Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:15
Static task: static1
Behavioral task: behavioral1
Sample: 065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe
Resource: win10v2004-20241007-en
General
Target: 065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe
Size: 725KB
MD5: bf2734b1b1fde5d8d8dc5042da124bf6
SHA1: c6a9b3fee4a9e28aabb6bddcb36f6d92622f4a34
SHA256: 065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2
SHA512: ff68d7d5eff33e403feb89b37370c586c3cc791277bb8b3dbca5cb93765880d55eaab080657b24967f9b2bda037df99743a994cf67fb90f951008660f5c5fb4e
SSDEEP: 12288:MMrqy90lL2irpGFRifzqVREaa6nMZV0+F8e65mN0xX/QRWHqmRhYlPbCXlhnWJtv:2yULFGqfzSEBu+uhxX/Q4KmRGcXlhS
Malware Config
Extracted
Family: redline
Botnet: fud
C2: 193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description      Process      ioc
Key created      r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int)  r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int)  r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int)  r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int)  r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int)  r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid   Process
3992  ycuN3159zc.exe
4080  r1235oi.exe
2332  w30ZD47.exe
Windows security modification
description      Process      ioc
Key created      r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int)  r1235oi.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
description      Process                                                                 ioc
Set value (str)  065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Set value (str)  ycuN3159zc.exe                                                          \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
pid   pid_target  Process       procid_target
4024  4080        WerFault.exe  86
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  Process                                                                 ioc
Key opened   065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened   ycuN3159zc.exe                                                          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened   r1235oi.exe                                                             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened   w30ZD47.exe                                                             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4080  r1235oi.exe
4080  r1235oi.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4080  r1235oi.exe
Token: SeDebugPrivilege  2332  w30ZD47.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                      pid   Process                                                                 procid_target
PID 4272 wrote to memory of 3992  4272  065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe  85
PID 4272 wrote to memory of 3992  4272  065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe  85
PID 4272 wrote to memory of 3992  4272  065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe  85
PID 3992 wrote to memory of 4080  3992  ycuN3159zc.exe                                                          86
PID 3992 wrote to memory of 4080  3992  ycuN3159zc.exe                                                          86
PID 3992 wrote to memory of 4080  3992  ycuN3159zc.exe                                                          86
PID 3992 wrote to memory of 2332  3992  ycuN3159zc.exe                                                          98
PID 3992 wrote to memory of 2332  3992  ycuN3159zc.exe                                                          98
PID 3992 wrote to memory of 2332  3992  ycuN3159zc.exe                                                          98
Processes

C:\Users\Admin\AppData\Local\Temp\065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\065600c07c7106d57b8b62058f2c15b1e2c51b3ccf1463d613fa162b398a3ed2.exe"
  PID: 4272
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycuN3159zc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycuN3159zc.exe
    PID: 3992
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1235oi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1235oi.exe
      PID: 4080
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1008
        PID: 4024
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\w30ZD47.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\w30ZD47.exe
      PID: 2332
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4080 -ip 4080
  PID: 2836
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 581KB
MD5: b24f7e7652ef93b7251ece88b7b24504
SHA1: 9731f33b5e48362d8c9a15961024de45b141f2cb
SHA256: b8b68c0dcd8c00d216bf7a95ba28aa598cc5ac4b467eb7f9d3e46d535a9a93f9
SHA512: 48082b73a7ecafbf0da115eee9f11bfead0efb75ea5bd2eef9f3ee7359e23201f9a02df63cf6f8c4524c5a748e8a20c8a02c3ec369c206643c2c7ba13a36761d

Filesize: 363KB
MD5: 5f9106c1a4ae0150887ac3eadc521f31
SHA1: b7c59f033e09829e70ebf380ef9c33aff98d2bf4
SHA256: ddda2d12c18f4944b44af8c6bb030ae608060d087483c423acf217c4c4ed5411
SHA512: 80ab71ecb332f2316abf7cb73c4811bf2162c2e95fc0670fcd8d26370158e2b2f342328ece12e9edeed90a7568d24d0048bdb9ee3ea928fd80d1499851c5caf3

Filesize: 391KB
MD5: f4a3e231a550fb23f6ae4ca3b665867e
SHA1: 95385ee65c82259f32afa57e615cbd5b6765814c
SHA256: b0ee82f1c87220f31eff4098076aad767fd602006b8c661e53a5dc867152a5d0
SHA512: 6cf614308a733d14fff859a46b5d8d7f082f2c6f7a0314e78be8b0b413efda3a36aa3772514f837192d9a147466197f2f669718341e8fe998840d6f1724ba183