Analysis
max time kernel: 114s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 00:35
Static task: static1
Behavioral task: behavioral1
Sample: e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe
Resource: win10v2004-20241007-en
General
Target: e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe
Size: 689KB
MD5: f01ae6c1e7ccd5b6f3e5d88d795f02c0
SHA1: 4c6e51a11eda0df401c6b59fc562af09415b294b
SHA256: e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8
SHA512: 7e81fd7dbe1f854426fcc7ecdf47b04efb42e1f9893c80636209f34310e42e59b257d2dde574732cafe353a0c08967b240303da3877c6e53f9f706d65f1f7cb0
SSDEEP: 12288:3Mr4y90QOEvG3gskqZtOzI4VVm33SVQrpVVcYpq6w43xnYMDKbQxgBlf+IFuq1D:byeEu3uYOJmSVeDV8d4hYMuUxqk6D
Malware Config
Extracted
redline
boris
193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4376-17-0x0000000002E50000-0x0000000002E6A000-memory.dmp | healer
behavioral1/memory/4376-19-0x0000000007250000-0x0000000007268000-memory.dmp | healer
behavioral1/memory/4376-48-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-46-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-44-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-42-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-40-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-38-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-36-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-34-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-32-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-30-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-28-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-26-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-24-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-22-0x0000000007250000-0x0000000007262000-memory.dmp | healer
behavioral1/memory/4376-21-0x0000000007250000-0x0000000007262000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4034.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4034.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4440-60-0x0000000004C60000-0x0000000004CA6000-memory.dmp | family_redline
behavioral1/memory/4440-61-0x0000000007190000-0x00000000071D4000-memory.dmp | family_redline
behavioral1/memory/4440-81-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-65-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-63-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-62-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-95-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-93-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-91-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-89-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-87-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-85-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-83-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-79-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-77-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-75-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-73-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-71-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-69-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/4440-67-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
Processes:
pid | Process
4512 | unio6560.exe
4376 | pro4034.exe
4440 | qu7364.exe
Windows security modification
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro4034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4034.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio6560.exe
Program crash (1 IoC)
Processes:
pid | pid_target | Process | procid_target
3228 | 4376 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro4034.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu7364.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio6560.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | Process
4376 | pro4034.exe
4376 | pro4034.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 4376 | pro4034.exe
Token: SeDebugPrivilege | 4440 | qu7364.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | Process | procid_target
PID 3124 wrote to memory of 4512 | 3124 | e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe | 83
PID 3124 wrote to memory of 4512 | 3124 | e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe | 83
PID 3124 wrote to memory of 4512 | 3124 | e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe | 83
PID 4512 wrote to memory of 4376 | 4512 | unio6560.exe | 85
PID 4512 wrote to memory of 4376 | 4512 | unio6560.exe | 85
PID 4512 wrote to memory of 4376 | 4512 | unio6560.exe | 85
PID 4512 wrote to memory of 4440 | 4512 | unio6560.exe | 97
PID 4512 wrote to memory of 4440 | 4512 | unio6560.exe | 97
PID 4512 wrote to memory of 4440 | 4512 | unio6560.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e902bcea836127c9115baa5f7b32124d4b562b4e944e6165ec76b8206ed6eff8N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3124

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6560.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4512

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4034.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4376

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1088
        - Program crash
        PID: 3228

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7364.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4440

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4376 -ip 4376
  PID: 1236
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 547KB
MD5: c88970bedcb54132e04aa6b263bc5f07
SHA1: ee086bafb4da08aaa0a1a9ecd20f788ae1294770
SHA256: f71c57cfbcc023873591ec8810ad788e2e77d52c39877fc7f8fba66a4b69cc31
SHA512: 3b1225064c7bbdf5ce0c51cc88344930f3bb0456013835dba4ee7afb650396098951a1e41d7c9b70aa4d5077ae31a553c82ae30989cb4d81e30db024b09890da

Filesize: 329KB
MD5: 5050774ed048776ea4b01878f52a87b3
SHA1: 064eb7236d29814c00d33c991d41020dda121a4f
SHA256: bb61722f37cef52af74a7bbdeb3d3e3bff4d3e72bfc11d3fb7a384b978272c31
SHA512: 06c0a540afdbb350ec63e0219c976821b4c5607c23b3b667c3eb842e3aff5087eff011714149696e3d1c5a2d403cd0dc7367d8fd72b2dd251ce9171aa85d2656

Filesize: 386KB
MD5: b85b921104bbbc288cb8cbef7ac2a176
SHA1: 5063ba0e00f8ba6f9ded961ca0fcc6d90e018688
SHA256: 1c5156f4ebbf29ddc321aa290995d33aeba1df9360a684bf0cc469d6b1a41b42
SHA512: 939222141da4fd0ca8b9491c4e612fbd8ce9315df775d55ab55736f715c91ff98217ef355c72486289b94f55a873cbb7eaa598b1f7f91b138240f73666f7bdc8