357cddd4f7f2643060515655deed11213f419a1fb6b08005e59c4d1360b018a0befde74a3ba88e450dc5b1b5e3a251d234e3697b31f744d420