Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:58
Static task: static1
Behavioral task: behavioral1
Sample: eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe
Resource: win10v2004-20241007-en
General
Target: eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe
Size: 660KB
MD5: 79a5863a02f199f27042a337b2266f1d
SHA1: dfff750dd89cb4b7e5f515ba7834d0a148584ab1
SHA256: eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58
SHA512: fc7e745cb485c816c7f4feffabdb3dc1c06c93517ce122327db3cbaa4436064346f7e1b5378368d6bf833f830d1290a99157dd7f1df246fd5e89099d1bf918d2
SSDEEP: 12288:PMrQy90WkuILsbe5vFYFIVNFZkgujQxN3bazBolTLfEg7aSoP9m:jybkb4YA3j4azBoNleSoP9m
Malware Config
Extracted
Family: redline
rosto
hueref.eu:4162
auth_value: 07d81eba8cad42bbd0ae60042d48eac6
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3796-19-0x0000000002390000-0x00000000023AA000-memory.dmp | healer
behavioral1/memory/3796-21-0x0000000002690000-0x00000000026A8000-memory.dmp | healer
behavioral1/memory/3796-45-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-49-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-47-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-43-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-41-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-39-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-37-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-35-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-33-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-31-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-29-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-27-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-25-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-23-0x0000000002690000-0x00000000026A2000-memory.dmp | healer
behavioral1/memory/3796-22-0x0000000002690000-0x00000000026A2000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | urld75fl67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | urld75fl67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | urld75fl67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | urld75fl67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | urld75fl67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | urld75fl67.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/1064-61-0x0000000002310000-0x0000000002356000-memory.dmp | family_redline
behavioral1/memory/1064-62-0x0000000004AE0000-0x0000000004B24000-memory.dmp | family_redline
behavioral1/memory/1064-76-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-78-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-96-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-94-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-92-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-90-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-86-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-84-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-82-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-80-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-74-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-72-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-70-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-88-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-68-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-66-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-64-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline
behavioral1/memory/1064-63-0x0000000004AE0000-0x0000000004B1E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3840 | ycZQ43qr88.exe
3796 | urld75fl67.exe
1064 | wrey59kC60.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | urld75fl67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | urld75fl67.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ycZQ43qr88.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4528 | 3796 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ycZQ43qr88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | urld75fl67.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wrey59kC60.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3796 | urld75fl67.exe
3796 | urld75fl67.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3796 | urld75fl67.exe
Token: SeDebugPrivilege | 1064 | wrey59kC60.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2884 wrote to memory of 3840 | 2884 | eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe | 83
PID 2884 wrote to memory of 3840 | 2884 | eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe | 83
PID 2884 wrote to memory of 3840 | 2884 | eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe | 83
PID 3840 wrote to memory of 3796 | 3840 | ycZQ43qr88.exe | 84
PID 3840 wrote to memory of 3796 | 3840 | ycZQ43qr88.exe | 84
PID 3840 wrote to memory of 3796 | 3840 | ycZQ43qr88.exe | 84
PID 3840 wrote to memory of 1064 | 3840 | ycZQ43qr88.exe | 100
PID 3840 wrote to memory of 1064 | 3840 | ycZQ43qr88.exe | 100
PID 3840 wrote to memory of 1064 | 3840 | ycZQ43qr88.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eec8006a53c5f85c442040a9e30d8b26a258b0668084ae6fe599307453b38f58.exe"
  PID: 2884
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycZQ43qr88.exe
    PID: 3840
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urld75fl67.exe
      PID: 3796
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1100
        PID: 4528
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrey59kC60.exe
      PID: 1064
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3796 -ip 3796
  PID: 216
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 515KB
MD5: bb00bda1a34cf85a7024b49365348dae
SHA1: 2f1b2684d28d8ae32f0405a762480aabf77a18d2
SHA256: 50bed3800f12301650947a559f1c9a357f960c7dda5e19d08afff32c8254e167
SHA512: 1fc1af38663b2c444109add571b6dd7bc18cadd899490b47065ca25d8244bdc2fb88e45bf95a1df98d3ca746427631658c7afe6024511f7a8b23d79e5f50ffdc

Filesize: 231KB
MD5: dc44e178c4f3a817757c50068412a977
SHA1: 7bcdf70b213b0db4a895c7156172b5ce70ed9f57
SHA256: 87d065445ce37fdcd5725c65e839baaf217ba8dbc0f8635f289f44c7627b0646
SHA512: 718b1751f1333f98c33a96527895f5c376e5db709787e3ae8b61a49689e3b687835169abf8373c8e71b761e6537078728a5776bebda73eba60dbac53edffa7f0

Filesize: 290KB
MD5: 75160aa498b0f13e4f6106ffe98857f3
SHA1: 154296294b8700f46187245fdb9a2c4d5aa7da3c
SHA256: 57ad72d53871e2d2f5576eca5bbf30e6c86fffef549ab740e9b2f89a81968547
SHA512: 8aade9003760df690e83dd35a309c64a67d7f10a37fb3e3138d4373d69a420885883417a1421f3bcdfb78776f5d6d38f83dab13b1f3f824186eae94ee1263813