Analysis

max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:08

Static task: static1
Behavioral task: behavioral1
Sample: 6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe
Resource: win10v2004-20241007-en
General

Target: 6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe
Size: 892KB
MD5: 6b5c9861b6eb2470bf72254b0515038d
SHA1: c72409d3c525d4f3ed730d1dc9c5c163abe1a5cf
SHA256: 6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8
SHA512: bf8ddde225fb768779f36e4633ae4a918d716816b5b040ef16e8c2dc4309d84e8a484b3d99d65dbd67b661aa544268ad480399ea7cf399fa0cf75ea537e69793
SSDEEP: 12288:XMrly90oG/7GAHlgMEKzTLDKi+CfumMNDVnxaew9BEb0d0grXHcgapC3VueJtXSL:qymTGAFOUqi3WmMNVMzd9rbdJYlJ
Malware Config

Extracted
Family: redline
Botnet: ruzhpe
C2: pepunn.com:4162
auth_value: f735ced96ae8d01d0bd1d514240e54e0
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings (12 IoCs)

Process: beIs80yU85.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"

Process: ctuj55YQ70.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (5 IoCs)
- PID 2932: ptwo9630RU.exe
- PID 5008: ptNf9956Ar.exe
- PID 3892: beIs80yU85.exe
- PID 2076: ctuj55YQ70.exe
- PID 4980: hk71FL04rc05.exe

Windows security modification (3 IoCs)
- ctuj55YQ70.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
- beIs80yU85.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- beIs80yU85.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 3 IoCs)
- 6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
- ptwo9630RU.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
- ptNf9956Ar.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
- PID 5804: sc.exe

Program crash (1 IoC)
- PID 4372: WerFault.exe (target PID 3892, procid_target 88)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- beIs80yU85.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- hk71FL04rc05.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ptwo9630RU.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ptNf9956Ar.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 3892: beIs80yU85.exe (2 events)
- PID 2076: ctuj55YQ70.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- PID 3892 beIs80yU85.exe: Token: SeDebugPrivilege
- PID 2076 ctuj55YQ70.exe: Token: SeDebugPrivilege
- PID 4980 hk71FL04rc05.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 4432 (6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe) wrote to memory of PID 2932, procid_target 84 (3 events)
- PID 2932 (ptwo9630RU.exe) wrote to memory of PID 5008, procid_target 85 (3 events)
- PID 5008 (ptNf9956Ar.exe) wrote to memory of PID 3892, procid_target 88 (3 events)
- PID 5008 (ptNf9956Ar.exe) wrote to memory of PID 2076, procid_target 97 (2 events)
- PID 2932 (ptwo9630RU.exe) wrote to memory of PID 4980, procid_target 98 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ddd914c678737361da22ba25a84deb28639ae87dc1b7fc5ef38e2ca674b4ef8.exe"
  PID: 4432
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwo9630RU.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwo9630RU.exe
    PID: 2932
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptNf9956Ar.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptNf9956Ar.exe
      PID: 5008
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beIs80yU85.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beIs80yU85.exe
        PID: 3892
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1084
          PID: 4372
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctuj55YQ70.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctuj55YQ70.exe
        PID: 2076
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk71FL04rc05.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk71FL04rc05.exe
      PID: 4980
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3892 -ip 3892
  PID: 5028

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 5804
  - Launches sc.exe
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads