Analysis

max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:32

Static task: static1
Behavioral task: behavioral1
Sample: 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe
Resource: win10v2004-20241007-en
General

Target: 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe
Size: 1.5MB
MD5: f54597d892dd7598b6400343a3a2b6b6
SHA1: ae3579a61fef3255b481cb335673dc4923e0a5ea
SHA256: 1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720
SHA512: 186f7688aadd5cd6b0a57e1b0ab1ac5b743d8e95dc9e8dd521e9e93c1f8e5ad56b9738c11b28391bbd5174b94a16127ee20fcaf0db208fbb5b17751a0bcae193
SSDEEP: 24576:0yMSMN9X7SHAIyClpI86dPoSjEfl6IabV109vgY+NSs7oGWCf:DQbSHAIHn2dPEt8xKpvKh7o
Malware Config

Extracted
Family: redline
Botnet: maxbi
C2: 185.161.248.73:4164
auth_value: 6aa7dba884fe45693dfa04c91440daef
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
  resource  yara_rule
  behavioral1/memory/4004-36-0x00000000028C0000-0x00000000028DA000-memory.dmp  healer
  behavioral1/memory/4004-38-0x0000000002CC0000-0x0000000002CD8000-memory.dmp  healer
  behavioral1/memory/4004-39-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-50-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-66-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-64-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-62-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-60-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-58-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-56-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-54-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-53-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-48-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-46-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-44-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-42-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer
  behavioral1/memory/4004-40-0x0000000002CC0000-0x0000000002CD2000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a18564388.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a18564388.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a18564388.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a18564388.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a18564388.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a18564388.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource  yara_rule
  behavioral1/files/0x0007000000023cca-71.dat  family_redline
  behavioral1/memory/4988-73-0x0000000000570000-0x00000000005A0000-memory.dmp  family_redline

Redline family
Executes dropped EXE (6 IoCs)
  pid  Process
  4604  i86597507.exe
  232  i86932797.exe
  1148  i39248320.exe
  3992  i07232341.exe
  4004  a18564388.exe
  4988  b60109714.exe

Windows security modification (2 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a18564388.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a18564388.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  i86932797.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  i39248320.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  i07232341.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  i86597507.exe

Program crash (1 IoCs)
  pid  pid_target  Process  procid_target
  516  4004  WerFault.exe  90
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i39248320.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i07232341.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a18564388.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b60109714.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i86597507.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i86932797.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  4004  a18564388.exe
  4004  a18564388.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  4004  a18564388.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description  pid  Process  procid_target
  PID 2228 wrote to memory of 4604  2228  1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe  85
  PID 2228 wrote to memory of 4604  2228  1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe  85
  PID 2228 wrote to memory of 4604  2228  1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe  85
  PID 4604 wrote to memory of 232  4604  i86597507.exe  86
  PID 4604 wrote to memory of 232  4604  i86597507.exe  86
  PID 4604 wrote to memory of 232  4604  i86597507.exe  86
  PID 232 wrote to memory of 1148  232  i86932797.exe  88
  PID 232 wrote to memory of 1148  232  i86932797.exe  88
  PID 232 wrote to memory of 1148  232  i86932797.exe  88
  PID 1148 wrote to memory of 3992  1148  i39248320.exe  89
  PID 1148 wrote to memory of 3992  1148  i39248320.exe  89
  PID 1148 wrote to memory of 3992  1148  i39248320.exe  89
  PID 3992 wrote to memory of 4004  3992  i07232341.exe  90
  PID 3992 wrote to memory of 4004  3992  i07232341.exe  90
  PID 3992 wrote to memory of 4004  3992  i07232341.exe  90
  PID 3992 wrote to memory of 4988  3992  i07232341.exe  99
  PID 3992 wrote to memory of 4988  3992  i07232341.exe  99
  PID 3992 wrote to memory of 4988  3992  i07232341.exe  99
Processes

C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1af14c31e572c199bb1b25b3ac96cda635659a44940d258c6659b7974a4ae720.exe"
  PID: 2228
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i86597507.exe
    PID: 4604
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86932797.exe
      PID: 232
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39248320.exe
        PID: 1148
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07232341.exe
          PID: 3992
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a18564388.exe
            PID: 4004
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1084
              PID: 516
              - Program crash

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b60109714.exe
            PID: 4988
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4004 -ip 4004
  PID: 4448
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.3MB
MD5: bade830b6be2c8423bc07b40b036c355
SHA1: 898abf99c2e2c5ed9d0a7b49962b98def318a70a
SHA256: 0c3d3498a73cdcce125aa65747d59dd36b1e18ce7460c8794b604158093ff765
SHA512: 4e14ce24d12c853548c9e9cfef5210bbebf2046bdf349efd7099b6ea377899421ae5b93a1359d25c493386825bca7db1622b6b68ad37e9522972103412939d81

Filesize: 1.1MB
MD5: 25fa32563594dedbc5792bf00a544255
SHA1: d2f5e561db31492fd12b126d92a4a45981ff9115
SHA256: 00d30f23d69ef8963e109179db2d10817be8de06b085dfe5bd9e6daf43fcec0e
SHA512: 6a47dc333692d3cefbf278378323606ef11c6df9230ce299ab5583fde499fcd7065048b8053a3ae44c1d2beaad6a9ea47916e0e98fa06272129c1cb19b5cf034

Filesize: 683KB
MD5: 85d64e14a876cd43c5c831adb66bc141
SHA1: eef22caa3d04a00e243ae578478d7d7c88a11311
SHA256: 0119f0d319602e9368bf259bed1488797d1821e0da48c2a1e7c249009eba9333
SHA512: aa9da40d95d503b123e61c88d5f37a3c59edf9aefbf0075c135a8a5dfbf0ff62f92ba6b185ca9519078259624c1f5fcc40c941622c4c3e4fd31574a9ee6c0b26

Filesize: 404KB
MD5: 8d387cb163bbbace0c0a9911dafba0ea
SHA1: fe258560ba5b18642dc8838f1e3090d7e0c352e6
SHA256: ef287055b6b496fa1d19ea8d7f31d534997a38164c20c98decc545f1b212ff50
SHA512: bdcd36913bab668494a7752fed8858bc8d5a399881433f352876c4818966443d6a96cb16045cf101320d5da9fd5bbe258491868426c83ceb841ebcbb46fc5043

Filesize: 344KB
MD5: ef4e78dd23e95f16b8dfe38b143836e9
SHA1: 7ec4af068b1a51897ac4ad915b0bfb215dcb0d31
SHA256: f406665f4e992d11a5757514f5fe3385b4506a4b65a0722ad1886f0b2151e136
SHA512: 0ceb37c96e4606a577eafe0ff8845fd79c8417400fbe34f2daf76af3dc5911f02990ad40347f39a234406ee7598edec6d4f9479b0b08cc20b2b929121cf370c2

Filesize: 168KB
MD5: 4cecbe1e5ab3368eed7cae4a47304a95
SHA1: 396b5387462a850518ba10876cfa16d44ea18229
SHA256: cea16d6e72293940245c6c7ea7582eb2f974cbc18498a46e1f31738a3a22d6f7
SHA512: 104f1301f076d6b83ce70722130f436267dd02895635de6851ba470da15cf058522d98c344d77d45feaaa2fe63a05d1a64985748bd349f4c7130d313bc3d532e