Analysis
- Max time kernel: 150s
- Max time network: 146s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 10-11-2024 00:36

Static task: static1
Behavioral task: behavioral1
- Sample: 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe
- Resource: win10v2004-20241007-en
General
- Target: 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe
- Size: 686KB
- MD5: 6b53f06d117982b8c96590b61b7ece8a
- SHA1: d39489d6483c6df76ed26440c11d9a960a8d5dbb
- SHA256: 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985
- SHA512: 5e3ce5af4d2101f2d7cc54c41e04bea8eddc7bcd30a82755985d994692533c719001fee560e18543cbf2fd207ef63582465f615617a7378eb1b54f706d46f03a
- SSDEEP: 12288:4MrOy901K2+VcGeMCZvlpXQtKUeB6N0z7vHgc06cyMKr964uSJX6V/dtq:2yJ2n7ZvgeB6Nq7vHDNR/JqVFI
Malware Config
Extracted
- Family: redline
- Botnet: boris
- C2: 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: pro2162.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro2162.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro2162.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro2162.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro2162.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro2162.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro2162.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family
-
Executes dropped EXE (3 IoCs)
Processes: un704103.exe, pro2162.exe, qu5531.exe
- PID 1960: un704103.exe
- PID 732: pro2162.exe
- PID 3864: qu5531.exe
Windows security modification
Processes: pro2162.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro2162.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro2162.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: un704103.exe, 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un704103.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe)
Program crash (1 IoC)
Processes: WerFault.exe
- pid 4596, pid_target 732, process WerFault.exe, procid_target 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe, un704103.exe, pro2162.exe, qu5531.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un704103.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro2162.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu5531.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pro2162.exe
- PID 732: pro2162.exe
- PID 732: pro2162.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pro2162.exe, qu5531.exe
- Token: SeDebugPrivilege, PID 732, pro2162.exe
- Token: SeDebugPrivilege, PID 3864, qu5531.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe, un704103.exe
- PID 2984 wrote to memory of 1960; pid 2984, process 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe, procid_target 83
- PID 2984 wrote to memory of 1960; pid 2984, process 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe, procid_target 83
- PID 2984 wrote to memory of 1960; pid 2984, process 4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe, procid_target 83
- PID 1960 wrote to memory of 732; pid 1960, process un704103.exe, procid_target 84
- PID 1960 wrote to memory of 732; pid 1960, process un704103.exe, procid_target 84
- PID 1960 wrote to memory of 732; pid 1960, process un704103.exe, procid_target 84
- PID 1960 wrote to memory of 3864; pid 1960, process un704103.exe, procid_target 95
- PID 1960 wrote to memory of 3864; pid 1960, process un704103.exe, procid_target 95
- PID 1960 wrote to memory of 3864; pid 1960, process un704103.exe, procid_target 95
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e8f9c999067e9726b13be1827c8cb87f888292772783f23131c6c8db1938985.exe"
PID: 2984
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un704103.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un704103.exe
  PID: 1960
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2162.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2162.exe
    PID: 732
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1084
      PID: 4596
      - Program crash

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5531.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5531.exe
    PID: 3864
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 732 -ip 732
PID: 3964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

File 1
- Filesize: 544KB
- MD5: ff031c38fb6fc645a7e2cab06eae2773
- SHA1: 277c24eae31b7b514f1d1bd3e8466882a74a8022
- SHA256: 72d7a09bc3a2146d4995c3b2a6c057f053a0a8e07696a1a02f51290cbb6e85fa
- SHA512: 56ed54b74fdc82e836710d5398ee166a2632956587af06571ea1ddfae6616ed50a38d2e090d01628a96b7215437219b51be618563c8236278b22f50540abb703

File 2
- Filesize: 326KB
- MD5: 215c3ba3b076c9d0b67b73b7aa311e30
- SHA1: daddd443fe16fa7d36eabe660195df762fce1ebf
- SHA256: c8208b90d3029255b847b84bfba9332d815d54260f250211f6e09773181371f9
- SHA512: 518b0d878f5676438962376d389f1d3be3f6c49b038671c760576c6d70c77d7d1134c4bd53b715a3fca3a90b28ec2d2840e125783145908b31d1a8cec69b973f

File 3
- Filesize: 384KB
- MD5: 8c579520bc70eb6df6afb3cff9d40b50
- SHA1: ab91925a2b2970e8c8e29dc5097abfb93a7b911e
- SHA256: 63a564e90042b4c705932b9a6eb21c0448f1bf1b6e2189a2afa76ef2861165d1
- SHA512: 588b990ed964800e99a772bbe54457bd179d554aeb5bee6ac892013a0ced3f178eb528096d243a21cc6001f2932bf993168eae8ac2c9b8362c36dc745e97291e