Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:37
Static task: static1
Behavioral task: behavioral1
Sample: d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe
Resource: win10v2004-20241007-en
General
Target: d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe
Size: 689KB
MD5: e0fb85365f782607c7adbe6d0a79d674
SHA1: 126ad93b9186c2e6d024ac79916ac83bd51cc694
SHA256: d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a
SHA512: 076ebbf3c50569fd6eb6289bdf2e7e7097cedeed2262c63ed68602908bc8fab5d2c733dd82519f23e0baf3de2cc1ac18d055397ee36455102c4625c1e05ac0f3
SSDEEP: 12288:fMrCy90I+ZLljLb6v4x9a3yI65hLulDbsEidvGyvBhKXnQmmJ1veFdafigcMO/L1:Byk1ljf6v4xICnfahbmJhApmJ1adaagq
Malware Config
Extracted
- Family: redline
- rosn
- 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/404-19-0x0000000004C20000-0x0000000004C3A000-memory.dmp: healer
- behavioral1/memory/404-21-0x0000000005260000-0x0000000005278000-memory.dmp: healer
- behavioral1/memory/404-49-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-47-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-46-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-43-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-41-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-39-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-37-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-35-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-33-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-31-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-29-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-27-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-25-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-23-0x0000000005260000-0x0000000005272000-memory.dmp: healer
- behavioral1/memory/404-22-0x0000000005260000-0x0000000005272000-memory.dmp: healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes (description / ioc / process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro9933.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro9933.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro9933.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro9933.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro9933.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro9933.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/4916-61-0x0000000005F90000-0x0000000005FD6000-memory.dmp: family_redline
- behavioral1/memory/4916-62-0x0000000006010000-0x0000000006054000-memory.dmp: family_redline
- behavioral1/memory/4916-72-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-74-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-96-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-92-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-90-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-88-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-86-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-84-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-82-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-80-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-78-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-76-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-70-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-68-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-94-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-66-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-64-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline
- behavioral1/memory/4916-63-0x0000000006010000-0x000000000604F000-memory.dmp: family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes (pid / process):
- 3592: un175248.exe
- 404: pro9933.exe
- 4916: qu3196.exe
Windows security modification (2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro9933.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro9933.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un175248.exe)
Program crash (1 IoC)
Processes (pid / pid_target / process / procid_target):
- 2748 / 404 / WerFault.exe / 85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un175248.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro9933.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu3196.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 404: pro9933.exe
- 404: pro9933.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 404 / pro9933.exe
- Token: SeDebugPrivilege / 4916 / qu3196.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / procid_target):
- PID 2736 wrote to memory of 3592 / 2736 / d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe / 84
- PID 2736 wrote to memory of 3592 / 2736 / d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe / 84
- PID 2736 wrote to memory of 3592 / 2736 / d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe / 84
- PID 3592 wrote to memory of 404 / 3592 / un175248.exe / 85
- PID 3592 wrote to memory of 404 / 3592 / un175248.exe / 85
- PID 3592 wrote to memory of 404 / 3592 / un175248.exe / 85
- PID 3592 wrote to memory of 4916 / 3592 / un175248.exe / 98
- PID 3592 wrote to memory of 4916 / 3592 / un175248.exe / 98
- PID 3592 wrote to memory of 4916 / 3592 / un175248.exe / 98
Processes
C:\Users\Admin\AppData\Local\Temp\d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5eefa5fbd45d84aaa5f194f31e6665c78a255184fed241e5378e967229f9e3a.exe"
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un175248.exe (PID 3592)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un175248.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9933.exe (PID 404)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9933.exe
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 2748)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1004
        Signatures:
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3196.exe (PID 4916)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3196.exe
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 3660)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 404 -ip 404
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 547KB
  MD5: 1729955f4374cd22929fd0c0ade23a4e
  SHA1: d53efd511c0e059be95fb50fd32e00d92f2f38c1
  SHA256: e159d38903baffd77a60bbc0238da09d75c8cdc3416af4b5edca2aec3a7fbcfb
  SHA512: 57bb058b4ca56d10688863141d91e8d19ea00446ad38ff62b5ee678942496cfbdd884f6fdaae645e4c005c9f1d558b750effde58405ecaba143223d246991fc0
- Filesize: 291KB
  MD5: 42ef4c4c788cc9bc19b4d149fee8a663
  SHA1: 4f452dda928a9446fc3babe1b802f365a236ae78
  SHA256: bf56242df3626e3804288fe23316fe1a0c1407404a5859eca5f41084995cee56
  SHA512: c1d3d8bfedcab0f3b9ea2cf9e33f49f925a0ab9f826dde65f6abf24a846a45936a3a1934e9ae118dbaccb39e17d260132d64acbf2518b31cd934f1178b8ab757
- Filesize: 345KB
  MD5: db5f565bfe58f5f55e0337a9538b7fc9
  SHA1: edb4ef5e99a2be3cc62b2340dfd1112e7492cff0
  SHA256: c52ba136097b0a1234c7cd57f147b2238383d326882c30d3e6ec06cbf55e26ca
  SHA512: f36e309d51ed4d79adb7bbec0292130e54f08506509ba1a3b960f803327a69566ffa882682c3336ea0d76e34309936d8e77902fa44b9a61d28b57d466b677163