Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:11
Static task
static1
Behavioral task
behavioral1
Sample
066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe
Resource
win10v2004-20241007-en
General
-
Target
066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe
-
Size
659KB
-
MD5
6d0fcf0ce04cceb11e59d6f1804693da
-
SHA1
07368acd56563dd90fe0a212a6363a9513e5d656
-
SHA256
066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127
-
SHA512
39c46f8a21dee781c1e1a95a28146f6ab4f2a83217414139008badd7c18e17bf8056f2b237dbf4f0f7eabe592924577fe614363c7b8348b001e65079c4e51c9f
-
SSDEEP
12288:OMrvy90Z3yZBHCXfwa6Tqlm1fK92tXxPhhz9/CZra/+EjZxz3CSBY:Fys3ymXfwa6TN1s2h/5SY+EjzzySe
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1596-18-0x0000000004AF0000-0x0000000004B0A000-memory.dmp healer behavioral1/memory/1596-20-0x0000000004B60000-0x0000000004B78000-memory.dmp healer behavioral1/memory/1596-48-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-46-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-44-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-42-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-34-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-40-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-38-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-36-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-32-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-30-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-28-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-27-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-24-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-23-0x0000000004B60000-0x0000000004B72000-memory.dmp healer behavioral1/memory/1596-21-0x0000000004B60000-0x0000000004B72000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro9435.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro9435.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro9435.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro9435.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro9435.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro9435.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4652-60-0x0000000004B40000-0x0000000004B86000-memory.dmp family_redline behavioral1/memory/4652-61-0x0000000004C40000-0x0000000004C84000-memory.dmp family_redline behavioral1/memory/4652-63-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-75-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-95-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-93-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-91-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-89-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-87-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-85-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-83-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-81-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-79-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-77-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-73-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-71-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-69-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-67-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-65-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline behavioral1/memory/4652-62-0x0000000004C40000-0x0000000004C7F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 856 un259900.exe 1596 pro9435.exe 4652 qu8248.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro9435.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro9435.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un259900.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 688 1596 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu8248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un259900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro9435.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1596 pro9435.exe 1596 pro9435.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1596 pro9435.exe Token: SeDebugPrivilege 4652 qu8248.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3420 wrote to memory of 856 3420 066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe 83 PID 3420 wrote to memory of 856 3420 066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe 83 PID 3420 wrote to memory of 856 3420 066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe 83 PID 856 wrote to memory of 1596 856 un259900.exe 84 PID 856 wrote to memory of 1596 856 un259900.exe 84 PID 856 wrote to memory of 1596 856 un259900.exe 84 PID 856 wrote to memory of 4652 856 un259900.exe 97 PID 856 wrote to memory of 4652 856 un259900.exe 97 PID 856 wrote to memory of 4652 856 un259900.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe"C:\Users\Admin\AppData\Local\Temp\066eb74effa9b7200d513820a776209f8d18842dedf2c0b73f89ff41226c7127.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un259900.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9435.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 10764⤵
- Program crash
PID:688
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8248.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4652
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1596 -ip 15961⤵PID:3968
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
517KB
MD5aa6f8ac20c03451ea7c54d60069b31c8
SHA14c08c12fe6baab1aa07828c1d3eb903a73fcf9c6
SHA25612d495fa344347a0c5c55392496db77fc97df7ee6f37c77957bdd3c6bbdeea7f
SHA5125597cf34d879fcbb83e6d58cf66239dc92ac5f4d9953ca95613e407b6b5c3528cb97664b2c921cc27c459ff9ec97ccdcd5308508c6d736c00dd773b7dc26ee51
-
Filesize
295KB
MD552097806dad5071db7c1bf083ded084b
SHA16a6ef9091ff471be8a1ab3b170eeb07d2768c4df
SHA256dcae21d57d67365e16eb1684e1aaa82c9e9f6897a452c53fd9e87ce389002a64
SHA512ee6198f596780bcd0a8c1116fb35f2d1536eaa60285db6bc05f4d9a0e88256db58d720c2e8e5966e93c80dcdd4763f7484437da6ffe4e839612e4d8eacf02986
-
Filesize
354KB
MD50a83d7d9b5a27743cc0f6dd0b7d5f4c2
SHA1af1f132c501f9e9f4e710d9519665798f4d508e0
SHA25644834e4ae785e7fe155d7e0335ee1d7c70c40ba54b715ee05b9a499021971e6e
SHA5122faed8eb6dc98982c27e47b7cd703862e10277a0b44455ffcc138100006849ae0f515db5d03e9e7a105404e16c58c75f2732020d4a357e927eff29bd6b7e25d4