Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:13
Static task: static1
Behavioral task: behavioral1
Sample: 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe
Resource: win10v2004-20241007-en
General
Target: 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe
Size: 659KB
MD5: 46755d6cd8003c1a720db0c3c26d0e81
SHA1: 6ee084b939d5444337814069430c2cce51b85dd6
SHA256: 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb
SHA512: 95a885de2fe558105a15a6fffef5d0e70bbad158e864d73c61978951ddc7ae8589bc668de84e9bafabf5ba64e1ee5bd1bb06c9e8db24011f5e6626d3367a0965
SSDEEP: 12288:qMrfy90ohAXXCzMuX/NSsxiaadLyHZo2xYqouYdQoz8F1FP1CMd:5yPm7uXVYYxYqopzEd
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7307.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7307.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7307.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7307.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7307.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7307.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3852 | un316952.exe
1428 | pro7307.exe
4044 | qu0666.exe
Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7307.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7307.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un316952.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1700 | 1428 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro7307.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu0666.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un316952.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1428 | pro7307.exe
1428 | pro7307.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1428 | pro7307.exe
Token: SeDebugPrivilege | 4044 | qu0666.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4272 wrote to memory of 3852 | 4272 | 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | 83
PID 4272 wrote to memory of 3852 | 4272 | 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | 83
PID 4272 wrote to memory of 3852 | 4272 | 443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe | 83
PID 3852 wrote to memory of 1428 | 3852 | un316952.exe | 85
PID 3852 wrote to memory of 1428 | 3852 | un316952.exe | 85
PID 3852 wrote to memory of 1428 | 3852 | un316952.exe | 85
PID 3852 wrote to memory of 4044 | 3852 | un316952.exe | 100
PID 3852 wrote to memory of 4044 | 3852 | un316952.exe | 100
PID 3852 wrote to memory of 4044 | 3852 | un316952.exe | 100
Processes
1. C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\443f88888e35e65e8a315d36c1950eb9bf456d1581c5cc31266344ad594062cb.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4272
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316952.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3852
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7307.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 1428
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1088
            - Program crash
            PID: 1700
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0666.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 4044
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
   PID: 544
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

File 1
Filesize: 517KB
MD5: 7552bbde8b3b393c764d9f8a5613b2d3
SHA1: 8f7a1fc74ee6ec8d44814c5f552ac009f541e8b8
SHA256: a4e7f79f58b63693402e81cac8cf86e7d675b87be38b2a99f89c7d3b7155730e
SHA512: 759262448b499ece9f3819fa4d5096697ca2102d523776e8dc9e6c1c67f35a273a86111aba0c470f9d66c8d56300d2f7fd69166c7ed01acbeb1369558b9b3a18

File 2
Filesize: 275KB
MD5: e0bfbd2dd58dc58e50dd5b84db144e68
SHA1: cb89406988b5d64853fb1d81ad87816065633515
SHA256: 9a5bdb013bca8525392c0b18a80064412aad9ae009ad1984c23e64f745a662ad
SHA512: f1edaede3b6a28b1845b76c1ee5ec0f2fd63b6731b1b252c381c31795ea358d0f24f4e9662a8d5032986efce9a248b08440c50b3e9257606a27ecc5e8d0409bc

File 3
Filesize: 333KB
MD5: d79592e215d83e404a236ccc61e987cd
SHA1: 5e67bf7d6b8f99ae1f6fa8215437fa9538802f0e
SHA256: a699c6c929b5e6156043d49ba19e77637b2961a13913b78e8409ca16d7930d1b
SHA512: dacd0c2fc6d6d7fe36fcfdd31eb47b40c8bf36da05c413d8aae5e6929d4085ed6b06779281b81ee2bcbbebd0c21716e68a8580d34cafc7aee15e3df7a6c08f4b