Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:46

Static task: static1
Behavioral task: behavioral1
Sample: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe
Resource: win10v2004-20241007-en
General

Target: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe
Size: 678KB
MD5: 97d73bccc11d2720aa98bd529b7b5802
SHA1: 27d5cfa30e27a615cde68fcadddf6211b140418c
SHA256: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788
SHA512: 62775cf93bea967c644de805221a47b3def8d80cc549a561f5cd6b69a6444ec2c912cf9f4179c8a6501ef6ed78ec3fb5b8b68c57d7c79e1895ebfbb3cbf988d7
SSDEEP: 12288:aMrcy90NqzHjjVEAs3D3dbNsBqtwC+ly/dhY27By:KydHu5hSBxC+8nYH
Malware Config

Extracted
  Family: redline
  Botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs (Process: pro3696.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
Redline family

Executes dropped EXE 3 IoCs
  PID 3824: un221650.exe
  PID 848: pro3696.exe
  PID 1244: qu0588.exe

Windows security modification 2 IoCs (Process: pro3696.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: un221650.exe)
Program crash 1 IoCs
  PID 5096 (WerFault.exe), pid_target 848, procid_target 83
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: un221650.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: pro3696.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: qu0588.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
  PID 848: pro3696.exe
  PID 848: pro3696.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token: SeDebugPrivilege, PID 848 (pro3696.exe)
  Token: SeDebugPrivilege, PID 1244 (qu0588.exe)
Suspicious use of WriteProcessMemory 9 IoCs
  PID 4384 wrote to memory of 3824 (Process: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe, procid_target 82)
  PID 4384 wrote to memory of 3824 (Process: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe, procid_target 82)
  PID 4384 wrote to memory of 3824 (Process: de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe, procid_target 82)
  PID 3824 wrote to memory of 848 (Process: un221650.exe, procid_target 83)
  PID 3824 wrote to memory of 848 (Process: un221650.exe, procid_target 83)
  PID 3824 wrote to memory of 848 (Process: un221650.exe, procid_target 83)
  PID 3824 wrote to memory of 1244 (Process: un221650.exe, procid_target 94)
  PID 3824 wrote to memory of 1244 (Process: un221650.exe, procid_target 94)
  PID 3824 wrote to memory of 1244 (Process: un221650.exe, procid_target 94)
Processes

C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe (PID 4384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de107f0e5b1a27237f8aeeed095d03e0784f46b6ce5e843da2679151effe4788.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe (PID 3824)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un221650.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe (PID 848)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3696.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 5096)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe (PID 1244)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0588.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 3256)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 848 -ip 848
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 524KB
MD5: 8389155b3cdf35388975c2a799b592aa
SHA1: 552f9d86a3ebe39c9a490496d62078f5ed37c5f8
SHA256: f992547f326a34a46a6e26a9b0bb3d34a74d0eb34edb1186ddcea1d7010db539
SHA512: 6720ea55a218d45534de0d998caad8ba5c2154da01bcaa4027c5a77f030eb1bc6513577ae6c787d5a470a34a4597e18ecef143131b9a4723a476ed38e769b468

Filesize: 289KB
MD5: 217e1777bb5a9638e0672bca975afe56
SHA1: 2c7e1ec4a3c579bc311cdb5c079f9f91c6d971b3
SHA256: 9c9168311e613c2995e8d8859dca9bc0fa26042b27b2e280aa60f7de7a2996e0
SHA512: eabba88778b6e8947cc0661fed713276152cb1a7f09b5be7851f4af33fd18f509587c398db4f9f525583c54d36fe7d2a09aa382eddae8afa545a6fa854cbd656

Filesize: 348KB
MD5: 9e0e83a0b6939bf64093ba9a60c5d80b
SHA1: 1a07a07a5a1350f7ef5f17557bef484202fbc94f
SHA256: 48ad52ba751f573156182b27f047d7e8bcebdd40ce1b3b2fe99bb953634cdf6f
SHA512: 08d32f1c3e5f12aecb8ad7221d0d8a4293701c0f27814e15b4822f0b7570f7d514660937deac15d2bda2998b77ef2da6bbcbfbb3aa7ba00b85d2eca4e568a218