Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:09
Static task: static1
Behavioral task: behavioral1
Sample: 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe
Resource: win10v2004-20241007-en
General
Target: 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe
Size: 658KB
MD5: e31de6293a24ac7e243fefe30893b408
SHA1: 7a0a8dd92ee9eba060649791751c2cd5e3c78b78
SHA256: 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b
SHA512: c0db64717f6e6f4197283a03213a11eb79f9b95643e63227770b248bd5ec777b3cc2ffa41070cba4c9a4aa3cbf7026d88cbf3dffe46c5b75fb76f856a1cc1dbd
SSDEEP: 12288:aMrOy90QReITw4cab0sZqn01zixzQJPZ31R4IP7lQdgfPbeY9B6G:YypRHwywsZ401+xsFyy7lQ+fPSY9V
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2540-18-0x0000000004A40000-0x0000000004A5A000-memory.dmp | healer
behavioral1/memory/2540-20-0x0000000007110000-0x0000000007128000-memory.dmp | healer
behavioral1/memory/2540-23-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-48-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-46-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-44-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-42-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-40-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-38-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-36-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-34-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-32-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-30-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-28-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-26-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-24-0x0000000007110000-0x0000000007122000-memory.dmp | healer
behavioral1/memory/2540-21-0x0000000007110000-0x0000000007122000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5652.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5652.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5652.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5652.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro5652.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5652.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4464-60-0x0000000004B50000-0x0000000004B96000-memory.dmp | family_redline
behavioral1/memory/4464-61-0x0000000007740000-0x0000000007784000-memory.dmp | family_redline
behavioral1/memory/4464-93-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-95-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-91-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-89-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-87-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-85-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-83-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-81-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-77-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-75-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-73-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-71-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-69-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-67-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-65-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-63-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-79-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline
behavioral1/memory/4464-62-0x0000000007740000-0x000000000777F000-memory.dmp | family_redline

RedLine family

Executes dropped EXE (3 IoCs)
pid | Process
2192 | un193496.exe
2540 | pro5652.exe
4464 | qu3104.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5652.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5652.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un193496.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1780 | 2540 | WerFault.exe | 84

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro5652.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3104.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un193496.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2540 | pro5652.exe
2540 | pro5652.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2540 | pro5652.exe
Token: SeDebugPrivilege | 4464 | qu3104.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2252 wrote to memory of 2192 | 2252 | 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe | 83
PID 2252 wrote to memory of 2192 | 2252 | 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe | 83
PID 2252 wrote to memory of 2192 | 2252 | 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe | 83
PID 2192 wrote to memory of 2540 | 2192 | un193496.exe | 84
PID 2192 wrote to memory of 2540 | 2192 | un193496.exe | 84
PID 2192 wrote to memory of 2540 | 2192 | un193496.exe | 84
PID 2192 wrote to memory of 4464 | 2192 | un193496.exe | 98
PID 2192 wrote to memory of 4464 | 2192 | un193496.exe | 98
PID 2192 wrote to memory of 4464 | 2192 | un193496.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2252

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2192

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2540

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1084
        - Program crash
        PID: 1780

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4464

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2540 -ip 2540
  PID: 4852
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads

Filesize: 516KB
MD5: 0b6757967148f63d4646e3a9962fdba1
SHA1: 1d0f9a80dd5e993b2137ed1ec4d1d6341e620568
SHA256: 569347686f1b4bfa455c32796f0d2316f046ec6304d4d16cb60d3eb5398b5b62
SHA512: 0cc45c188edde411652b0b735f5356cef1b79af77fc1d45f26f25e065957de9078eec6acf7165a23d4d71b218bedf7f729d5b92dbfde184e4a8cc707d24f1b38

Filesize: 284KB
MD5: 5a6c217d8e38307a56e57cdf154abc7c
SHA1: ede9eef581013d7050befce767ebd7b9cbcfd3d2
SHA256: 7b75883394b37d6d42f9a1fd0ec3d8516e48441935ea51b128a7f6da9c0f8f7f
SHA512: 4ea36a456e2cb0e12ef560f483920b536adf07021e34ae7e67af1941ca766e7482dd768dfbc480b1dd7bdcf65c7614297700330705a403d17ece0d5ce93b8759

Filesize: 342KB
MD5: 812153ffaf3811afdc07d1e5811043e6
SHA1: 7ee9e034ce8bb5cd3cf1bbf084365f210c13b0b0
SHA256: 935a1a653308fe7c376f305eda28b5c62ef9aa8ffa4863a6c90bfb29ba05d0c0
SHA512: 66d8788d45826a3bd173f5bc4b30e02d640ad4226ed5978988027b551c7a3657ce0f5244cf2eac8806ac4259fa0e9942f61f445ef2a7de959a17dc7ee9a3efe6