Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 06:05
Static task
static1
Behavioral task
behavioral1
Sample
122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe
Resource
win10v2004-20241007-en
General
-
Target
122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe
-
Size
659KB
-
MD5
b82e627aebda0a61ff38cc6370a21e85
-
SHA1
e1a7658281c9edac8801286c07b25b0099627b84
-
SHA256
122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8
-
SHA512
cfe8a176d98daa0db7eccb7b65483bc1fdcca3664060486f52ed55c736ebff063368770e9f5aeac66792483e0d93ab2a67d11c43a14bba2b55d628d8dec61bb0
-
SSDEEP
12288:ZMrOy90XQHM1+FuoA0ZGtleEix6qRamWHQM90mk0JH:7yPU2GDeN6qRan/A05
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3716-18-0x0000000003AE0000-0x0000000003AFA000-memory.dmp healer behavioral1/memory/3716-21-0x0000000003C20000-0x0000000003C38000-memory.dmp healer behavioral1/memory/3716-27-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-49-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-47-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-46-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-43-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-41-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-39-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-37-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-25-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-23-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-22-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-35-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-33-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-31-0x0000000003C20000-0x0000000003C32000-memory.dmp healer behavioral1/memory/3716-29-0x0000000003C20000-0x0000000003C32000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro1896.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro1896.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro1896.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro1896.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro1896.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro1896.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/2640-63-0x0000000002650000-0x0000000002694000-memory.dmp family_redline behavioral1/memory/2640-62-0x00000000023D0000-0x0000000002416000-memory.dmp family_redline behavioral1/memory/2640-71-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-97-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-95-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-93-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-91-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-89-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-85-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-83-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-81-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-80-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-77-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-75-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-74-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-69-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-67-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-65-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-64-0x0000000002650000-0x000000000268F000-memory.dmp family_redline behavioral1/memory/2640-87-0x0000000002650000-0x000000000268F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2692 un206656.exe 3716 pro1896.exe 2640 qu5462.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro1896.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro1896.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un206656.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2800 3716 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un206656.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro1896.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu5462.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3716 pro1896.exe 3716 pro1896.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3716 pro1896.exe Token: SeDebugPrivilege 2640 qu5462.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2692 1732 122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe 83 PID 1732 wrote to memory of 2692 1732 122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe 83 PID 1732 wrote to memory of 2692 1732 122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe 83 PID 2692 wrote to memory of 3716 2692 un206656.exe 84 PID 2692 wrote to memory of 3716 2692 un206656.exe 84 PID 2692 wrote to memory of 3716 2692 un206656.exe 84 PID 2692 wrote to memory of 2640 2692 un206656.exe 96 PID 2692 wrote to memory of 2640 2692 un206656.exe 96 PID 2692 wrote to memory of 2640 2692 un206656.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe"C:\Users\Admin\AppData\Local\Temp\122776d9d14372320d62eac0e70cc036fc0ce22f70c5ff760ac142aac95a71c8.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un206656.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un206656.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1896.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1896.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 10844⤵
- Program crash
PID:2800
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5462.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5462.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3716 -ip 37161⤵PID:2180
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
517KB
MD51a56b2f6d633eeef472f8fe57b23e5b4
SHA15209305239baf766542cf327136c15d9d9126ae7
SHA256926021be9e5e3fdd40e96b24b89b9fce21cd9437ba2a9a75f2ea0b80cc7071a0
SHA5127db87099b3aa0decfa926e11665c5cbe741c4b9d586c3f989322512199e305378b9d2e9150dc2004f9cb2cebf3191774b0503376b57010d6371a67c30c7e8aa2
-
Filesize
276KB
MD5712588af0761d4107e8e3a743da0e834
SHA15ce985d2e080319b33b052a63d1ba13ddcd83053
SHA2561895b6a0d071e9be36e9f0d17f346e6b256bdd90437dc5d9427ea498c9ef27bc
SHA512cbe4d16aecdcb6dbf2978940aad0b56932cdfa9b219430e9ee9d8157f151bd74093ae3b364213af1f3c4ae87951f931f555daf48eb51583bb71b94b14ab40199
-
Filesize
295KB
MD5e68a74b974ed33528d676c6c401299fb
SHA1f36e99bbb18a62e1be815fdddf4d2af66f572dd0
SHA256bee8bb63e4d7dd4ee1be2ddb7fdeca39db7da5c2118c83b1566deba3518e5b90
SHA51293c33ca455abfe5ccf81d31f0dcc02b05f1ca044467b8e007ba6c6655deb363940b31fd9a375b3285816e0735f1909b1b96210c3f7c53d1e92108fa62a6b9153