Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
09/11/2024, 03:58
Static task
static1
Behavioral task
behavioral1
Sample
7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe
Resource
win10v2004-20241007-en
General
-
Target
7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe
-
Size
666KB
-
MD5
12a553c0debd8d4dfe440f83a2b8f967
-
SHA1
dcbdd03f6c5ca62d2b1503a9df0d0f8b33b90698
-
SHA256
7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a
-
SHA512
99604ba2697e750aef18c1d37bdd20893b21e5b9a196a86d9d70d87561bc9a681b96ffa1dc5bd7074fd5d1dc93b1245329cc67bad2ac5249ca70ab98d8975f59
-
SSDEEP
12288:XMrmy90Urv+VTJ+Gi9N/djJ2CaaNiW67groJNPpFlCVUs0zVVrU1po/wNFjoVA3G:lyBrv+VZMNS4NiNgWHT0DuVrSGw7j8YG
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/3388-19-0x0000000002880000-0x000000000289A000-memory.dmp | healer
behavioral1/memory/3388-21-0x0000000004DA0000-0x0000000004DB8000-memory.dmp | healer
behavioral1/memory/3388-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-47-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-43-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-41-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-39-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-35-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-33-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-31-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-29-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-27-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-25-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-23-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
behavioral1/memory/3388-22-0x0000000004DA0000-0x0000000004DB2000-memory.dmp | healer
Healer family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9277.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9277.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9277.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4596-61-0x0000000002830000-0x0000000002876000-memory.dmp | family_redline
behavioral1/memory/4596-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp | family_redline
behavioral1/memory/4596-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-87-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-67-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4596-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
412 | un625662.exe
3388 | pro9277.exe
4596 | qu7507.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9277.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9277.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un625662.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1728 | 3388 | WerFault.exe | 85
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un625662.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro9277.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu7507.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3388 | pro9277.exe
3388 | pro9277.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3388 | pro9277.exe
Token: SeDebugPrivilege | 4596 | qu7507.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2680 wrote to memory of 412 | 2680 | 7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe | 83
PID 2680 wrote to memory of 412 | 2680 | 7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe | 83
PID 2680 wrote to memory of 412 | 2680 | 7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe | 83
PID 412 wrote to memory of 3388 | 412 | un625662.exe | 85
PID 412 wrote to memory of 3388 | 412 | un625662.exe | 85
PID 412 wrote to memory of 3388 | 412 | un625662.exe | 85
PID 412 wrote to memory of 4596 | 412 | un625662.exe | 99
PID 412 wrote to memory of 4596 | 412 | un625662.exe | 99
PID 412 wrote to memory of 4596 | 412 | un625662.exe | 99
Processes
-
- C:\Users\Admin\AppData\Local\Temp\7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe (PID 2680, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a48648f003a6e73df32a03ca23bba789f1f683b20cb3ab25f95ff4f3b5cfb1a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un625662.exe (PID 412, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un625662.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9277.exe (PID 3388, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9277.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1728, level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1004
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7507.exe (PID 4596, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7507.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4788, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3388 -ip 3388
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Downloads
-
Filesize
524KB
MD5 191325ddae77e574d914e186b89bb7b9
SHA1 d2a77c6e5ea3d7a59ccf07b4a3d0f1cf7389f7dc
SHA256 e8b65e7e720589b6479f6abd90ad4ab98992371da90d0a96cf9895b111984bf0
SHA512 60598e7f669a7e038d50ec8f4d9aa039feaa3185d1607557c8b0951478cc1275697b907d84a9c734f0d9d2001a707f456fc982c2f80b9dfcd58e47186b8e8ed6
-
Filesize
294KB
MD5 3b60d87fafb57c0e40da1bc0ac53c840
SHA1 1b4eb4cf63870942a18dd9d71aefc1c43a649e92
SHA256 2f863a2d64d125d6a439a413fdab0b05b06bd2bb060e5a24e31fe040563bc061
SHA512 71439fcad99c2aeeac4d72c8e6f0cf09c339ff0839b7441ce964a59eead185b488055a92f1fe7a8c8272c05738ff31fc2fa3f2c7f88a5191bd15db2cf437d432
-
Filesize
352KB
MD5 a948350de3ac12b995ca7bb7d52db51c
SHA1 858befdff12f7a2ae9b1777b93182dc08af1ce44
SHA256 7176eb922cf2dfa05ebaafe9ab5edea84190e0e15639e73e7774c3588e45e262
SHA512 c83fd75c40fd718467639ca519cd514bf951e5c26c7e6420c1d7080497ca462754b398925e7f9de048c2eab5b9ee1371b109ebeab977dc9fdf363329af323929