Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 05:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe
- Resource: win10v2004-20241007-en
General
- Target: 33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe
- Size: 678KB
- MD5: 6e4a450b1b7dbcfa44c24291ee9f5144
- SHA1: f1a2827b0b0cd0aaeb3147d1bf9c00bbbcb904f7
- SHA256: 33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa
- SHA512: 2196f1a70a7f94f30848257ca51f7311945a8190c578ec9405a4fe2a0a1a3187655347d48dd4e6dbc3a1e679f69dbe74336554367327f31352d42b93e0552d24
- SSDEEP: 12288:5Mrmy90hHkUEgMZtPH6OqaDFZnUvW0+44XKZQdAJtmEXken7Rxc7ljw1/:7y7rtNK+ZaZVbXflx+jw1/
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro5030.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro5030.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro5030.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro5030.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro5030.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro5030.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
- PID 2648: un289129.exe
- PID 4820: pro5030.exe
- PID 5056: qu8757.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro5030.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro5030.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un289129.exe)
Program crash (1 IoCs)
- PID 4944 (WerFault.exe), pid_target 4820, procid_target 86
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un289129.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro5030.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu8757.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4820: pro5030.exe
- PID 4820: pro5030.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4820 (pro5030.exe)
- Token: SeDebugPrivilege, PID 5056 (qu8757.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1708 wrote to memory of 2648 (33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe, procid_target 85)
- PID 1708 wrote to memory of 2648 (33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe, procid_target 85)
- PID 1708 wrote to memory of 2648 (33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe, procid_target 85)
- PID 2648 wrote to memory of 4820 (un289129.exe, procid_target 86)
- PID 2648 wrote to memory of 4820 (un289129.exe, procid_target 86)
- PID 2648 wrote to memory of 4820 (un289129.exe, procid_target 86)
- PID 2648 wrote to memory of 5056 (un289129.exe, procid_target 96)
- PID 2648 wrote to memory of 5056 (un289129.exe, procid_target 96)
- PID 2648 wrote to memory of 5056 (un289129.exe, procid_target 96)
Processes
- C:\Users\Admin\AppData\Local\Temp\33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33e8c4342843c8ec98beee3eae67dd93c47222be73fd9dd2355e0cb5b2eabbaa.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un289129.exe (PID 2648)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un289129.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5030.exe (PID 4820)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5030.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4944)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1104
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8757.exe (PID 5056)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8757.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2604)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4820 -ip 4820
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 524KB
  MD5: c9590a62034f56aac562120dd0e17788
  SHA1: 60a9f28e9c78417d21938fe1891a4805057169f0
  SHA256: 4c67a5cb022a74335bf7d78a26d106494de6e444732275ec29b5dc8c27a328b6
  SHA512: 6e0502b613873e91bd225b4359859cba2c64d8b1a06920f5be98ed69f1bb0518a2265e873177b0de3dcbc52bb20940b04a23355f24ecef23fad0ed73070b8b67
- Filesize: 289KB
  MD5: a03288b0bd561eab8c55d9d2087c4895
  SHA1: 3d5f2f1e3c99292910d79d44e9e3f6ba68732c9a
  SHA256: f85d28a1227215ad7ea7b73e5eca8506bb7b7cd22cdaef3936338b8be6349a2a
  SHA512: d6ed7285ddedb941aec3b50528b8829098a6f1d64a83bfd25dade8265375d5396a88ae1f584a67db9911aea7f617e73ef71c8a656cddcde2b013a8dbde91de74
- Filesize: 348KB
  MD5: 4daeaeee1ef86d648d92322f81c3445f
  SHA1: 4e3730174357b5b73eec8fbb9371a663dfc9264c
  SHA256: 79ace76454bd4322b5a2a75b09e417ce941115ebfec1b876fcd38e012de92f0d
  SHA512: 2136755d27fe18dc1b57de4437f1afd747ad9b4f074b281d677dfb6d7e9eabdd891c212563ce67042ebda6b11f1d51270cfc8c0e39edc0522ba855edfd095fb7