Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:08
Static task: static1
Behavioral task: behavioral1
Sample: b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe
Resource: win10v2004-20241007-en
General
Target: b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe
Size: 670KB
MD5: ff36442303a8588e807189f07893c500
SHA1: 34484a6e87792c376e028d59f8f41f7ddee02482
SHA256: b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f
SHA512: 96448bfae2f0e00af906fa5b448b927e196125a415d343bac48b0552bfdb579a7b57fc30d4fbe9201e18bff5ca71dde2b513be62406417dc4b8e2c2726b25454
SSDEEP: 12288:VMrSy90CFLiTbl9i2EW31U9TK7jka+7rHhYYMcRgxcpDzj3U4mbT/W:ny/+lIW31OLtPhYqRfpDf3ebDW
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1588-19-0x00000000023B0000-0x00000000023CA000-memory.dmp | healer
behavioral1/memory/1588-21-0x0000000002600000-0x0000000002618000-memory.dmp | healer
behavioral1/memory/1588-39-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-49-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-47-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-46-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-43-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-41-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-37-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-33-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-31-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-29-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-27-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-25-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-23-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-22-0x0000000002600000-0x0000000002612000-memory.dmp | healer
behavioral1/memory/1588-35-0x0000000002600000-0x0000000002612000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4468.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4468.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4468.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4468.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4468.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4468.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/1484-60-0x0000000002700000-0x0000000002746000-memory.dmp | family_redline
behavioral1/memory/1484-61-0x0000000002780000-0x00000000027C4000-memory.dmp | family_redline
behavioral1/memory/1484-69-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-75-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-73-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-71-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-87-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-67-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-65-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-63-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-62-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-95-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-93-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-91-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-89-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-85-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-84-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-81-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-79-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
behavioral1/memory/1484-77-0x0000000002780000-0x00000000027BF000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
2040 | un209392.exe
1588 | pro4468.exe
1484 | qu6404.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4468.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4468.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un209392.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1176 | 1588 | WerFault.exe | 86
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un209392.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro4468.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu6404.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1588 | pro4468.exe
1588 | pro4468.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1588 | pro4468.exe
Token: SeDebugPrivilege | 1484 | qu6404.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1268 wrote to memory of 2040 | 1268 | b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe | 84
PID 1268 wrote to memory of 2040 | 1268 | b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe | 84
PID 1268 wrote to memory of 2040 | 1268 | b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe | 84
PID 2040 wrote to memory of 1588 | 2040 | un209392.exe | 86
PID 2040 wrote to memory of 1588 | 2040 | un209392.exe | 86
PID 2040 wrote to memory of 1588 | 2040 | un209392.exe | 86
PID 2040 wrote to memory of 1484 | 2040 | un209392.exe | 95
PID 2040 wrote to memory of 1484 | 2040 | un209392.exe | 95
PID 2040 wrote to memory of 1484 | 2040 | un209392.exe | 95
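The Defender real-time-protection policy writes, the TamperProtection write and the two RunOnce entries in the signatures above are the registry behaviour a detection engineer would want to alert on. The following is an added example, not part of this sandbox report or of any tool it names: a small evaluator over Sysmon-style registry events (EventID 12/13 records with Image, TargetObject and Details fields, which is an assumption about the log source). The events are constructed from the IoCs listed above plus two negatives, and the rule names are hypothetical. Two caveats: the report only shows that pro4468.exe attempted these writes, not whether Defender honoured them, and the wextract_cleanupN value pointing at advpack.dll,DelNodeRunDLL32 is the normal cleanup record of Microsoft's wextract/IExpress self-extractor, so it is graded as a staging indicator rather than as malicious on its own.

```python
"""Flag Defender tampering and wextract/IExpress staging from Sysmon registry events.

Added example for this report, not sandbox output. Event dictionaries mimic Sysmon
Event ID 12/13 fields (assumed log source); SAMPLE_EVENTS is constructed from the
IoCs in the report plus two negatives.
"""
import re
from dataclasses import dataclass

# Paths as Sysmon reports them (HKLM\ prefix). The optional WOW6432Node component
# matters: the writers in this report are 32-bit processes, so their writes are
# logged under the WOW6432Node view of HKLM\SOFTWARE.
_RTP_POLICY = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\(?P<value>[A-Za-z]+)$", re.IGNORECASE)
_TAMPER = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows Defender"
    r"\\Features\\TamperProtection$", re.IGNORECASE)
_RUNONCE_WEXTRACT = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

# The five policy values pro4468.exe sets to 1 in this report.
RTP_DISABLE_VALUES = frozenset({
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
})


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    rule: str       # hypothetical rule names chosen for this example
    image: str      # writing process
    target: str     # registry value that was set


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = _DWORD.match(details)
    return int(m.group(1), 16) if m else None


def evaluate(events):
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:        # only value-set events carry data
            continue
        target, details, image = ev["TargetObject"], ev["Details"], ev["Image"]
        m = _RTP_POLICY.match(target)
        if m and m.group("value") in RTP_DISABLE_VALUES and parse_dword(details) == 1:
            findings.append(Finding("high", "defender_rtp_disabled", image, target))
        elif _TAMPER.match(target) and parse_dword(details) == 0:
            findings.append(Finding("high", "defender_tamper_protection_off", image, target))
        elif _RUNONCE_WEXTRACT.match(target) and "advpack.dll,delnoderundll32" in details.lower():
            # Standard cleanup entry of the wextract/IExpress SFX stub: a staging
            # indicator for IXP###.TMP extraction, not malicious on its own.
            findings.append(Finding("info", "wextract_sfx_cleanup", image, target))
    return findings


def summarize(findings):
    """Collapse findings per writing process: {image basename: sorted rule names}."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f.image.rsplit("\\", 1)[-1], set()).add(f.rule)
    return {k: sorted(v) for k, v in by_image.items()}


# Constructed sample events, built from the IoCs in the report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe"
PRO = TEMP + r"\IXP001.TMP\pro4468.exe"
RTP_KEY = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "


def _ev(event_id, image, target, details=""):
    return {"EventID": event_id, "Image": image, "TargetObject": target, "Details": details}


SAMPLE_EVENTS = (
    [_ev(12, PRO, RTP_KEY)]  # key creation is logged but is not a finding by itself
    + [_ev(13, PRO, RTP_KEY + "\\" + v, "DWORD (0x00000001)") for v in sorted(RTP_DISABLE_VALUES)]
    + [
        _ev(13, PRO, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
            "DWORD (0x00000000)"),
        _ev(13, SAMPLE_EXE, RUNONCE + r"\wextract_cleanup0", CLEANUP + '"' + TEMP + r'\IXP000.TMP\"'),
        _ev(13, TEMP + r"\IXP000.TMP\un209392.exe", RUNONCE + r"\wextract_cleanup1",
            CLEANUP + '"' + TEMP + r'\IXP001.TMP\"'),
        # constructed negatives: an admin re-enabling real-time monitoring, an unrelated DWORD
        _ev(13, r"C:\Windows\regedit.exe",
            r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
            "DWORD (0x00000000)"),
        _ev(13, r"C:\Program Files\Example\app.exe", r"HKCU\Software\Example\LastRun", "DWORD (0x00000001)"),
    ]
)

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        writer = f.image.rsplit("\\", 1)[-1]
        print(f"[{f.severity}] {f.rule}: {writer} -> {f.target}")
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

Note the optional WOW6432Node component in each pattern: the writers in this report are 32-bit, so a rule that hard-codes only the native HKLM\SOFTWARE\Policies path misses them, and one that hard-codes only the WOW6432Node path misses a 64-bit dropper doing the same thing.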
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1268
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209392.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un209392.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2040
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4468.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4468.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 1588
         4. C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1100
            - Program crash
            PID: 1176
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6404.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6404.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 1484
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1588 -ip 1588
   PID: 4500
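The tree above is a two-level self-extractor chain: the sample unpacks into IXP000.TMP and runs un209392.exe, which unpacks into IXP001.TMP and runs pro4468.exe (the Healer dropper, which crashes and is picked up by WerFault) and qu6404.exe (the RedLine payload). As an added example that is not part of the report, the code below rebuilds such a tree from Sysmon process-creation events (EventID 1 records with ProcessId, ParentProcessId, Image and CommandLine, an assumption about the log source), flags processes that run from an IXP###.TMP directory and were themselves started by a process running from an IXP directory, and correlates WerFault's -p argument to show which stage crashed. The events are constructed from the PIDs and paths in the report; the parent PIDs of the two roots and the depth threshold are choices made for this example.

```python
"""Rebuild a process tree from Sysmon Event ID 1 records and flag nested
wextract/IExpress staging (IXP###.TMP inside IXP###.TMP).

Added example for this report, not sandbox output. SAMPLE_EVENTS is constructed
from the report's PIDs and paths; parent PIDs 4200 and 900 are invented.
"""
import re
from collections import defaultdict

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)   # wextract staging directory
WER_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")                # pid WerFault is reporting on


def _base(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(events):
    procs = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    return procs, children


def ixp_depth(pid, procs):
    """Count processes on the chain root..pid whose image lives in an IXP###.TMP dir."""
    depth, seen = 0, set()
    while pid in procs and pid not in seen:          # 'seen' guards against pid reuse loops
        seen.add(pid)
        if IXP_DIR.search(procs[pid]["Image"]):
            depth += 1
        pid = procs[pid]["ParentProcessId"]
    return depth


def find_nested_sfx(events, min_depth=2):
    """Processes that run from an IXP dir and were spawned by an IXP-dir process.
    One SFX level is common for legitimate installers; two stacked levels is the
    pattern in this report (threshold is a choice for this example)."""
    procs, _ = build_tree(events)
    hits = [(pid, _base(e["Image"]), ixp_depth(pid, procs))
            for pid, e in procs.items() if IXP_DIR.search(e["Image"])]
    return sorted(h for h in hits if h[2] >= min_depth)


def crashed_stages(events):
    """Map flagged pids to image names where a WerFault instance reports them crashing."""
    procs, _ = build_tree(events)
    flagged = {pid for pid, _, _ in find_nested_sfx(events)}
    out = {}
    for e in procs.values():
        if _base(e["Image"]).lower() == "werfault.exe":
            m = WER_TARGET.search(e["CommandLine"])
            if m and int(m.group(1)) in flagged:
                target = int(m.group(1))
                out[target] = _base(procs[target]["Image"])
    return out


def render(events):
    """Indented tree, roots first; a root is any process whose parent was not logged."""
    procs, children = build_tree(events)
    lines = []

    def walk(pid, indent):
        lines.append("  " * indent + f"{pid} {_base(procs[pid]['Image'])}")
        for child in sorted(children[pid]):
            walk(child, indent + 1)

    for root in sorted(p for p, e in procs.items() if e["ParentProcessId"] not in procs):
        walk(root, 0)
    return "\n".join(lines)


# Constructed sample events mirroring the report's process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WER = r"C:\Windows\SysWOW64\WerFault.exe"


def _proc(pid, ppid, image, cmdline=None):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline or image}


SAMPLE_EVENTS = [
    _proc(1268, 4200, TEMP + r"\b0600ac6c8dfbf80304661271530fee1d19bda29b03b05a4eb88845b5ff2548f.exe"),
    _proc(2040, 1268, TEMP + r"\IXP000.TMP\un209392.exe"),
    _proc(1588, 2040, TEMP + r"\IXP001.TMP\pro4468.exe"),
    _proc(1176, 1588, WER, WER + " -u -p 1588 -s 1100"),
    _proc(1484, 2040, TEMP + r"\IXP001.TMP\qu6404.exe"),
    _proc(4500, 900, WER, WER + " -pss -s 440 -p 1588 -ip 1588"),
]

if __name__ == "__main__":
    print(render(SAMPLE_EVENTS))
    print("nested SFX stages:", find_nested_sfx(SAMPLE_EVENTS))
    print("crashed stages:", crashed_stages(SAMPLE_EVENTS))
```

un209392.exe sits at depth 1 and is not flagged on its own; pro4468.exe and qu6404.exe are flagged at depth 2, and the WerFault command lines resolve the crash to pro4468.exe, matching the Program crash signature above.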
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize: 517KB
MD5: aef21b4474fa2bd682c0e05f60ce6374
SHA1: 368c6978b20f12d20f7140fb604cd3a04acd0584
SHA256: a5f60dfb05e6a07e486b3f539488e26e68eb51c4ace5cfb56cca121e2d6f1910
SHA512: d1650609281ebcdc959347c9a9ca0116ca9166bd332ca9297538c9af41f9dd9adfa6c8e7f90bc9dc9021ba29f62f534a90f8c5176ea89fb6c1fa720c1be39c07
-
Filesize: 237KB
MD5: 66d2d362adc0111a1d8deb6edc161f16
SHA1: 800042fc4cef1aa60d4f21722d1dc1430ac4c68b
SHA256: 251d59ae8fb5b72eb0a29bff19de7df4e5ccdcd8d47ed0231c59d153421a37f0
SHA512: 73eb9d513e02c94c4a0745ed392ad5ffb8be5dcdcbacfb2985008a26b15befe0aa17f7af23d4d43dffc133ea5df3ca6fb8d10868c205876a3a0d2b37c48c5559
-
Filesize: 295KB
MD5: 9ed87843c09688dbeae148ab20805c07
SHA1: 04a177c6962d302b5a6c65fe9238883587a50ee7
SHA256: 46508a93b1ff836af0126d059e929885efe5edf2acfc20c2894540b8c0ac8de2
SHA512: 7c8e2443e1261ff06dbbcc8bd3329d35a5ef22e74666a9e4930c5f681cb70f37d666903afd845dcafa7bb7a142c9bd41c4f947a2f387b1e7c5711fe7b2c342f9