Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:58

Static task: static1
Behavioral task: behavioral1
Sample: 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe
Resource: win10v2004-20241007-en
General

Target: 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe
Size: 673KB
MD5: 67434f9d24f6165eb393225772adea15
SHA1: 8dc17e50bba2cb9a8d0878ed89c92d056fa8fb03
SHA256: 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29
SHA512: ae025357dc2bd59670a9e9ee0ab35d4ca63c2e206d8cf194a4eb5cc23049fbc9c69c2faa38fb2a3480f6737597d80c62450979a09d2e78913f673834dd80b342
SSDEEP: 12288:KMriy90YPLWgHRbHC6+QPyqD5GsB0Ddmc4WOvFoGZUbFomNM+YXgKIpE0mTR:syTSM9PySG/dV4WSFoGipo4aIUR
Malware Config

Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4305.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4305.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4305.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4305.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4305.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4305.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)

pid | Process
1020 | un527880.exe
3840 | pro4305.exe
5096 | qu0069.exe

Windows security modification

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4305.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4305.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un527880.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
2780 | 3840 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un527880.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro4305.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu0069.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
3840 | pro4305.exe
3840 | pro4305.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 3840 | pro4305.exe
Token: SeDebugPrivilege | 5096 | qu0069.exe
Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 1868 wrote to memory of 1020 | 1868 | 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe | 83
PID 1868 wrote to memory of 1020 | 1868 | 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe | 83
PID 1868 wrote to memory of 1020 | 1868 | 5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe | 83
PID 1020 wrote to memory of 3840 | 1020 | un527880.exe | 84
PID 1020 wrote to memory of 3840 | 1020 | un527880.exe | 84
PID 1020 wrote to memory of 3840 | 1020 | un527880.exe | 84
PID 1020 wrote to memory of 5096 | 1020 | un527880.exe | 95
PID 1020 wrote to memory of 5096 | 1020 | un527880.exe | 95
PID 1020 wrote to memory of 5096 | 1020 | un527880.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fc9dc93977acdbed25b5461f74267e6ce1c8cc796923e611afe84159a990b29.exe"
  PID: 1868
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527880.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527880.exe
    PID: 1020
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4305.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4305.exe
      PID: 3840
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1080
        PID: 2780
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0069.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0069.exe
      PID: 5096
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
  PID: 1776
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 531KB
MD5: 73b91abb15d6eb108d3920196739574f
SHA1: 9dbea56c600f619f51bb4c86aa4440646c082124
SHA256: c93cafa34b1cd4f6bf73e3eaccfaedc03d00b07e352c6b3075be1e746af3d8dd
SHA512: f702274eeffb30496c7e297eb4c1c1a3c9f8440dd2a466e66bf6861a7981f6951bf4be441248f777071ce28b6f4b620114c61ec42502a92fe1dd32b538a9de03

Filesize: 259KB
MD5: ad96a3f17599da9b3b2554ca6050abc4
SHA1: a9a2ceb774ecae2356abe72d27279874fa0636f2
SHA256: 2a1a2c545827c1674e578e9bd7f01fc9abe8ccbfbdcd0cce5b2e408c893c516c
SHA512: a5cbf7d2402122b4291a5bd5df7a993b9a9e491f6fbf933306be9fb60ce7547b95e149876e4354462924251cb3338c4badea7640af090c412a617efbe0918fbc

Filesize: 318KB
MD5: 5ba6e74734c703a9a4c3ccd4f6ae0292
SHA1: ec24492749fec3eee3670b9a210ba1adacc8046b
SHA256: 5360d560481c85f2d83266c736791fcf91cad1feddf382143820404dd4147bce
SHA512: 6b8fce64afd374d177904e1b4a1f6329e850abb2f03ad0823647c7ba375b77594b7151f556905bd95c49c278cf4546d645e695a8b2272f093d48f8df0ebe5a07