Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe
Resource: win10v2004-20241007-en
General
Target: 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe
Size: 696KB
MD5: 087fbb45f1779da72b3250842e52922f
SHA1: e993feb44644bbb564d168ce803c69fa902bea73
SHA256: 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b
SHA512: 4d5c58e5b83233363c1671d5715849daf78f81a580f716813f878628a076dc201f6136037db7d17c7193492c2d27ef2888853afca0056797ba19aea688a041cb
SSDEEP: 12288:SMrfy90ggKiysUDtdnbsLGe7SzuIdD8roMA8YL62zGjgAxI9gzgpdE:9yifUxdnQGe7SzM3QlGjxI988E
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1319.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1319.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1319.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1319.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1319.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1319.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2108 | un549368.exe
3668 | pro1319.exe
944 | qu1302.exe
Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1319.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1319.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un549368.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2736 | 3668 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu1302.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un549368.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro1319.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3668 | pro1319.exe
3668 | pro1319.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3668 | pro1319.exe
Token: SeDebugPrivilege | 944 | qu1302.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1256 wrote to memory of 2108 | 1256 | 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe | 83
PID 1256 wrote to memory of 2108 | 1256 | 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe | 83
PID 1256 wrote to memory of 2108 | 1256 | 5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe | 83
PID 2108 wrote to memory of 3668 | 2108 | un549368.exe | 85
PID 2108 wrote to memory of 3668 | 2108 | un549368.exe | 85
PID 2108 wrote to memory of 3668 | 2108 | un549368.exe | 85
PID 2108 wrote to memory of 944 | 2108 | un549368.exe | 99
PID 2108 wrote to memory of 944 | 2108 | un549368.exe | 99
PID 2108 wrote to memory of 944 | 2108 | un549368.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe (PID 1256, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5235be3d25acc4cbc5ea285e3b835d6180e5079ef39bcbff19088b126e70743b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un549368.exe (PID 2108, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un549368.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1319.exe (PID 3668, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1319.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 2736, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1302.exe (PID 944, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1302.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 712, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3668 -ip 3668
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547) (1): Registry Run Keys / Startup Folder (T1547.001) (1)
- Create or Modify System Process (T1543) (1): Windows Service (T1543.003) (1)
Downloads