Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:36
Static task: static1
Behavioral task: behavioral1
Sample: c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe
Resource: win10v2004-20241007-en
General

Target: c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe
Size: 672KB
MD5: f24c7605313ae7acbb341af402cdd73c
SHA1: 411c1a894ad258cd121f5e87a7958406aef59118
SHA256: c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4
SHA512: a82baeb888a5f200a5ab034f357e01dcfd149afbf387407714f078812feadca41210cacecd6d11604b388ffd9fa647abc07f47a3e2def73aff8d97954a857ffc
SSDEEP: 12288:KMrUy90pVpXC/bmKvBvbrqR7i0j3m3NvjIomIQ+Y0O/dpCkYY6Z5:iycX1KxbOFDTm9v8ohlCskm7
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus-disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/3956-19-0x0000000002290000-0x00000000022AA000-memory.dmp | healer
behavioral1/memory/3956-21-0x00000000022F0000-0x0000000002308000-memory.dmp | healer
behavioral1/memory/3956-47-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-49-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-45-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-43-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-41-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-39-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-37-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-35-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-33-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-31-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-30-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-27-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-25-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-23-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
behavioral1/memory/3956-22-0x00000000022F0000-0x0000000002302000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6351.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6351.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4068-60-0x0000000002510000-0x0000000002556000-memory.dmp | family_redline
behavioral1/memory/4068-61-0x0000000004A90000-0x0000000004AD4000-memory.dmp | family_redline
behavioral1/memory/4068-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-95-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-93-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-89-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-85-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-73-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4068-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 3 IoCs
pid | process
3832 | un320396.exe
3956 | pro6351.exe
4068 | qu0264.exe
Windows security modification 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro6351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6351.exe
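The Real-Time Protection policy values and the TamperProtection write above are the concrete state change the Healer stage makes, and they are what a registry-telemetry rule should key on. As an added example that is not part of this report, the Python below runs such a rule over constructed registry-write records modelled on those IoCs. The `RegEvent` layout, the alert names and the two benign records are assumptions. The WOW6432Node normalisation is there because the sample is 32-bit (it is crashed by SysWOW64\WerFault.exe), so its HKLM\SOFTWARE writes land in the redirected view and a rule written only for the native path would miss them.

```python
"""Detect the Windows Defender tampering recorded above in registry telemetry.

Added example; it is not part of the sandbox report. The RegEvent records are
constructed to mirror the report's IoCs, and their field layout (process, op,
key, name, data) is an assumption rather than any real log schema.
"""
from collections import Counter
from dataclasses import dataclass

# Real-Time Protection policy values the dropper sets to 1 (from the IoCs above).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}
RTP_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"


@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str      # "set" or "create"
    key: str     # native-format path, as sandboxes and kernel callbacks report it
    name: str = ""
    data: str = ""


@dataclass(frozen=True)
class Alert:
    process: str
    technique: str
    detail: str


def normalise_key(key: str) -> str:
    """Map \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\... onto the native view.

    A 32-bit process writing HKLM\\SOFTWARE is redirected to WOW6432Node, so the
    same tampering shows up under two paths; compare on one canonical form.
    """
    k = key.lower()
    if k.startswith("\\registry\\machine\\"):
        k = "hklm\\" + k[len("\\registry\\machine\\"):]
    return k.replace("\\wow6432node\\", "\\")


def detect_defender_tampering(events):
    """Return one Alert per registry write that weakens Defender."""
    alerts = []
    for ev in events:
        if ev.op != "set":
            continue  # creating the key alone changes no Defender setting
        key = normalise_key(ev.key)
        if key == RTP_POLICY_KEY and ev.name in RTP_DISABLE_VALUES and ev.data == "1":
            alerts.append(Alert(ev.process, "defender_rtp_disabled",
                                f"{ev.name}=1 ({ev.key})"))
        elif key == FEATURES_KEY and ev.name == "TamperProtection" and ev.data == "0":
            alerts.append(Alert(ev.process, "defender_tamper_protection_off",
                                f"TamperProtection=0 ({ev.key})"))
    return alerts


def summarise(alerts):
    """Count alerts per (process, technique) so one dropper rolls up to one incident."""
    return Counter((a.process, a.technique) for a in alerts)


# Constructed telemetry modelled on the report's IoCs, plus two benign writes.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [
    RegEvent("pro6351.exe", "create", RTP),
    RegEvent("pro6351.exe", "set", RTP, "DisableRealtimeMonitoring", "1"),
    RegEvent("pro6351.exe", "set", RTP, "DisableScanOnRealtimeEnable", "1"),
    RegEvent("pro6351.exe", "set", RTP, "DisableBehaviorMonitoring", "1"),
    RegEvent("pro6351.exe", "set", RTP, "DisableIOAVProtection", "1"),
    RegEvent("pro6351.exe", "set", RTP, "DisableOnAccessProtection", "1"),
    RegEvent("pro6351.exe", "create", FEAT),
    RegEvent("pro6351.exe", "set", FEAT, "TamperProtection", "0"),
    # Benign (constructed): an IExpress cleanup entry and Defender re-enabling itself.
    RegEvent("un320396.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "wextract_cleanup1", "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32"),
    RegEvent("MsMpEng.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features",
             "TamperProtection", "5"),
]

if __name__ == "__main__":
    found = detect_defender_tampering(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarise(found))
```

Only `set` operations alert; the `Key created` IoCs are kept in the input because they are the natural precursor and useful for timeline ordering, but a key with no values changes nothing. Whether Defender honours values written into the WOW6432Node view is a separate question from detecting the attempt, which is what this rule does.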
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un320396.exe
Both values are the wextract_cleanupN RunOnce entries that IExpress self-extractors write so that the IXPnnn.TMP staging directory is deleted at the next logon via advpack.dll's DelNodeRunDLL32. They remove the unpacked files rather than relaunching the payloads, so treat them as an unpacking artefact when assessing persistence.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system. The recorded invocation is sc.exe start wuauserv (PID 5188), which starts the Windows Update service; in the process tree it appears at the top level rather than as a child of the sample.
pid | process
5188 | sc.exe
Program crash 1 IoCs
pid | pid_target | process | target process
4992 | 3956 | WerFault.exe | pro6351.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un320396.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro6351.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu0264.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | process
3956 | pro6351.exe
3956 | pro6351.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 3956 | pro6351.exe
Token: SeDebugPrivilege | 4068 | qu0264.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | process | target process
PID 2068 wrote to memory of 3832 | 2068 | c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe | un320396.exe
PID 2068 wrote to memory of 3832 | 2068 | c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe | un320396.exe
PID 2068 wrote to memory of 3832 | 2068 | c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe | un320396.exe
PID 3832 wrote to memory of 3956 | 3832 | un320396.exe | pro6351.exe
PID 3832 wrote to memory of 3956 | 3832 | un320396.exe | pro6351.exe
PID 3832 wrote to memory of 3956 | 3832 | un320396.exe | pro6351.exe
PID 3832 wrote to memory of 4068 | 3832 | un320396.exe | qu0264.exe
PID 3832 wrote to memory of 4068 | 3832 | un320396.exe | qu0264.exe
PID 3832 wrote to memory of 4068 | 3832 | un320396.exe | qu0264.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe (depth 1, PID 2068)
  command line: "C:\Users\Admin\AppData\Local\Temp\c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un320396.exe (depth 2, PID 3832)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un320396.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6351.exe (depth 3, PID 3956)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6351.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 4992)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0264.exe (depth 3, PID 4068)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0264.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2840)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3956 -ip 3956

C:\Windows\system32\sc.exe (depth 1, PID 5188)
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
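The tree above is a two-layer IExpress bundle: the sample unpacks into IXP000.TMP, the inner un320396.exe unpacks into IXP001.TMP, and only the third layer (the Healer stage pro6351.exe and the RedLine stage qu0264.exe) does anything hostile. As an added example that is not part of this report, the Python below rebuilds that lineage from constructed process-creation records modelled on the tree, flags executables started from nested IXPnnn.TMP directories, and parses the WerFault command lines to recover which process crashed. The `ProcEvent` layout and the `min_depth` threshold are assumptions.

```python
"""Reconstruct the execution chain above and flag IExpress-staged payloads.

Added example; it is not part of the sandbox report. The ProcEvent records are
constructed from the report's process tree, and their layout (pid, ppid, image,
cmdline) is an assumption rather than any real telemetry schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IExpress/wextract unpacks each layer into %TEMP%\IXPnnn.TMP; a lineage that
# passes through several such directories is a nested self-extracting bundle.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# WerFault names the faulting process with -p <pid> in both invocation forms seen above.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the recording
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Last component of a Windows path (os.path would not split on '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1]


def ancestry(by_pid, pid):
    """Follow ppid links upward; returns the chain root-first."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]


def staged_payloads(events, min_depth=2):
    """Processes run from an IXP directory whose lineage crosses >= min_depth IXP stages.

    Returns (image basename, 'root > ... > leaf') pairs in recording order.
    """
    by_pid = {e.pid: e for e in events}
    found = []
    for e in events:
        if not IXP_DIR.search(e.image):
            continue
        chain = ancestry(by_pid, e.pid)
        depth = sum(1 for p in chain if IXP_DIR.search(p.image))
        if depth >= min_depth:
            found.append((basename(e.image), " > ".join(basename(p.image) for p in chain)))
    return found


def crashed_processes(events):
    """Map faulting pid -> image basename for every WerFault.exe launch recorded."""
    by_pid = {e.pid: e for e in events}
    crashed = {}
    for e in events:
        if basename(e.image).lower() != "werfault.exe":
            continue
        m = WERFAULT_PID.search(e.cmdline)
        if m and int(m.group(1)) in by_pid:
            target = int(m.group(1))
            crashed[target] = basename(by_pid[target].image)
    return crashed


# Constructed records modelled on the process tree above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "c184dbb9f3891a327e64de36b10eefacc9695222fd7532e0d96093266eb932a4.exe"
SAMPLE_PROCS = [
    ProcEvent(2068, None, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(3832, 2068, f"{TEMP}\\IXP000.TMP\\un320396.exe", f"{TEMP}\\IXP000.TMP\\un320396.exe"),
    ProcEvent(3956, 3832, f"{TEMP}\\IXP001.TMP\\pro6351.exe", f"{TEMP}\\IXP001.TMP\\pro6351.exe"),
    ProcEvent(4992, 3956, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1080"),
    ProcEvent(4068, 3832, f"{TEMP}\\IXP001.TMP\\qu0264.exe", f"{TEMP}\\IXP001.TMP\\qu0264.exe"),
    ProcEvent(2840, None, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3956 -ip 3956"),
    ProcEvent(5188, None, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe start wuauserv"),
]

if __name__ == "__main__":
    for name, chain in staged_payloads(SAMPLE_PROCS):
        print(f"{name}: {chain}")
    print(crashed_processes(SAMPLE_PROCS))
```

With the default threshold the two third-layer executables are reported and the intermediate un320396.exe is not; lowering `min_depth` to 1 surfaces every IExpress layer, which is the better setting for hunting when the outer wrapper itself is of interest. The crash lookup resolves both WerFault launches (the child of pro6351.exe and the top-level `-pss` instance) to the same faulting PID, so the Healer stage is reported once.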
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 530KB
MD5: 852eeaa450caf96d43b42f26af0620a2
SHA1: 6445861ee7daa261a82340dc34146e03a529b9ad
SHA256: 478a8eb9c2964ea2c9065a2d273b294c9cf302eff774057c4abb31d5a892ccf5
SHA512: 68c761f8d35e82d445c75a0a12f95e6afd0dfdc7db596b218df517946b95e10044b6a553fc6a95dab10d0c8465e01c7fc7407e700584619cdea9286308cc67ff

Filesize: 259KB
MD5: 59037a5e63f45c484ab5a3b43d03485b
SHA1: a73851b81de83c916c664472d75e5e61a0f762cd
SHA256: 59e1d8ed2581dceb507cf50d0bc2a08a2b10ee57b81f55f58e01189a6076ad99
SHA512: e25db725830ba1458ebcff1602f2d3161991fcd7eaba730cfa7010b3546e15ddf5ccdf4d2f01d3fa5f3e62ad2b86e060da86caf4d0b910e2fb7b66f9e38516c3

Filesize: 318KB
MD5: dde4703ee3e3c33863fa3daba1d7dca2
SHA1: e65ee73b22140de68fe8bfd1fd36b9f23995a450
SHA256: ba150080b2ee0d52f2e92b9291d8c79cf16466ae1d4a0f8d75d94065d4b9cf7a
SHA512: 3e83ceff6e9c25eebd1267ffb28ca48249b88bf9089a0c5fdace3a9b26a4e21cb2f2dba38296b0c5efe89eab6e39d6cf3d29536d882e1c6c699b270e493a8a67