Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:04

Static task: static1
Behavioral task: behavioral1
Sample: 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe
Resource: win10v2004-20241007-en
General
Target: 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe
Size: 663KB
MD5: ea646b4237b247721cc397ff4062ac5d
SHA1: 888eff0a049ec68e2ac2a601d3289cd96aba6e75
SHA256: 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b
SHA512: 81777b9d0849b1d270ee625f7e3bf890ced25cac99145440f5672bf1f1be3a56cf1ce2edbac87cfb78dbcac099cae6f319587e84f8b96bbccdcf566f055fab21
SSDEEP: 12288:NMr8y90X80AgZS7zwSDprl72vkEuZMrFm2qE70um62u8Xo:VycybfVrhKoaxm2qE70s2uN
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/4584-19-0x0000000002570000-0x000000000258A000-memory.dmp | healer
behavioral1/memory/4584-21-0x0000000002700000-0x0000000002718000-memory.dmp | healer
behavioral1/memory/4584-22-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-37-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-49-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-47-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-45-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-43-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-41-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-39-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-35-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-33-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-31-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-29-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-27-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-25-0x0000000002700000-0x0000000002712000-memory.dmp | healer
behavioral1/memory/4584-23-0x0000000002700000-0x0000000002712000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9282.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9282.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9282.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9282.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9282.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9282.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4712-60-0x00000000023C0000-0x0000000002406000-memory.dmp | family_redline
behavioral1/memory/4712-61-0x0000000004AD0000-0x0000000004B14000-memory.dmp | family_redline
behavioral1/memory/4712-65-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-63-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-62-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-79-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-95-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-93-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-91-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-87-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-85-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-84-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-77-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-75-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-73-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-72-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-69-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-68-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-89-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline
behavioral1/memory/4712-81-0x0000000004AD0000-0x0000000004B0F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4648 | un986624.exe
4584 | pro9282.exe
4712 | qu3458.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9282.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9282.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un986624.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un986624.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro9282.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3458.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4584 | pro9282.exe
4584 | pro9282.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4584 | pro9282.exe
Token: SeDebugPrivilege | 4712 | qu3458.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1612 wrote to memory of 4648 | 1612 | 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe | 83
PID 1612 wrote to memory of 4648 | 1612 | 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe | 83
PID 1612 wrote to memory of 4648 | 1612 | 293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe | 83
PID 4648 wrote to memory of 4584 | 4648 | un986624.exe | 84
PID 4648 wrote to memory of 4584 | 4648 | un986624.exe | 84
PID 4648 wrote to memory of 4584 | 4648 | un986624.exe | 84
PID 4648 wrote to memory of 4712 | 4648 | un986624.exe | 97
PID 4648 wrote to memory of 4712 | 4648 | un986624.exe | 97
PID 4648 wrote to memory of 4712 | 4648 | un986624.exe | 97
Processes

1. C:\Users\Admin\AppData\Local\Temp\293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\293c7419343e6ed4440a63aca7e2e268718d9462547c4461b0840af433abd84b.exe"
   PID: 1612
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un986624.exe
      PID: 4648
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9282.exe
         PID: 4584
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3458.exe
         PID: 4712
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 521KB
MD5: bc7e8f80f37c8421e0a8cc28f1b935f0
SHA1: 28cb0137298019588e6ac7ef89bda4c20f374df8
SHA256: 3a1db85e182fbca5ac7c604a9a22d3bfcebe8eec55e95772df446fe38134663c
SHA512: 6e4d5a4e44cc62c3787b45bd51b146f54177063c0206e8e9d8d7727e3d24c13b2bf8ee94c95597eb8b6b77ca42be837a83817186d3ffd3b6a8a9d191bfac4ea4

Filesize: 236KB
MD5: 10233ca6892fdece6d57faafb641d3f5
SHA1: fb47ce1f3acdf1dc6730f102c028532bac1af375
SHA256: 909a907a61c37121599fd2997b7b234c68f97c757b6061e86bb7d4ae4770c478
SHA512: a4aec83f905fb9deb820604a2400fa77eff6aadb3cdaeeb18671ce3110e4a9c3514f10b84474ea1e158a42f12695bccfa867a41a2f262f5deac96222890c56d2

Filesize: 295KB
MD5: eb9ab35b51431ef860e2384079699bd4
SHA1: 4b800bdd763b217fb33ba6237cd1355e2b8a6625
SHA256: c5c643d024ca73e992b1ead9751cf7b5f28a584dfc6194d7a52a8036b49eed44
SHA512: 53332183bdda5384ddc38e315260af6306da89f9436910b4ecb4c3f4017c10a4ee25631d223de7e3dca2d950a2577f3dea9eaf258575f9566964845aecaf679e