Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 06:05
Static task
static1
Behavioral task
behavioral1
Sample
455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe
Resource
win10v2004-20241007-en
General
-
Target
455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe
-
Size
687KB
-
MD5
e6c787b3b118bc67f94a7ce4d0f8741a
-
SHA1
45dfb9ca9ae71a771968ca8d6071822f0e96eef8
-
SHA256
455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3
-
SHA512
36a71af602e8204d010cdd7cafc4891dc982ba7d4f68af8b7e8957fa44754e38991a8034c7fbfa9136b3a7c71f6e37816a7b1f00a1cc5a80f98714bfc9482d4b
-
SSDEEP
12288:RMrKy90BLO4jVk2+u9GmC75pLtPpCe8FOZTx9qO/qT7iVBPs6t3reK7VYCzZl95:jyeS4nwmC75JftjJqvikwn7VYCh5
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3932-17-0x0000000004A40000-0x0000000004A5A000-memory.dmp healer behavioral1/memory/3932-19-0x0000000007110000-0x0000000007128000-memory.dmp healer behavioral1/memory/3932-48-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-46-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-44-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-42-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-40-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-38-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-36-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-34-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-32-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-30-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-28-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-26-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-24-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-22-0x0000000007110000-0x0000000007122000-memory.dmp healer behavioral1/memory/3932-21-0x0000000007110000-0x0000000007122000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro5940.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro5940.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro5940.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro5940.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro5940.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro5940.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4796-59-0x00000000070C0000-0x0000000007106000-memory.dmp family_redline behavioral1/memory/4796-60-0x0000000007180000-0x00000000071C4000-memory.dmp family_redline behavioral1/memory/4796-61-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-64-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-62-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-94-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-92-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-90-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-88-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-86-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-84-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-82-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-80-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-78-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-76-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-74-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-72-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-70-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-68-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline behavioral1/memory/4796-66-0x0000000007180000-0x00000000071BF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4928 un727892.exe 3932 pro5940.exe 4796 qu1103.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro5940.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro5940.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un727892.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5428 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2176 3932 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro5940.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu1103.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un727892.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3932 pro5940.exe 3932 pro5940.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3932 pro5940.exe Token: SeDebugPrivilege 4796 qu1103.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4768 wrote to memory of 4928 4768 455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe 83 PID 4768 wrote to memory of 4928 4768 455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe 83 PID 4768 wrote to memory of 4928 4768 455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe 83 PID 4928 wrote to memory of 3932 4928 un727892.exe 84 PID 4928 wrote to memory of 3932 4928 un727892.exe 84 PID 4928 wrote to memory of 3932 4928 un727892.exe 84 PID 4928 wrote to memory of 4796 4928 un727892.exe 98 PID 4928 wrote to memory of 4796 4928 un727892.exe 98 PID 4928 wrote to memory of 4796 4928 un727892.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe"C:\Users\Admin\AppData\Local\Temp\455f2a035fe625508f42a80dbfe70e176f934ee3aee4d3217e92c3611c632fb3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727892.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727892.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5940.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5940.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 10844⤵
- Program crash
PID:2176
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1103.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1103.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3932 -ip 39321⤵PID:2704
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:5428
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
545KB
MD53112b78ddb90d640fd2c5cd42692c217
SHA1cf0b905dad9021b266259196b28f9372d82a7d92
SHA25681ff70ce4a7eceae84de26cddbb79e2968c39d3036392f80d7620d38bbd6b2fc
SHA512b1b4cb0fac539fe87370314ce753ef9de8df5d52610c012f45688e7be041de934dfde79dc10b6818827eedccc4a2cbfcd497ab221b902f5af5bed660d74b78d3
-
Filesize
324KB
MD512283bd19a29672b70ab4b5aaa7fa45b
SHA16b7f61f53e65462377c49877d39caa331e792975
SHA2561b96eedabbbd447cebd379ba46ef41a7c4cc7ca28bbe404bc84e1cb5f7798c14
SHA512d428bb47c414ba4e67e1e0e7df666fedbee79a03dae84408a3b23b056f99b10f832d2fa7db2b5feb0e140fbcc3123260f6b935cf1c5eb2ffd0a16e75341b62d1
-
Filesize
383KB
MD5a247649d8cb2268901226c0dc986c962
SHA16bd60ae0b971cab1ffb3cec1b8d765498e89b960
SHA2569badb50837bd90a4a857b50fe1607d3d1da3d26abbe6f6ee361996c8e9b69b1b
SHA51249ef05cca300b03ab94bbc8ddd3f590152b5418e8a7a6dec4da58f9c6f3b123eb4f40d8f7c02b8a9649c154447ca091ed047cb51800981838be79a86f2146057