Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2024 10:35
Static task: static1
Behavioral task: behavioral1
Sample: dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe
Resource: win10v2004-20241007-en
General
Target: dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe
Size: 689KB
MD5: 37c146a1dac773ac2e17dd982ab5b66f
SHA1: fbee4337e2446c21f7d320e8c02964ab9316c335
SHA256: dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094
SHA512: 6140831c77fe0c88ed48d16a7a98537492fc7c87bde8a4004a8ff454ceaa00c973816e43040d047363224fafed493f5bcb3cbbdad7f6bf98e60b02567d5a24ad
SSDEEP: 12288:/Mrey90eGG8XEe8CMUIt3gp0+ye65hLuCq1F7LjpgDRJ6R6v4F5WfigkJ9nA4:dyhGGWEe2HiK7FfaRfyDJA5Wage9A4
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro6990.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro6990.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro6990.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro6990.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro6990.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro6990.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
- PID 772 un120869.exe
- PID 4748 pro6990.exe
- PID 2352 qu2687.exe
Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro6990.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro6990.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un120869.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe)
Program crash (1 IoC)
- PID 4788 WerFault.exe, target PID 4748 (procid_target 87)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro6990.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu2687.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un120869.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4748 pro6990.exe
- PID 4748 pro6990.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4748 pro6990.exe
- Token: SeDebugPrivilege, PID 2352 qu2687.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 376 wrote to memory of 772 (dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe, procid_target 85)
- PID 376 wrote to memory of 772 (dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe, procid_target 85)
- PID 376 wrote to memory of 772 (dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe, procid_target 85)
- PID 772 wrote to memory of 4748 (un120869.exe, procid_target 87)
- PID 772 wrote to memory of 4748 (un120869.exe, procid_target 87)
- PID 772 wrote to memory of 4748 (un120869.exe, procid_target 87)
- PID 772 wrote to memory of 2352 (un120869.exe, procid_target 97)
- PID 772 wrote to memory of 2352 (un120869.exe, procid_target 97)
- PID 772 wrote to memory of 2352 (un120869.exe, procid_target 97)
Processes
- C:\Users\Admin\AppData\Local\Temp\dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe (PID 376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcc1bc682b2986f3fba231a8c370b5e59dcc2173e146e1f160ac89631b5ec094.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un120869.exe (PID 772)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un120869.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6990.exe (PID 4748)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6990.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4788)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1056
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2687.exe (PID 2352)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2687.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 404)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4748 -ip 4748
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 548KB
  MD5: 74c5b0729277dcaadc9d9149405ed6da
  SHA1: 2795c1e21cac481bdb4793ed8cfc8909a4641ed9
  SHA256: e3047a572f89116809ce9f9af4c1b4fc3861dcddf349962b250447b18c855407
  SHA512: 6008e1478874f92294cd3c0330ef75adeb8a1397b825ec58f15e9de9e9f9001e3c6d983b9068d1fa9cdaed85750c32b16a65717ddc64641057fa1bb0ad6b3247
- Filesize: 291KB
  MD5: ab10ccdbac883fa9b4cf5fa96b01f93e
  SHA1: 954e1046398b2cad446f59cac7539508c8dec4f2
  SHA256: 8f6b75077a246075e68cd6cde4347f3a6088c0e40fd1461ef6cf11c5ce02449a
  SHA512: e2aa3cb50f565a488a1c2476b08ab9e841435805b1b06d40091ca04074998291c9b06ab3843571e3c7ea00ca907d3aa45b376c96f00f415c36a3047b6654181f
- Filesize: 345KB
  MD5: 7e439cc76facf80477c17aa7a2efa616
  SHA1: 5e50446061142e6fbe3ae3172aa5d96ecc568d19
  SHA256: 187199e06a0f50a01e23745c7002573c4f4fb6dacaec717317239865a1196ae9
  SHA512: 5d14fe4da5b480ca8b537ef7a36cc427419d1246b86e1e929011ecec5e4fccd6bd29fd7401a3f4f365edaf28b4f570639553e3b7a318187e0fe816710c9fb482