Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2024 12:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe
- Resource: win10v2004-20241007-en
General
- Target: a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe
- Size: 671KB
- MD5: eaf2d181ec9bf0a26935bdb9159cc2f8
- SHA1: d1114cd2c505b81fe37ed2216fcbaf775b6845ed
- SHA256: a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1
- SHA512: fedaf8371e28f385dec435537d04faeaa6e618497b5948aefce2c690ada847bff97f8d08bec59fd0a5dd2b81b3dc147130841da8aef921d84ba5e7446e240062
- SSDEEP: 12288:tMrmy90drhOAOoBAAq2lZkMyTKrhbE7SNbIlFzmE0kVAII9:fym1Cgrq2lZESbEgOFSEQ59
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
- Detects Healer an antivirus disabler dropper 17 IoCs
  resource | yara_rule
  - behavioral1/memory/1916-19-0x00000000023A0000-0x00000000023BA000-memory.dmp | healer
  - behavioral1/memory/1916-21-0x00000000025F0000-0x0000000002608000-memory.dmp | healer
  - behavioral1/memory/1916-49-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-47-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-45-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-43-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-41-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-40-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-37-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-35-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-33-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-31-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-29-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-27-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-25-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-23-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
  - behavioral1/memory/1916-22-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
- Healer family
- Modifies Windows Defender Real-time Protection settings 6 IoCs
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0492.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0492.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0492.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0492.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0492.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0492.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 20 IoCs
  resource | yara_rule
  - behavioral1/memory/528-61-0x0000000004A40000-0x0000000004A86000-memory.dmp | family_redline
  - behavioral1/memory/528-62-0x00000000050A0000-0x00000000050E4000-memory.dmp | family_redline
  - behavioral1/memory/528-78-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-76-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-96-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-94-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-92-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-90-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-88-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-86-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-84-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-82-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-80-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-74-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-72-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-70-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-68-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-66-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-64-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
  - behavioral1/memory/528-63-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE 3 IoCs
  pid | Process
  - 3300 | un178385.exe
  - 1916 | pro0492.exe
  - 528 | qu1547.exe
- Windows security modification 2 IoCs
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0492.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0492.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un178385.exe
- Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  - 3784 | 1916 | WerFault.exe | 86
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un178385.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro0492.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu1547.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  - 1916 | pro0492.exe
  - 1916 | pro0492.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  - Token: SeDebugPrivilege | 1916 | pro0492.exe
  - Token: SeDebugPrivilege | 528 | qu1547.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  - PID 2872 wrote to memory of 3300 | 2872 | a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe | 85
  - PID 2872 wrote to memory of 3300 | 2872 | a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe | 85
  - PID 2872 wrote to memory of 3300 | 2872 | a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe | 85
  - PID 3300 wrote to memory of 1916 | 3300 | un178385.exe | 86
  - PID 3300 wrote to memory of 1916 | 3300 | un178385.exe | 86
  - PID 3300 wrote to memory of 1916 | 3300 | un178385.exe | 86
  - PID 3300 wrote to memory of 528 | 3300 | un178385.exe | 95
  - PID 3300 wrote to memory of 528 | 3300 | un178385.exe | 95
  - PID 3300 wrote to memory of 528 | 3300 | un178385.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a61c9df5c66581a3d4b2cbd292e190ec5c923249382903815fe9a229b2f8a1d1.exe"
  PID: 2872
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un178385.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un178385.exe
    PID: 3300
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0492.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0492.exe
      PID: 1916
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1096
        PID: 3784
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1547.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1547.exe
      PID: 528
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1916 -ip 1916
  PID: 1356
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 517KB
  - MD5: 1d41a05619d85c8a938a8d467469041b
  - SHA1: f9f536857a6578f31c363acc59ef16aa81035d38
  - SHA256: 15d3f29c21f5c073f918583105fe07722e8ffccbef1ddb24dabf2e7da023d4ff
  - SHA512: 44686fb86539e95517191e844cf700282ad198261770d7a8f9ff290187d5576c7944fbba195fcb26534bdd3c5934f39af8e004eb97aa86c9b49d8748adaf7656
- Filesize: 237KB
  - MD5: 12dd67d3bda4d3aa31d4fa1c6363a881
  - SHA1: a0180ff54eb9d23c3c489c32bced1ced2ec31ee1
  - SHA256: 5b8f0803073b878a43276b26205801596e7c654d9f40a727705537b15d6f8ba0
  - SHA512: 497a46c7d22cd9acaa2e71631432e366ea16b7bb759113df49a5bff623bec6a4846b0d7c08382bae2a276111e1fc11dabcddd56c317ee77008746645cc01f91e
- Filesize: 295KB
  - MD5: 1816e5def3c23df001c074b1563c67e5
  - SHA1: f47f28b3e3b2fba188683eecd43230f32c8547b5
  - SHA256: ae2cccbae7e904f975c6c5ac5178be0de1fe9fb502f2d043c406e5bdb32b8238
  - SHA512: 26b365039cac918ffff7d55b5bd25bc18b47d1af646841e021d6fce3f05dc46558f4c94d278c0b8e21ba806b708cf0f6bcce22ae27e9bb5279f1fab49ca365f2