Analysis
max time kernel 149s
max time network 150s
platform windows10-2004_x64
resource win10v2004-20241007-en
resource tags arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted 09/11/2024, 05:11
Static task static1
Behavioral task behavioral1
Sample 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe
Resource win10v2004-20241007-en
General
Target 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe
Size 1.0MB
MD5 a6d11460f8b92c97a552fe876ef7740d
SHA1 b46e53a1fc5fb267783118f9603917265c55f9a1
SHA256 3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8
SHA512 b96a0db4c4f4a46730ffe8272f41745a27ed3b33e78f2c3b869ca763ab4e2f6590f087025e8cfd5efccc95dff76571ad736f4a0346afeb747be446bfab9645f0
SSDEEP 24576:3y9XKQ8YlxAhjuw7gd16FcXYf2yw/gTazjqxKWuAF:CpKVYlxU97K16LuzOaSoWuA
Malware Config
Extracted
Family redline
Botnet ronam
C2 193.233.20.17:4139
auth_value 125421d19d14dd7fd211bc7f6d4aea6c
Signatures
Detects Healer, an antivirus-disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/4032-29-0x0000000002500000-0x000000000251A000-memory.dmp  healer
behavioral1/memory/4032-31-0x00000000026C0000-0x00000000026D8000-memory.dmp  healer
behavioral1/memory/4032-35-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-59-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-58-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-55-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-53-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-51-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-49-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-47-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-45-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-43-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-41-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-39-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-37-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-32-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
behavioral1/memory/4032-33-0x00000000026C0000-0x00000000026D2000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  iVW07wr.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  iVW07wr.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  iVW07wr.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  iVW07wr.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  iVW07wr.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  iVW07wr.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (21 IoCs)
resource  yara_rule
behavioral1/memory/1140-67-0x00000000025E0000-0x0000000002626000-memory.dmp  family_redline
behavioral1/memory/1140-68-0x0000000002720000-0x0000000002764000-memory.dmp  family_redline
behavioral1/memory/1140-80-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-92-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-102-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-100-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-98-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-96-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-94-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-90-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-88-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-86-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-84-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-82-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-81-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-78-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-76-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-74-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-72-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-70-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
behavioral1/memory/1140-69-0x0000000002720000-0x000000000275E000-memory.dmp  family_redline
Redline family
Executes dropped EXE (5 IoCs)
pid  Process
2056  swN11hP.exe
1160  skV69rw.exe
3484  sRo69cx.exe
4032  iVW07wr.exe
1140  koo98Ar.exe
Windows security modification (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  iVW07wr.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  iVW07wr.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  swN11hP.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  skV69rw.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  sRo69cx.exe
Program crash (1 IoCs)
pid  pid_target  Process  procid_target
2772  4032  WerFault.exe  88
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  swN11hP.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  skV69rw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sRo69cx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iVW07wr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  koo98Ar.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
4032  iVW07wr.exe
4032  iVW07wr.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4032  iVW07wr.exe
Token: SeDebugPrivilege  1140  koo98Ar.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description  pid  Process  procid_target
PID 3360 wrote to memory of 2056  3360  3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe  84
PID 3360 wrote to memory of 2056  3360  3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe  84
PID 3360 wrote to memory of 2056  3360  3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe  84
PID 2056 wrote to memory of 1160  2056  swN11hP.exe  86
PID 2056 wrote to memory of 1160  2056  swN11hP.exe  86
PID 2056 wrote to memory of 1160  2056  swN11hP.exe  86
PID 1160 wrote to memory of 3484  1160  skV69rw.exe  87
PID 1160 wrote to memory of 3484  1160  skV69rw.exe  87
PID 1160 wrote to memory of 3484  1160  skV69rw.exe  87
PID 3484 wrote to memory of 4032  3484  sRo69cx.exe  88
PID 3484 wrote to memory of 4032  3484  sRo69cx.exe  88
PID 3484 wrote to memory of 4032  3484  sRo69cx.exe  88
PID 3484 wrote to memory of 1140  3484  sRo69cx.exe  109
PID 3484 wrote to memory of 1140  3484  sRo69cx.exe  109
PID 3484 wrote to memory of 1140  3484  sRo69cx.exe  109
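Three things in the signatures above are worth checking on a suspected host, and a few caveats apply. The Defender writes all come from iVW07wr.exe (PID 4032), the Healer component, which also crashed during the run (WerFault -p 4032), so the tampering may not have completed. Every registry path is recorded under WOW6432Node because the stubs are 32-bit processes (note the SysWOW64 WerFault and the arch:x86 tag); on a live host query both the native and the 32-bit view. Registry values alone do not prove Defender is off: with Tamper Protection enabled, Defender ignores direct registry edits to these settings, so read the effective state as well. Finally, wextract_cleanupN RunOnce values are what every IExpress/wextract self-extractor registers to delete its IXP00N.TMP directory, so one such entry is not malicious by itself; the signal here is the chain of four (cleanup0 through cleanup3) registered by four nested stubs in one run. The PowerShell below is an added example, not part of the sandbox report: it audits a host for the Defender policy and feature values, the wextract_cleanup RunOnce entries, and a live connection to the extracted C2. Registry paths, value names and the C2 endpoint are copied from the report; the function names and output shape are my own.

```powershell
# Added example, not part of the sandbox report. Registry paths, value names and
# the C2 endpoint are copied from the report; function names are the editor's.

# Real-Time Protection policy values that iVW07wr.exe set to 1.
$DefenderPolicyValues = @(
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable',
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection'
)

function Test-DefenderRegistryTampering {
    # The sample is 32-bit, so the report shows the WOW6432Node view; check both views.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
        'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $DefenderPolicyValues) {
            if ($props.$name -eq 1) {
                [pscustomobject]@{ Check = 'DefenderPolicy'; Key = $key; Name = $name; Value = $props.$name }
            }
        }
    }
    # TamperProtection = 0 under Windows Defender\Features (the "Windows security modification" IoCs).
    $featureKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
    )
    foreach ($key in $featureKeys) {
        if (-not (Test-Path $key)) { continue }
        $tp = (Get-ItemProperty -Path $key).TamperProtection
        if ($null -ne $tp -and $tp -eq 0) {
            [pscustomobject]@{ Check = 'TamperProtection'; Key = $key; Name = 'TamperProtection'; Value = $tp }
        }
    }
}

function Get-DefenderLiveState {
    # Effective state, independent of what the registry says. Requires the Defender module.
    Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, OnAccessProtectionEnabled,
        BehaviorMonitorEnabled, IoavProtectionEnabled, IsTamperProtected
}

function Get-WextractCleanupEntries {
    # IExpress stubs register wextract_cleanupN RunOnce values that call
    # advpack.dll,DelNodeRunDLL32 on their IXP00N.TMP directory. Legitimate installers
    # do this too; several in one session, as in this report, is the suspicious pattern.
    $runOnceKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -notlike 'wextract_cleanup*') { continue }
            $cmd = [string]$item.GetValue($name)
            # Pull the quoted extraction directory out of the DelNodeRunDLL32 command line.
            $dir = if ($cmd -match '"([^"]+)"') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Check         = 'RunOnce'
                Key           = $key
                Name          = $name
                Command       = $cmd
                TempDir       = $dir
                TempDirExists = [bool]($dir -and (Test-Path -LiteralPath $dir))
            }
        }
    }
}

function Test-RedLineC2Connection {
    # C2 from the extracted RedLine config in this report.
    param([string]$Address = '193.233.20.17', [int]$Port = 4139)
    Get-NetTCPConnection -RemoteAddress $Address -RemotePort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Check = 'C2'; Remote = "$($_.RemoteAddress):$($_.RemotePort)";
                               State = $_.State; PID = $_.OwningProcess; Process = $proc.ProcessName; Path = $proc.Path }
        }
}

# Usage: run from an elevated PowerShell session.
$findings = @(Test-DefenderRegistryTampering) + @(Get-WextractCleanupEntries) + @(Test-RedLineC2Connection)
$findings | Format-List
Get-DefenderLiveState
```

An empty $findings list together with RealTimeProtectionEnabled and IsTamperProtected both True is the clean outcome. A DefenderPolicy or TamperProtection finding with Defender still reporting itself enabled is consistent with Tamper Protection having absorbed the write; treat it as evidence of an attempt, not of a disabled AV. The RunOnce entries are transient (RunOnce values are deleted once executed at the next logon), so their absence on a host that has since rebooted proves nothing.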
Processes
(bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe  PID 3360
    command line: "C:\Users\Admin\AppData\Local\Temp\3e641d9d0751a7f979a510bfe83acddd6506589342b65285f6b946765d923ec8.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe  PID 2056
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swN11hP.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe  PID 1160
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\skV69rw.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe  PID 3484
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sRo69cx.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe  PID 4032
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iVW07wr.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe  PID 2772
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1076
              - Program crash
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe  PID 1140
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koo98Ar.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe  PID 3120
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4032 -ip 4032
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize 883KB
MD5 f3e1709aab51a6a135bbdb29d83f77d9
SHA1 adb143171137a23b41968a07e43d38b4186848c2
SHA256 d33df68fc9eec68e31d69b1abdc0fb82ab8e2b0e2fee7cd985dd3acfda022bfb
SHA512 d7941ec4e350762e79baf141098285ba4039032630ec95db3634c5f2bd87a3ebc25337f647cc4a8a43affb7beb5f1f61dac8c17832e1ed93242cdf8d45c3e309

Filesize 658KB
MD5 c0018a166fb236e3a8fd15f31ae48bbc
SHA1 378ff7d739193420c1e50b17a7ccf8012b9773f0
SHA256 804d0a95dff89959609f92afddd708cebc42149597b96e611b60967d6a0ad4d7
SHA512 cc1cc89786baab3344422e267f5ed98caec1f337d495040de06763307a318d29ba3b6e7595e1cd903d01734de737cfd4ef11b982dd2ab9c8a3a171553bd21e95

Filesize 513KB
MD5 1004bc7075588f55644ec77b8b633fdb
SHA1 056c0cc4e18c9f156fb69b071dd60416247bd0b3
SHA256 923a2d0e5c4976768479d77a7f0c0ae53bdd52a36fb1916d4f063e4773b02f61
SHA512 12bf55bb03c6cf3dbf14646bfd3a14df18f93b1c03bdc5b802c557b07b7819b2822cb478a2a022b53cc3859e8d3c720f139fd7b37b97c78dff18a569082384db

Filesize 219KB
MD5 2c5c8d29cafcf8e7dd907d96976fa83f
SHA1 0d7b42b55e766c71ecd427a3d1acf1a04b16be7c
SHA256 5cd65c80d1f7f92886584a08003e6f31ed0b37b20c7bad622ee0ae43ec928f3a
SHA512 67d0f1649e1c7494e865fbb2cf1806b2e05119671ffea6e1fb84e7dd82f0782f678d1f2bddeed6f2e64a9814cea860efc280e8a727a99bdc181a50b951c97d09

Filesize 277KB
MD5 444008956d19b2d37e0e2c25888548b0
SHA1 0b64e74e3c648f0a9023fe2308a3ab7b13607ad3
SHA256 b4eedc40338b319b5527d55f9f50d8941fb4905a464a2babf2036492aaa4d94b
SHA512 1a00813b1f3d64613b8d57f0e70c09980b07c3c23f86bfbbf3f677a2eac15405e150a512e542703d044f2713f98de91550c5dd2717cbec80ecbc1e59878cce74