Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:38
Static task: static1
Behavioral task: behavioral1
Sample: 452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe
Resource: win10v2004-20241007-en
General
- Target: 452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe
- Size: 688KB
- MD5: 06e55ab5661262dfc62270c5d7d07510
- SHA1: 9b8da6ba1ec2744e6f4c973fa88db694a8c63a9d
- SHA256: 452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557
- SHA512: 485d277922ec371ad3fffa94a1f0683f0556b851674820bd296ce8bf05c46a8c954e107ed371d68d890d5771881802040a89f85b97eb3c4e3880d86f01354998
- SSDEEP: 12288:YMrSy90h1jNi/ppXrQLzKjIVVVmxuoXLDMw343xiYM6KbVjV9cKQ2uoL:6ySi/LXkiEmxlMo4hhM3pOoL
Malware Config
Extracted
- Family: redline
- Botnet: boris
- C2: 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes: pro4136.exe (PID 2552); 17 yara rule matches for "healer" on memory dumps of this process (behavioral1/memory/2552-*).
Healer family
-
Modifies Windows Defender Real-time Protection settings
Processes: pro4136.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro4136.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro4136.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro4136.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro4136.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro4136.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro4136.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
Processes: qu4728.exe (PID 1008); 20 yara rule matches for "family_redline" on memory dumps of this process (behavioral1/memory/1008-*).
Redline family
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 3728: unio6392.exe
- PID 2552: pro4136.exe
- PID 1008: qu4728.exe
Windows security modification
Processes: pro4136.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro4136.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro4136.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe, unio6392.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (unio6392.exe)
Program crash (1 IoCs)
Processes:
- PID 1284 WerFault.exe, target PID 2552 (pro4136.exe)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe, unio6392.exe, pro4136.exe, qu4728.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (unio6392.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro4136.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu4728.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2552 pro4136.exe
- PID 2552 pro4136.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2552 pro4136.exe
- Token: SeDebugPrivilege, PID 1008 qu4728.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe, unio6392.exe
- PID 1836 (452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe) wrote to memory of PID 3728 (unio6392.exe)
- PID 1836 (452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe) wrote to memory of PID 3728 (unio6392.exe)
- PID 1836 (452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe) wrote to memory of PID 3728 (unio6392.exe)
- PID 3728 (unio6392.exe) wrote to memory of PID 2552 (pro4136.exe)
- PID 3728 (unio6392.exe) wrote to memory of PID 2552 (pro4136.exe)
- PID 3728 (unio6392.exe) wrote to memory of PID 2552 (pro4136.exe)
- PID 3728 (unio6392.exe) wrote to memory of PID 1008 (qu4728.exe)
- PID 3728 (unio6392.exe) wrote to memory of PID 1008 (qu4728.exe)
- PID 3728 (unio6392.exe) wrote to memory of PID 1008 (qu4728.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe (PID 1836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\452a75ece68b35d141e9bc0cb4a85ca41c28fc2a19a0b0c96911565828ca2557.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6392.exe (PID 3728)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6392.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4136.exe (PID 2552)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4136.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1284)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1080
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4728.exe (PID 1008)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4728.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 760)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2552 -ip 2552
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize: 546KB
MD5: 4715db85c21edb925d135de33ad6a9f0
SHA1: 1f798449cd9376bbddb6bb5f832e0a4af88d6ea2
SHA256: 3ea684c5388f3ae9d21531e066e6ec3594ac45fc1c506238bdb905a54a2d45b5
SHA512: 441726dffd6541830791b0e1be2bc585a95ff948388500a3b5237dccd8a75cbe2d5c313fee049a0fada404610060f0528ca5ff9a229672ef5cce26b4ce31323c
-
Filesize: 329KB
MD5: 296c5d33bddd1abd4300b17a7dc14e12
SHA1: 9a9a8bd4062186c2a3a1278f45e85495d6504ff5
SHA256: 91f03221bc41a30bf7c9ebe59065953a3504445457684319514beccd373588bf
SHA512: 1d914a1dcd92174dcdc7cd7e3ffecac42a54f01cbe2c122cf56f94bc27509fd979f23a2716b8a1de3231ce7150c736c0c8596fcef201bfebdd03e4c3e6a94cb4
-
Filesize: 386KB
MD5: a7ffab4be58973b7d069034208cb5d2d
SHA1: 282f7ed4b8797555f6703fc9946e13f20537216e
SHA256: 528684a664c0c927e8132d6482ac6abc8a8d76c7368c50cca0bcb14fc5c56548
SHA512: 8d1a553b11461f0eeee0ec230c6f410dcf03f8d9f59c7f5f3d7a11d473637dbb57ead47bfa64c75bf1020350163d6a3dd983fb3d4e90229529cf82a96dbbf3f4