Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 03:54
Static task
static1
Behavioral task
behavioral1
Sample
c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe
Resource
win10v2004-20241007-en
General
-
Target
c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe
-
Size
683KB
-
MD5
9f1ed52ebd8c6eb56517a53a0b27d8ae
-
SHA1
199d0359e0d2439433f58c9e8c7516713ac97a9c
-
SHA256
c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c
-
SHA512
1226a0309753b0ff86336fe2789074d12119c2718fe8ef4091dd8edeb595948cbb7c726f25549dff25f15d5e4d8da24373636d951af1933c1ad956a96422ba35
-
SSDEEP
12288:7MrPy90BuOwlEVisPzm21VqJvz0QQXBeZ7ej6RU+VD40Wio8a9mRwX:UyMuOd1tUJvztQXm7eW6+VsUa9kY
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3208-18-0x00000000049B0000-0x00000000049CA000-memory.dmp healer behavioral1/memory/3208-20-0x00000000076D0000-0x00000000076E8000-memory.dmp healer behavioral1/memory/3208-38-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-48-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-46-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-44-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-42-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-40-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-36-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-34-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-32-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-30-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-28-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-26-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-24-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-22-0x00000000076D0000-0x00000000076E2000-memory.dmp healer behavioral1/memory/3208-21-0x00000000076D0000-0x00000000076E2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro0109.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro0109.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro0109.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro0109.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro0109.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro0109.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/828-60-0x0000000004C50000-0x0000000004C96000-memory.dmp family_redline behavioral1/memory/828-61-0x0000000007750000-0x0000000007794000-memory.dmp family_redline behavioral1/memory/828-69-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-95-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-93-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-91-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-89-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-87-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-85-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-83-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-81-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-79-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-77-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-75-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-73-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-71-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-67-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-65-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-63-0x0000000007750000-0x000000000778F000-memory.dmp family_redline behavioral1/memory/828-62-0x0000000007750000-0x000000000778F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4836 un849386.exe 3208 pro0109.exe 828 qu1936.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro0109.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro0109.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un849386.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2364 3208 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un849386.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro0109.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu1936.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3208 pro0109.exe 3208 pro0109.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3208 pro0109.exe Token: SeDebugPrivilege 828 qu1936.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2140 wrote to memory of 4836 2140 c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe 83 PID 2140 wrote to memory of 4836 2140 c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe 83 PID 2140 wrote to memory of 4836 2140 c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe 83 PID 4836 wrote to memory of 3208 4836 un849386.exe 84 PID 4836 wrote to memory of 3208 4836 un849386.exe 84 PID 4836 wrote to memory of 3208 4836 un849386.exe 84 PID 4836 wrote to memory of 828 4836 un849386.exe 99 PID 4836 wrote to memory of 828 4836 un849386.exe 99 PID 4836 wrote to memory of 828 4836 un849386.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe"C:\Users\Admin\AppData\Local\Temp\c9a1793376a7669902f5fe26df45fa2afe2e1f316213eb4e0bc0c5b9db27cb7c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un849386.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0109.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 10804⤵
- Program crash
PID:2364
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1936.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:828
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3208 -ip 32081⤵PID:4568
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
541KB
MD512f58ef97e1b1d8df6afef2b7e6622ec
SHA11747d7e117fc6501ac6a1eb8ffac7de36b412786
SHA256b436aa8e5827d331a0d090d93e3a8935866a3d1b0d7d244bbce64db7825aa042
SHA512bd22f55bb367b841f2fb627740dc5986060ec5fb5b3721adaea1177569300cfdaf166b61151c43c39ce0f7d217f23e6fbf4d2d9f4113b166cbd870ccf36e2155
-
Filesize
322KB
MD55439199f512057b8df3d164237fb39fb
SHA1d7d6e2e7914d26c95ab23dbdf0158c0cb556a4fa
SHA2561303306da95987b70dfb522ee601a7a20bb4fe73a0ea4140b3190d0995de04ff
SHA512bbe0953f1a14cea4ddabf51bdd8b5a72b85237ae2d51eacf0836d60d7900c4cde496d0504ea6a9e5c89487dffce92f62d0420b85e859a8b78b8231b68602352b
-
Filesize
379KB
MD580bc579808a2c5a4514ffef6235abc46
SHA11e469bdfd631de08a9a8d4f7944a691910880d24
SHA256b83d67d37e73bc59a04e9d15bf383797ca5d29c4f99837a7105f0b6aac09d8b2
SHA512db76b8b1926bd3ff552dd561be7084ca3a9dccfbc4b98fda8b478561821e37ee36f70dc170af32f2b68c4d2d37f23501022a0a938fe4c54e4dbf1f33a35cf70a