Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 05:18
Static task
static1
Behavioral task
behavioral1
Sample
12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe
Resource
win10v2004-20241007-en
General
-
Target
12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe
-
Size
836KB
-
MD5
7c201f635dae71300649ff8d055afe9e
-
SHA1
0fe6d369b41e85ba878a50a9d6d94a3cbed2ae0b
-
SHA256
12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d
-
SHA512
cc6e0cba21f18aee4f4d1bdde38b9cafaa8df2e80e76c8b6b5d5105721b64f83768c956449629b2e68f783b82052377dbb263c6627132b23964731ae3bae8ad8
-
SSDEEP
24576:Mybf5o/8qc8eZuLX0XAFraioJaFT+eU/K:7j504jMLXl7xweU
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detects Healer, an antivirus disabler dropper (19 IoCs)
resource | yara_rule
- behavioral1/files/0x0008000000023c9a-19.dat | healer
- behavioral1/memory/2960-22-0x0000000000590000-0x000000000059A000-memory.dmp | healer
- behavioral1/memory/4908-29-0x0000000004820000-0x000000000483A000-memory.dmp | healer
- behavioral1/memory/4908-31-0x00000000049F0000-0x0000000004A08000-memory.dmp | healer
- behavioral1/memory/4908-32-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-39-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-59-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-57-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-55-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-53-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-51-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-49-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-47-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-45-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-43-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-41-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-37-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-35-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
- behavioral1/memory/4908-33-0x00000000049F0000-0x0000000004A02000-memory.dmp | healer
Healer family
-
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qu0609.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6855.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | qu0609.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6855.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6855.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6855.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | qu0609.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qu0609.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | qu0609.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6855.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6855.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qu0609.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
- behavioral1/memory/460-67-0x0000000004C40000-0x0000000004C86000-memory.dmp | family_redline
- behavioral1/memory/460-68-0x0000000007150000-0x0000000007194000-memory.dmp | family_redline
- behavioral1/memory/460-69-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-90-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-102-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-100-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-98-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-96-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-94-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-92-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-88-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-86-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-84-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-82-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-78-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-76-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-74-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-80-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-72-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
- behavioral1/memory/460-70-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 5 IoCs
pid | Process
- 2088 | unio0618.exe
- 2996 | unio3078.exe
- 2960 | pro6855.exe
- 4908 | qu0609.exe
- 460 | rjs47s23.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6855.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | qu0609.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | qu0609.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | unio3078.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio0618.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
- 1848 | sc.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
- 100 | 4908 | WerFault.exe | 94
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio3078.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu0609.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rjs47s23.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio0618.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
- 2960 | pro6855.exe
- 2960 | pro6855.exe
- 4908 | qu0609.exe
- 4908 | qu0609.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2960 | pro6855.exe
- Token: SeDebugPrivilege | 4908 | qu0609.exe
- Token: SeDebugPrivilege | 460 | rjs47s23.exe
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
- PID 1148 wrote to memory of 2088 | 1148 | 12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe | 83
- PID 1148 wrote to memory of 2088 | 1148 | 12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe | 83
- PID 1148 wrote to memory of 2088 | 1148 | 12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe | 83
- PID 2088 wrote to memory of 2996 | 2088 | unio0618.exe | 85
- PID 2088 wrote to memory of 2996 | 2088 | unio0618.exe | 85
- PID 2088 wrote to memory of 2996 | 2088 | unio0618.exe | 85
- PID 2996 wrote to memory of 2960 | 2996 | unio3078.exe | 86
- PID 2996 wrote to memory of 2960 | 2996 | unio3078.exe | 86
- PID 2996 wrote to memory of 4908 | 2996 | unio3078.exe | 94
- PID 2996 wrote to memory of 4908 | 2996 | unio3078.exe | 94
- PID 2996 wrote to memory of 4908 | 2996 | unio3078.exe | 94
- PID 2088 wrote to memory of 460 | 2088 | unio0618.exe | 98
- PID 2088 wrote to memory of 460 | 2088 | unio0618.exe | 98
- PID 2088 wrote to memory of 460 | 2088 | unio0618.exe | 98
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12002c65c826db15042756419695a5072b58ce881275098052b292f9cc2e934d.exe"
  PID: 1148
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0618.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0618.exe
    PID: 2088
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio3078.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio3078.exe
      PID: 2996
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [level 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro6855.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro6855.exe
        PID: 2960
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [level 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0609.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu0609.exe
        PID: 4908
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - [level 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 236
          PID: 100
          - Program crash
    - [level 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rjs47s23.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rjs47s23.exe
      PID: 460
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- [level 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4908 -ip 4908
  PID: 2468
- [level 1] C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 1848
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Downloads
- Filesize: 694KB
  MD5: cedc16fbbc40d4b375c198b5252056ed
  SHA1: 4cd223b46b0c813a8cbe537d56427d6cfbf9b692
  SHA256: 928909adff9a417c36b29e3af923bd73aefe88237ccc2f33f38ca746107aebdd
  SHA512: db98d234be5d78b475eedc7699e618a6a18d5e9f44443c8f52763b0cd1823b1142998b87e072999a57152a6c43a5617a5483d3bc4f43c87806d4243524582e27
- Filesize: 391KB
  MD5: 40c6a7ed9b21e92571518bbb6771e7b4
  SHA1: 09d6be60141b6e0d767b93ddbfd3afd9cd1ba9bb
  SHA256: 85a328e80d2055308942519614b9d91210be589e0e4d7604be65504ba7d6901b
  SHA512: c48c83c7728791961c09b6cc92b0084a64e81876932953a2418cc70f9f55c29f6d1c89e0ad8cd45603917202b8ce470f00b7141845de1d996aa60af62ee9339a
- Filesize: 344KB
  MD5: 72286f6a981d52d639bd9fe0e26131b6
  SHA1: 457bd7f03a28bf3271563870df152ffa7b368f32
  SHA256: daa8b350162ec53aca264d3dea6c470e0637d920e3705db877e83b1b8f484307
  SHA512: fb12902a59bc6093e1a2eea91520b29213bac99516b137fc8ae45d3052917f6ae20cea9909de1e2dfa00491b0a98bc395ca35fbb7a1a8f26fed68f635ed0bc3c
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 333KB
  MD5: 009297cc50328f77a784d6e44b84a271
  SHA1: 366402287e6019f5c792b6a0d1233618783f908d
  SHA256: d29682bf2c4e8ce10935348053d1f3229d379a5e3bd9f63a2a93b31d299716bc
  SHA512: 17480d926f183382f7f9b8710c74c8d21ac1316e0162f14c962f252b7e40f31516fd6c7755d9441693238e2b02531afd49e3facb2760b6b48cccf26d1c0d7277