Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:17
Static task: static1
Behavioral task: behavioral1
Sample: f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe
Resource: win10v2004-20241007-en
General
Target: f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe
Size: 667KB
MD5: 97071a6f7aef90fd582b7723e7c91f6c
SHA1: a1cc015aa2990948f83b53503d5a08c6e39277ae
SHA256: f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d
SHA512: aaf643357eb85152b2e7d2115c429e9a85cc861e6665cb22e19f6ce5fd97154b5adaf732dc2d3d940ffa1c29b045552dc655783c77242660e194f059f2b81f8f
SSDEEP: 12288:YMrRy90ZThhCwgMUDvRskt447o2Wi8eV6lT2bKbPKxLlyohbfDbvU9RMfeCLof0n:5ynvTmO4So2GeV6ixLlpbbb8RPCYc
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource                                                                     yara_rule
behavioral1/memory/5060-19-0x0000000002870000-0x000000000288A000-memory.dmp  healer
behavioral1/memory/5060-21-0x0000000002A50000-0x0000000002A68000-memory.dmp  healer
behavioral1/memory/5060-41-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-49-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-47-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-45-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-43-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-39-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-37-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-35-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-33-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-31-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-29-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-27-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-25-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-24-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
behavioral1/memory/5060-22-0x0000000002A50000-0x0000000002A62000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro0429.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro0429.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro0429.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro0429.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro0429.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro0429.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource                                                                     yara_rule
behavioral1/memory/3032-61-0x0000000002910000-0x0000000002956000-memory.dmp  family_redline
behavioral1/memory/3032-62-0x0000000004E50000-0x0000000004E94000-memory.dmp  family_redline
behavioral1/memory/3032-68-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-70-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-96-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-94-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-92-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-90-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-88-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-86-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-84-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-82-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-80-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-76-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-74-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-72-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-78-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-66-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-64-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3032-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid   Process
3836  un926987.exe
5060  pro0429.exe
3032  qu1179.exe

Windows security modification
description      ioc  Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro0429.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro0429.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un926987.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid   Process
1020  sc.exe
Program crash (1 IoC)
pid   pid_target  Process       procid_target
1020  5060        WerFault.exe  85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro0429.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu1179.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un926987.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
5060  pro0429.exe
5060  pro0429.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  5060  pro0429.exe
Token: SeDebugPrivilege  3032  qu1179.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                                   procid_target
PID 4520 wrote to memory of 3836  4520  f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe  84
PID 4520 wrote to memory of 3836  4520  f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe  84
PID 4520 wrote to memory of 3836  4520  f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe  84
PID 3836 wrote to memory of 5060  3836  un926987.exe                                                              85
PID 3836 wrote to memory of 5060  3836  un926987.exe                                                              85
PID 3836 wrote to memory of 5060  3836  un926987.exe                                                              85
PID 3836 wrote to memory of 3032  3836  un926987.exe                                                              95
PID 3836 wrote to memory of 3032  3836  un926987.exe                                                              95
PID 3836 wrote to memory of 3032  3836  un926987.exe                                                              95
Processes
(process tree; indentation shows parent/child depth, second line of each entry is the command line)

C:\Users\Admin\AppData\Local\Temp\f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5338c7280f9c15970c22b499f8c86548fb057b45dd6e1ed3ba5bce3d4eabe4d.exe"
  PID: 4520
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un926987.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un926987.exe
      PID: 3836
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0429.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0429.exe
          PID: 5060
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1084
              PID: 1020
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1179.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1179.exe
          PID: 3032
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5060 -ip 5060
  PID: 4532

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 1020
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 526KB
MD5: d96b98b7b71cb1f21c1bc829cb5046c4
SHA1: 87f1ce986ee0f13a1578dd85739bf9f7e2bce614
SHA256: caadaedd5bf80e5f756633b0d24c208bd9d11d2c2fca646a2cbf68734b951fd6
SHA512: e8bcae3d7d0e388c35b083de117a02791b3fb90a0e843bb6fdcaf58b09438cac115c96b86fa080454d94110f0383e0c095580638836419521096eb86409ec0a4

Filesize: 295KB
MD5: a3ccb399e57badd4b19a2f237463b404
SHA1: 74c99ec02dac518316264bae3b52abe691e48dee
SHA256: 8417392ab36c99e114134b3227865c44ea9f0ff7c95bb84cf64e19878fcffe11
SHA512: 16d71e996ac231e5d97871fa21fb83b0eb82858596311b564529d5c4b992758340ed4e8ce38ba81b5b284daef701fc806670e38559a9365594e73679418a216d

Filesize: 353KB
MD5: 63d2e20866d9b45ae21233ba6ae4188f
SHA1: 0e94562b22dac1c1328a86bcc116825e5507e043
SHA256: 6c801852380b57bab500e97d6d4411444bba62325096e73dfe9ad57169a39b99
SHA512: 4c882679fed2256404efef37b8cbbf0cd8348a96b19a6a839335bbb7472e36986dc1141b09539c2417a84aac19ed92d5a9006a8546d97ae086106a08031f621c