Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:58
Static task: static1
Behavioral task: behavioral1
Sample: 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe
Resource: win10v2004-20241007-en
General
Target: 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe
Size: 660KB
MD5: cfb46ea2c280872c2457a32829704e36
SHA1: fbbc4ffabb1b865cc89e006924a8e6a4e01bd715
SHA256: 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16
SHA512: c23984ec0cd59b478203b83dc12133fa1b4359e7227368e5ca974a7196f41833062755a776a261e8c5f82e8e5630ed88f8f4bee3cabc5965ab2ed8982b0d3627
SSDEEP: 12288:wMrcy90WpSc0R6M+EiiH3l86crIrqukW5PRFl0dBVF6w6Ekzm0zQM2TCj:8yNpTd432Irqi55E6w6EkzxrECj
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/4024-18-0x00000000038B0000-0x00000000038CA000-memory.dmp | healer
behavioral1/memory/4024-21-0x0000000003960000-0x0000000003978000-memory.dmp | healer
behavioral1/memory/4024-49-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-47-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-45-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-43-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-41-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-39-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-37-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-35-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-33-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-31-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-29-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-27-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-25-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-23-0x0000000003960000-0x0000000003972000-memory.dmp | healer
behavioral1/memory/4024-22-0x0000000003960000-0x0000000003972000-memory.dmp | healer
Healer family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3932.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro3932.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4988-61-0x00000000022D0000-0x0000000002316000-memory.dmp | family_redline
behavioral1/memory/4988-62-0x0000000004AC0000-0x0000000004B04000-memory.dmp | family_redline
behavioral1/memory/4988-66-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-76-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-96-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-94-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-92-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-90-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-88-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-86-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-82-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-80-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-78-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-74-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-72-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-70-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-68-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-84-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-64-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
behavioral1/memory/4988-63-0x0000000004AC0000-0x0000000004AFF000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2332 | un171706.exe
4024 | pro3932.exe
4988 | qu5802.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro3932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3932.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un171706.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
6416 | sc.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
940 | 4024 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un171706.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro3932.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu5802.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4024 | pro3932.exe
4024 | pro3932.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4024 | pro3932.exe
Token: SeDebugPrivilege | 4988 | qu5802.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2400 wrote to memory of 2332 | 2400 | 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe | 83
PID 2400 wrote to memory of 2332 | 2400 | 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe | 83
PID 2400 wrote to memory of 2332 | 2400 | 06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe | 83
PID 2332 wrote to memory of 4024 | 2332 | un171706.exe | 84
PID 2332 wrote to memory of 4024 | 2332 | un171706.exe | 84
PID 2332 wrote to memory of 4024 | 2332 | un171706.exe | 84
PID 2332 wrote to memory of 4988 | 2332 | un171706.exe | 98
PID 2332 wrote to memory of 4988 | 2332 | un171706.exe | 98
PID 2332 wrote to memory of 4988 | 2332 | un171706.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06439e37a05c2865479c9f14e8fbd01beaf97d1700be9e48574b7f0968879f16.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2400
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un171706.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2332
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3932.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4024
            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1080
                - Program crash
                PID: 940
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5802.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 4988
C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4024 -ip 4024
    PID: 1580
C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
    PID: 6416
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads

Filesize: 518KB
MD5: 08f8fad8508193e387cabc9139599d1d
SHA1: 44d99fd5f84a9470f36db3b80c852b9ee088f893
SHA256: e78ebf3b49810a8020f5f7f6c16cca7619fd2834136159a6c76480411ecb6bbb
SHA512: 5e42cbd4f6c107fc0027e5720eec1dc276cd540fc9eb0b95200b4d100ce433be69b9017cb772b84d30a4cb7fc0d9e21e5097225170e6beb2b246a489fc20cd75

Filesize: 276KB
MD5: d47cae380e21366723dd1061722b227d
SHA1: d6a4e11148d823ba4423d5c9c692c99591dfde2b
SHA256: f3e6c353f4a5af7c266c9873a7bb89a22173c94e06c9e3f1afbec6320715cfd6
SHA512: 17f4c71513743c3836171d84492b6f66bb1794e521173b82bd7140ca9494400e45ad0a604f5b91782e23c5ede02966aff943b2f6682cf7bba7954cec01b496cd

Filesize: 295KB
MD5: 9cbfe70cab5606e4a2ec17426234c8ba
SHA1: b81c8d3a09c5bbc8064c94be0aeb48e9f6360b87
SHA256: 75603c775465340a67c91943fde602e6e9983cbd3f66533e13181cfde7c0804d
SHA512: 79f069b0c3bbc6ff9c66459e05148b3a707b1b32fc00942d8e762c4359bae633f43b02258b54c20e9ee9a5bb4f812782421684dbe9b38f907b9ad3cc6bde1b9a