Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:04
Static task: static1
Behavioral task: behavioral1
Sample: 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe
Resource: win10v2004-20241007-en
General
Target: 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe
Size: 658KB
MD5: e76c9decb4ae1e283ac29e3c8c28dcad
SHA1: dd2066708aef2cf9613b666c08e5843fc0744e40
SHA256: 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02
SHA512: 002290e913d69637e2095bb899f9f27d56dd0552e04c581e9d50466f9aef8e2b285f2cfeb5e7d80c3b7c1ce4ebf8836e2988693e950f3d8a5dec91f4a34d102c
SSDEEP: 12288:2Mrmy900KKL9Sqe7RojJrkNBntysHQTsEWUR/qnm447zWKly8vEpE:MykCSqeVUruttFwAFURinP4mKAE
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro2661.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro2661.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro2661.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro2661.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro2661.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro2661.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4472 | un322341.exe
4080 | pro2661.exe
3656 | qu2714.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro2661.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro2661.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un322341.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2340 | sc.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3092 | 4080 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un322341.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro2661.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu2714.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4080 | pro2661.exe
4080 | pro2661.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4080 | pro2661.exe
Token: SeDebugPrivilege | 3656 | qu2714.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4192 wrote to memory of 4472 | 4192 | 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe | 84
PID 4192 wrote to memory of 4472 | 4192 | 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe | 84
PID 4192 wrote to memory of 4472 | 4192 | 40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe | 84
PID 4472 wrote to memory of 4080 | 4472 | un322341.exe | 85
PID 4472 wrote to memory of 4080 | 4472 | un322341.exe | 85
PID 4472 wrote to memory of 4080 | 4472 | un322341.exe | 85
PID 4472 wrote to memory of 3656 | 4472 | un322341.exe | 99
PID 4472 wrote to memory of 3656 | 4472 | un322341.exe | 99
PID 4472 wrote to memory of 3656 | 4472 | un322341.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\40debdc3203049a1b34d09bf6c992dc4d717aa823af985b63a4582148f46ff02.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4192

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un322341.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4472

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2661.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4080

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1080
        - Program crash
        PID: 3092

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2714.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3656

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4080 -ip 4080
  PID: 4384

C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 2340
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads