Analysis

max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 03:45

Static task: static1
Behavioral task: behavioral1
Sample: 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe
Resource: win10v2004-20241007-en
General

Target: 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe
Size: 677KB
MD5: 5ea32efcddfa436f719170eec349479f
SHA1: 8edb006783f5b544e30d4277de0a6d1fa0b0edda
SHA256: 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec
SHA512: 7f9f802696b7795fe9b88be934519b211ce841c3d6b24c1ed6face99008da48f073b976e4b29152ef98aa3ea7815d4239fc3703d1eb2eaf08d1d11b7b8e0fe7c
SSDEEP: 12288:pMr+y90CBLEf6KHVLZzxCSB6KcOlKEWxxmv2/QDVqBCvE9/ImIfbmE7Y+X:XynJw6Q1pg7yvYC89QmebmEjX
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/4744-19-0x00000000023B0000-0x00000000023CA000-memory.dmp | healer
behavioral1/memory/4744-21-0x0000000002570000-0x0000000002588000-memory.dmp | healer
behavioral1/memory/4744-23-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-49-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-47-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-46-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-43-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-42-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-39-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-38-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-35-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-34-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-31-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-30-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-27-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-26-0x0000000002570000-0x0000000002582000-memory.dmp | healer
behavioral1/memory/4744-22-0x0000000002570000-0x0000000002582000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5199.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro5199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5199.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)

resource | yara_rule
behavioral1/memory/2240-60-0x00000000022B0000-0x00000000022F6000-memory.dmp | family_redline
behavioral1/memory/2240-61-0x0000000002750000-0x0000000002794000-memory.dmp | family_redline
behavioral1/memory/2240-62-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-77-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-95-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-93-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-91-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-89-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-87-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-85-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-83-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-81-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-79-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-75-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-73-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-71-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-69-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-67-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-65-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
behavioral1/memory/2240-63-0x0000000002750000-0x000000000278F000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE (3 IoCs)

pid | Process
1600 | un318738.exe
4744 | pro5199.exe
2240 | qu1236.exe

Windows security modification (2 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5199.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un318738.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
4876 | 4744 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un318738.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro5199.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu1236.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
4744 | pro5199.exe
4744 | pro5199.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 4744 | pro5199.exe
Token: SeDebugPrivilege | 2240 | qu1236.exe
Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 4116 wrote to memory of 1600 | 4116 | 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe | 83
PID 4116 wrote to memory of 1600 | 4116 | 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe | 83
PID 4116 wrote to memory of 1600 | 4116 | 0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe | 83
PID 1600 wrote to memory of 4744 | 1600 | un318738.exe | 84
PID 1600 wrote to memory of 4744 | 1600 | un318738.exe | 84
PID 1600 wrote to memory of 4744 | 1600 | un318738.exe | 84
PID 1600 wrote to memory of 2240 | 1600 | un318738.exe | 98
PID 1600 wrote to memory of 2240 | 1600 | un318738.exe | 98
PID 1600 wrote to memory of 2240 | 1600 | un318738.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c9564966bd966758cce5181e66d8929d340f5dd29c4bf9e33a1bc61df1271ec.exe"
    PID: 4116
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un318738.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un318738.exe
        PID: 1600
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5199.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5199.exe
            PID: 4744
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1064
                PID: 4876
                - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1236.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1236.exe
            PID: 2240
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4744 -ip 4744
    PID: 3824
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 523KB
MD5: e05ffe9c082dfae01b0813f81bcfd0d1
SHA1: c59998b2141bd47c700dd7c3b022a2a32965908c
SHA256: ba1db3a7db361c2481c7ecfa6c3b89c8f758d2756dde56ba0c8401ef81c0b9fc
SHA512: 750dbe02ebef08c32eb5af711c9cf1d666f73d1b054aceab3c79f6229d0f0387090460bb9ce62d9cd4f232c412cc31553d65b1d304324c7dec207d989544fd13

Filesize: 253KB
MD5: db623d75b2fd86f80076b555ac0862fc
SHA1: 4f345ea66d364cd7ed66322c0863f96441e66f93
SHA256: bf4a682acfa3348386b860b6135b6f6e20a069dee98d70f12d2d6c153e2eb3c4
SHA512: 6d6ce9339ce6595e9c4a7363680b59c010dda45ce338e3ba0306446c16e4cf8e0785a2f3d62d7759b6fa5e961427c2499aabb3260a6b70dfcb028936aadba2e7

Filesize: 311KB
MD5: e05905752c3edb01cd602902d4cd6a03
SHA1: 56a64bf01bf11437f4309d2b3b3f2b8afaf34e9b
SHA256: e6cf240a968dddbde29e0fd48fe97707195b5acc5fb24743c6764a000eee4c76
SHA512: f82eacbaa494cf106d14a4e8b84503d3d86a688975e791a3584b450fd31ebf3e13b1aea9c5f6e53271ff3b7799f1d1bb290cd293ee4812a94ddefa0b61b926a4