Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe
Resource: win10v2004-20241007-en
General
- Target: 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe
- Size: 695KB
- MD5: 96d93c3d5570eefa3e0ea9a102e8e952
- SHA1: 3dd618b69af23965d37de77daecd8638c87a58c1
- SHA256: 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284
- SHA512: 9f8055d33327e58df55559fcc85c86d9ac0043ed9aefe7e7ad425f71c57598f0cd30dd7aa7eedb758f507e12001d2a3a823cb277725c54e0c165117a50f34744
- SSDEEP: 12288:xMrBy90RB0L6Qt6DlCpfp1JArcGuPlhc+QGMyO/rfIzBRxJVQDokPC:ky4yL6TDl4p1WrcGelhlOzIBD7/kq
Malware Config
Extracted
- redline
- rosn
- 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
  resource  yara_rule
  behavioral1/memory/2036-19-0x00000000024C0000-0x00000000024DA000-memory.dmp  healer
  behavioral1/memory/2036-21-0x0000000005270000-0x0000000005288000-memory.dmp  healer
  behavioral1/memory/2036-47-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-49-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-45-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-43-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-41-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-39-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-37-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-35-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-33-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-31-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-29-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-27-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-25-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-23-0x0000000005270000-0x0000000005282000-memory.dmp  healer
  behavioral1/memory/2036-22-0x0000000005270000-0x0000000005282000-memory.dmp  healer
- Healer family
- Modifies Windows Defender Real-time Protection settings
  Process: ioc (description)
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (Set value (int))
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (Set value (int))
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (Set value (int))
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (Set value (int))
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (Key created)
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (Set value (int))
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (20 IoCs)
  resource  yara_rule
  behavioral1/memory/3268-61-0x0000000002650000-0x0000000002696000-memory.dmp  family_redline
  behavioral1/memory/3268-62-0x0000000004C00000-0x0000000004C44000-memory.dmp  family_redline
  behavioral1/memory/3268-74-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-80-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-96-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-94-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-92-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-88-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-86-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-84-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-82-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-78-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-76-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-72-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-70-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-68-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-90-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-66-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-64-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
  behavioral1/memory/3268-63-0x0000000004C00000-0x0000000004C3F000-memory.dmp  family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  - PID 1704: un768433.exe
  - PID 2036: pro3393.exe
  - PID 3268: qu7491.exe
- Windows security modification
  Process: ioc (description)
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (Key created)
  - pro3393.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (Set value (int))
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: ioc (description)
  - 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Set value (str))
  - un768433.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Set value (str))
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process: ioc (description)
  - qu7491.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Key opened)
  - 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Key opened)
  - un768433.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Key opened)
  - pro3393.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Key opened)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2036: pro3393.exe
  - PID 2036: pro3393.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2036 (pro3393.exe)
  - Token: SeDebugPrivilege, PID 3268 (qu7491.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description, pid, Process, procid_target
  - PID 1016 wrote to memory of 1704, 1016, 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe, 83
  - PID 1016 wrote to memory of 1704, 1016, 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe, 83
  - PID 1016 wrote to memory of 1704, 1016, 33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe, 83
  - PID 1704 wrote to memory of 2036, 1704, un768433.exe, 84
  - PID 1704 wrote to memory of 2036, 1704, un768433.exe, 84
  - PID 1704 wrote to memory of 2036, 1704, un768433.exe, 84
  - PID 1704 wrote to memory of 3268, 1704, un768433.exe, 95
  - PID 1704 wrote to memory of 3268, 1704, un768433.exe, 95
  - PID 1704 wrote to memory of 3268, 1704, un768433.exe, 95
Processes (indentation shows the parent/child relationship; the number is the depth in the tree)
- C:\Users\Admin\AppData\Local\Temp\33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33848fb648af670da89366215a5bdeee491cbe2b574a057509bf5f91f3a31284.exe"
  PID: 1016
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768433.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768433.exe
    PID: 1704
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3393.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3393.exe
      PID: 2036
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7491.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7491.exe
      PID: 3268
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 553KB
  MD5: 0dbd56ee77f76e22a3a4ab10c576db34
  SHA1: 6955ab9d7a41118989fde5d9ba903b8539a5248f
  SHA256: e87983538ce19ba2d7991ac4c34f28f1a648386c06baddbe05404962e3d07796
  SHA512: 13dfc01b307e5613856fe99243deff7028e46ff03ebfb573cf3ba388eb9a4d8731ac5b02af5d1804953a1542e253bc8bc9838c92a6995e5f24fc54d8be0a46ec
- Filesize: 308KB
  MD5: d9c07efeda60ab7911698fe0adc32fdc
  SHA1: 1ad174b0e47a12c18306aa07f9702998ed6ff47d
  SHA256: d9bfe450b4f999547d56f73a577415658f7e74f9ffbce6dec4e5b154708f447b
  SHA512: a769ff311df2f03c68714f5db27af8ac82898efb1c7aa88a0c74b1bc73491fd75c7b0426298e94d5fb87f85cde6c58dcbcacdbdb41d245d6f24f4e192757385d
- Filesize: 366KB
  MD5: aa6de8dfea5c56c4fc4fc03b5fe8c2ea
  SHA1: 2dcb98f63da2f59bc410a101b93108fdd55d7bb7
  SHA256: a74b74a0f43106a663a2aaf701ff31eb4ffc1081725edb6d1d742ee822b59e15
  SHA512: 8e202983bf843eb057c1a201d6cdd9489ea12024fdd93b79ba06ce251e2b9975898219471926b46e0ce9d51ca8b43b00c9471e03cea770d54fccb62e61c33c73