Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:05

Static task: static1
Behavioral task: behavioral1
Sample: aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe
Resource: win10v2004-20241007-en

General

Target: aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe
Size: 658KB
MD5: bd499b9b7ce3864bb0faa8bd2b9f01e2
SHA1: 0719c0a4a9724bd4138d7eb73ec0d39567d978ca
SHA256: aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43
SHA512: 03a6392d5a60534569c36871b3cf8951788d5d3e72b1f073896d8e6fa3f35adfff94d78fa398dc1c289abed9064500bb7201fd9b502438552f9e4efe2bf18e7f
SSDEEP: 12288:sMr5y90fTAuNx3Vk3QN6OIc3F1+s+bViVXo2pzuiGs4bf4NO1OKjZEH2z:Ny6AyVV4D80rWXohiGsOOEmWz
Malware Config

Extracted
Family: redline
Botnet: rosto
C2: hueref.eu:4162
auth_value: 07d81eba8cad42bbd0ae60042d48eac6
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (urcq58LX24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (urcq58LX24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (urcq58LX24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (urcq58LX24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (urcq58LX24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (urcq58LX24.exe)
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
- PID 4812: ycXl47PD20.exe
- PID 3236: urcq58LX24.exe
- PID 4672: wryB90yX94.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (urcq58LX24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (urcq58LX24.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ycXl47PD20.exe)
Program crash (1 IoC)
- pid 4904, pid_target 3236, process WerFault.exe, procid_target 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wryB90yX94.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ycXl47PD20.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (urcq58LX24.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3236: urcq58LX24.exe
- PID 3236: urcq58LX24.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3236, urcq58LX24.exe
- Token: SeDebugPrivilege, PID 4672, wryB90yX94.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2580 wrote to memory of 4812 (pid 2580, aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe, procid_target 84)
- PID 2580 wrote to memory of 4812 (pid 2580, aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe, procid_target 84)
- PID 2580 wrote to memory of 4812 (pid 2580, aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe, procid_target 84)
- PID 4812 wrote to memory of 3236 (pid 4812, ycXl47PD20.exe, procid_target 85)
- PID 4812 wrote to memory of 3236 (pid 4812, ycXl47PD20.exe, procid_target 85)
- PID 4812 wrote to memory of 3236 (pid 4812, ycXl47PD20.exe, procid_target 85)
- PID 4812 wrote to memory of 4672 (pid 4812, ycXl47PD20.exe, procid_target 99)
- PID 4812 wrote to memory of 4672 (pid 4812, ycXl47PD20.exe, procid_target 99)
- PID 4812 wrote to memory of 4672 (pid 4812, ycXl47PD20.exe, procid_target 99)
Processes

C:\Users\Admin\AppData\Local\Temp\aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa28a688eead307a11e2eb0a78fe7e10086f7d311cd53cee54a6c415bbd87f43.exe"
  Depth 1, PID 2580
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycXl47PD20.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycXl47PD20.exe
    Depth 2, PID 4812
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urcq58LX24.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urcq58LX24.exe
      Depth 3, PID 3236
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1056
        Depth 4, PID 4904
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wryB90yX94.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wryB90yX94.exe
      Depth 3, PID 4672
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3236 -ip 3236
  Depth 1, PID 4692
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads