Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:07
Static task: static1
Behavioral task: behavioral1
Sample: 62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe
Resource: win10v2004-20241007-en
General
Target: 62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe
Size: 659KB
MD5: deec95eef463f6b0ab4948e017e83995
SHA1: a9f61acc3d814244c7fc746a37a245d83117ff77
SHA256: 62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1
SHA512: 5ef3e06d5336b0b972d6d1b92ae110953c2abb558e80798232d7fb1467c39a29e7c97af167a19c74ddc5e7d4bf1046395833f25b7d18dd0cafb25c72e8387828
SSDEEP: 12288:JMrty90wSoyC/zR3F/5EGPXR8IquBZjQZax51SFMzOhgg:8y7SLOzpFFPefaf4Gyig
Malware Config
Extracted: redline
rosto
hueref.eu:4162
auth_value: 07d81eba8cad42bbd0ae60042d48eac6
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
ursx89cf56.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
ursx89cf56.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
ursx89cf56.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
ursx89cf56.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
ursx89cf56.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
ursx89cf56.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
PID 3604: yctD80Kq28.exe
PID 3780: ursx89cf56.exe
PID 4520: wrcT53AU03.exe
Windows security modification
ursx89cf56.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
ursx89cf56.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
yctD80Kq28.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
WerFault.exe (PID 4264), target PID 3780, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
yctD80Kq28.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ursx89cf56.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
wrcT53AU03.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 3780: ursx89cf56.exe
PID 3780: ursx89cf56.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 3780: ursx89cf56.exe
Token: SeDebugPrivilege, PID 4520: wrcT53AU03.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 3860 wrote to memory of 3604 (62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe, procid_target 83)
PID 3860 wrote to memory of 3604 (62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe, procid_target 83)
PID 3860 wrote to memory of 3604 (62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe, procid_target 83)
PID 3604 wrote to memory of 3780 (yctD80Kq28.exe, procid_target 84)
PID 3604 wrote to memory of 3780 (yctD80Kq28.exe, procid_target 84)
PID 3604 wrote to memory of 3780 (yctD80Kq28.exe, procid_target 84)
PID 3604 wrote to memory of 4520 (yctD80Kq28.exe, procid_target 99)
PID 3604 wrote to memory of 4520 (yctD80Kq28.exe, procid_target 99)
PID 3604 wrote to memory of 4520 (yctD80Kq28.exe, procid_target 99)
Processes
C:\Users\Admin\AppData\Local\Temp\62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe (PID 3860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\62ac37bea8be7f768ebdaea78a3575a3c88133e31854e8dd8ccfd719f3e0e7f1.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yctD80Kq28.exe (PID 3604)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yctD80Kq28.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ursx89cf56.exe (PID 3780)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ursx89cf56.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 4264)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrcT53AU03.exe (PID 4520)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrcT53AU03.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 3444)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3780 -ip 3780
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 514KB
MD5: 9bd6fdc36d00a0da3bdd1391b090ead9
SHA1: d142f7dbf017159a67023d862ab6d0afa74b5034
SHA256: f92f46e9d31cc7b5425a7166f440cb7d1c91497b5c18c75e596251065f13edc2
SHA512: e4caa27a5d1aef8bba5f626ba1e33c6fcecad6c46b1d6d6fead847df9c870cf2bab1945d5b6f4ec9997e54979369731e088682148c6d406efec51c6536f3b0a4

Filesize: 232KB
MD5: 654d38a192aa90f8f2d4c64647ed64d1
SHA1: 366c844b2fc2b4c0b0191754d4a1470e1763ccb4
SHA256: 93f2d867562d5187beac7b8d7a55a8f435b7bbab77152b0c7bb3f8c22c2d23a2
SHA512: 9ce88068e0e4cfac55467fbccc2621bbe431353bf4faf6a0957a6ae38f083023fbd130abb423e35f344e4d3952aed8470eba47c3ab71ff7ec61ff5a79aa80303

Filesize: 289KB
MD5: 1c795044102f7759152f7661b15c22bf
SHA1: 66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224
SHA256: 8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4
SHA512: 8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1