Analysis
  max time kernel: 142s
  max time network: 145s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/11/2024, 19:13
  Static task: static1
  Behavioral task: behavioral1
  Sample: cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe
  Resource: win10v2004-20241007-en
General
  Target: cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe
  Size: 836KB
  MD5: 94c41b5e0871315431a47c0459c3df92
  SHA1: 9c39bfc5af37dc8568e0547d07605361c8175835
  SHA256: cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80
  SHA512: c86275c06cfec1ff468aff68282207d3df66fd19c4945e15c292f9498750b418a7eafbb44c056d53d58e27241d026ea291e53acd397bc703810ae6ffc742d304
  SSDEEP: 12288:yMrpy902dWBjXNCt7YLYncP8qACn8HCMjAgh+tqjrlVv+Qixhm0u6qkpTvKMcON:jykjXwpYkngq0fAVhjjbBixnHqkBKxk
Malware Config
  Extracted
    Family: redline
    Botnet: gena
    C2: 193.233.20.30:4125
    auth_value: 93c20961cb6b06b2d5781c212db6201e
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8848.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8848.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8848.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8848.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8848.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8848.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | qu3442.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (5 IoCs)
  pid   Process
  2744  unio9268.exe
  4244  unio7093.exe
  2544  pro8848.exe
  2156  qu3442.exe
  1336  rRs66s72.exe
Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | qu3442.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8848.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | unio7093.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio9268.exe
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1392  2156        WerFault.exe  96
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio7093.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3442.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rRs66s72.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio9268.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2544  pro8848.exe
  2544  pro8848.exe
  2156  qu3442.exe
  2156  qu3442.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             pid   Process
  Token: SeDebugPrivilege  2544  pro8848.exe
  Token: SeDebugPrivilege  2156  qu3442.exe
  Token: SeDebugPrivilege  1336  rRs66s72.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1596 wrote to memory of 2744 | 1596 | cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe | 83
  PID 1596 wrote to memory of 2744 | 1596 | cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe | 83
  PID 1596 wrote to memory of 2744 | 1596 | cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe | 83
  PID 2744 wrote to memory of 4244 | 2744 | unio9268.exe | 85
  PID 2744 wrote to memory of 4244 | 2744 | unio9268.exe | 85
  PID 2744 wrote to memory of 4244 | 2744 | unio9268.exe | 85
  PID 4244 wrote to memory of 2544 | 4244 | unio7093.exe | 86
  PID 4244 wrote to memory of 2544 | 4244 | unio7093.exe | 86
  PID 4244 wrote to memory of 2156 | 4244 | unio7093.exe | 96
  PID 4244 wrote to memory of 2156 | 4244 | unio7093.exe | 96
  PID 4244 wrote to memory of 2156 | 4244 | unio7093.exe | 96
  PID 2744 wrote to memory of 1336 | 2744 | unio9268.exe | 101
  PID 2744 wrote to memory of 1336 | 2744 | unio9268.exe | 101
  PID 2744 wrote to memory of 1336 | 2744 | unio9268.exe | 101
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cea2f8215e3d2a79fcc0437ac6122424053e0460509d41b3d7fd3a942ffdec80.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1596

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9268.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio9268.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2744

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7093.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio7093.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4244

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8848.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro8848.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2544

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3442.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu3442.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2156

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1080
                    - Program crash
                    PID: 1392

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rRs66s72.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rRs66s72.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 1336

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2156 -ip 2156
    PID: 1972
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads