Analysis
-
max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
09/11/2024, 05:08
Static task
static1
Behavioral task
behavioral1
Sample
74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe
Resource
win10v2004-20241007-en
General
-
Target
74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe
-
Size
776KB
-
MD5
dca5b9c8024d33be822baf851f083a25
-
SHA1
da33bf98a7f7a7686be196d5810a9a35ec6079fc
-
SHA256
74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4
-
SHA512
601a6d5a03542f2b60b709d5ea56ff4649eef1ee12155bd14e1b635d71f6f6084903086d1fd3b8cbd783d05835001f1d23c3edc98910c1d264df08b0353244e5
-
SSDEEP
12288:cMrLy90edxnvFXqjq3EWBXqDodRLRy+PEagcJLrc9mJ3KVFIraQ5Ua9urVkiBto:Py77nN73E4dby+PEahc9mJTrUmp
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detects Healer, an antivirus disabler dropper 19 IoCs
resource  yara_rule
behavioral1/files/0x0009000000023bac-19.dat  healer
behavioral1/memory/1616-22-0x00000000006B0000-0x00000000006BA000-memory.dmp  healer
behavioral1/memory/1824-29-0x0000000002270000-0x000000000228A000-memory.dmp  healer
behavioral1/memory/1824-31-0x0000000004A50000-0x0000000004A68000-memory.dmp  healer
behavioral1/memory/1824-59-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-57-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-55-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-53-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-51-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-49-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-47-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-45-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-43-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-41-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-39-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-37-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-36-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-33-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
behavioral1/memory/1824-32-0x0000000004A50000-0x0000000004A62000-memory.dmp  healer
Healer family
-
Modifies Windows Defender Real-time Protection settings 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  f3085Ep.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  h15ie28.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  h15ie28.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  h15ie28.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  h15ie28.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  h15ie28.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  f3085Ep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  f3085Ep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  f3085Ep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  f3085Ep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  f3085Ep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  h15ie28.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/224-67-0x0000000004910000-0x0000000004956000-memory.dmp  family_redline
behavioral1/memory/224-68-0x00000000050B0000-0x00000000050F4000-memory.dmp  family_redline
behavioral1/memory/224-88-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-96-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-100-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-98-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-94-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-92-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-90-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-86-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-84-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-82-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-80-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-78-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-74-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-102-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-76-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-72-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-70-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
behavioral1/memory/224-69-0x00000000050B0000-0x00000000050EE000-memory.dmp  family_redline
Redline family
-
Executes dropped EXE 5 IoCs
pid   Process
3696  niba2851.exe
3248  niba0817.exe
1616  f3085Ep.exe
1824  h15ie28.exe
224   iAWkJ90.exe
-
Windows security modification 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  f3085Ep.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  h15ie28.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  h15ie28.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  niba2851.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  niba0817.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
1744  sc.exe
Program crash 1 IoCs
pid   pid_target  Process       procid_target
1116  1824        WerFault.exe  99
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  niba2851.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  niba0817.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  h15ie28.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iAWkJ90.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
1616  f3085Ep.exe
1616  f3085Ep.exe
1824  h15ie28.exe
1824  h15ie28.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  1616  f3085Ep.exe
Token: SeDebugPrivilege  1824  h15ie28.exe
Token: SeDebugPrivilege  224   iAWkJ90.exe
Suspicious use of WriteProcessMemory 14 IoCs
description                        pid   Process  procid_target
PID 4504 wrote to memory of 3696  4504  74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe  85
PID 4504 wrote to memory of 3696  4504  74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe  85
PID 4504 wrote to memory of 3696  4504  74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe  85
PID 3696 wrote to memory of 3248  3696  niba2851.exe  87
PID 3696 wrote to memory of 3248  3696  niba2851.exe  87
PID 3696 wrote to memory of 3248  3696  niba2851.exe  87
PID 3248 wrote to memory of 1616  3248  niba0817.exe  88
PID 3248 wrote to memory of 1616  3248  niba0817.exe  88
PID 3248 wrote to memory of 1824  3248  niba0817.exe  99
PID 3248 wrote to memory of 1824  3248  niba0817.exe  99
PID 3248 wrote to memory of 1824  3248  niba0817.exe  99
PID 3696 wrote to memory of 224   3696  niba2851.exe  104
PID 3696 wrote to memory of 224   3696  niba2851.exe  104
PID 3696 wrote to memory of 224   3696  niba2851.exe  104
Processes
-
C:\Users\Admin\AppData\Local\Temp\74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe
command line: "C:\Users\Admin\AppData\Local\Temp\74fe061630473f36b4b40299496ba7e0b6ce119e42a08f97c5ac2377694afdc4.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4504
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2851.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2851.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3696
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0817.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0817.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3248
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3085Ep.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3085Ep.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1616
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h15ie28.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h15ie28.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1824
                C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1020
                - Program crash
                PID: 1116
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iAWkJ90.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iAWkJ90.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 224

C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1824 -ip 1824
PID: 2440

C:\Windows\system32\sc.exe
command line: C:\Windows\system32\sc.exe start wuauserv
- Launches sc.exe
PID: 1744
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads