Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2024 08:54
Static task: static1
Behavioral task: behavioral1
Sample: e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
Resource: win10v2004-20241007-en
General

Target: e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
Size: 659KB
MD5: a5fd21fe91145a3f4816287d05f5b02f
SHA1: b58a87d84246718cab4d83bb1bb0bc33308df86d
SHA256: e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846
SHA512: 87baae0748c6a83d34c296ddf9e7f4e93c9b2866e9d0ff1ab57febe8cf6d5a967e8be36380d1709ce0f936822a15be848d31e7ba8bd1724b270a4111d4dd8dad
SSDEEP: 12288:lMr9y90j0MeXALzf1r//sOuYmz7EqAOdE02XLnKjlQoqBig/BN/c:QynlALL1j/MtUmRQDZBu
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro8090.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro8090.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro8090.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro8090.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro8090.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro8090.exe)
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 1684: un723417.exe
- PID 1456: pro8090.exe
- PID 4472: qu6015.exe

Windows security modification (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro8090.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro8090.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un723417.exe)

Program crash (1 IoC)
- PID 3520 (WerFault.exe), target PID 1456, procid_target 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu6015.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un723417.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro8090.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1456: pro8090.exe
- PID 1456: pro8090.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1456 (pro8090.exe)
- Token: SeDebugPrivilege, PID 4472 (qu6015.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4232 wrote to memory of 1684 (e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe, procid_target 84)
- PID 4232 wrote to memory of 1684 (e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe, procid_target 84)
- PID 4232 wrote to memory of 1684 (e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe, procid_target 84)
- PID 1684 wrote to memory of 1456 (un723417.exe, procid_target 85)
- PID 1684 wrote to memory of 1456 (un723417.exe, procid_target 85)
- PID 1684 wrote to memory of 1456 (un723417.exe, procid_target 85)
- PID 1684 wrote to memory of 4472 (un723417.exe, procid_target 96)
- PID 1684 wrote to memory of 4472 (un723417.exe, procid_target 96)
- PID 1684 wrote to memory of 4472 (un723417.exe, procid_target 96)
Processes

- e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe (PID 4232)
  Path: C:\Users\Admin\AppData\Local\Temp\e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - un723417.exe (PID 1684)
    Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723417.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723417.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - pro8090.exe (PID 1456)
      Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8090.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8090.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - WerFault.exe (PID 3520)
        Path: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1004
        Signatures: Program crash
    - qu6015.exe (PID 4472)
      Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6015.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6015.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- WerFault.exe (PID 4260)
  Path: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1456 -ip 1456
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 517KB
  MD5: 0b24b5a014b629a7a81bced8d0b94283
  SHA1: d019c19c30e94dae72f40135d1b2eb840f784e0f
  SHA256: 67a986ca913124145d501de33b17073460f7fb2dc70c8e8c06111c6cacb6e119
  SHA512: d8f4ed967ba6ed80d4262cd260fd2b75162a70b4e5d0cbdddbf0611410532956c8c6384711b496da97f5214430ef94e0d3958276f01906c78cdfd59bac004d79

- Filesize: 295KB
  MD5: 40709af349aa027ed9969a33f0c3ba14
  SHA1: 2adffca8bae8d3e94fa4d52768bf59592c468a8e
  SHA256: 4e0eb2382ed61af2d00396fc5eac71e7c62c0963e667e555bcbdf93f9829ed03
  SHA512: b9a20b492cfd11a5b7caa9d658d748f67fbe1691ca70e9bfe02564859bb2590bd571293f0e611bf8d570bda2fdf4dc694b12da2f6797432888b2ddc42e343f58

- Filesize: 354KB
  MD5: d0e261d2412fb0f4c2fe70907075d010
  SHA1: 840e9b871c6b0b5cd054f1fbe28d58d40ca66d55
  SHA256: 19533431582a31e16ab1c3ff98960f66e5dd8ab9acee909a1e5fd1ffd69289fa
  SHA512: 2cac9d4f5d08ef343abd18b4f90e58a0ce433d54ada299ac0e80e1874ebb2f6ba3f56f4558c5acd4bc6d01d9d82fbd209cfb30e148979d02900b2511df4f82dc