Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40
Static task: static1
Behavioral task: behavioral1
Sample: 919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe
Resource: win10v2004-20241007-en
General
Target: 919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe
Size: 689KB
MD5: 017cba7d9274776c9ea2e379d6e69887
SHA1: dc8109e9d8a80201804962de6013bbf28f4bd94e
SHA256: 919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135
SHA512: 7da82f3535f562e9e4114a988094de7fc13b94d7f09ab5de3cd03e22486cbd889d0c94269b13307f06e1c9cabd464c1277c4db9864bc6ef3bdc7bcba0321aca2
SSDEEP: 12288:mMr9y90BzulHQA0evIexDaTYPCajvvx7fheL4+a5DQw4WsCA4KUof8:jyKKP0evMT8fjvv5ks+aQ5VCAFUs8
Malware Config
Extracted
Family: redline
Botnet: stek
C2: melevv.eu:4162
auth_value: 4205381daf6946b2df5fe3bc7eacc918
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Resource (yara_rule: healer), all in behavioral1, PID 3780:
behavioral1/memory/3780-17-0x00000000070C0000-0x00000000070DA000-memory.dmp
behavioral1/memory/3780-19-0x0000000007150000-0x0000000007168000-memory.dmp
behavioral1/memory/3780-21-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-22-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-24-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-26-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-28-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-30-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-32-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-34-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-36-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-38-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-40-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-42-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-44-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-46-0x0000000007150000-0x0000000007162000-memory.dmp
behavioral1/memory/3780-48-0x0000000007150000-0x0000000007162000-memory.dmp
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: urOT23nE70.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (urOT23nE70.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (urOT23nE70.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (urOT23nE70.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (urOT23nE70.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (urOT23nE70.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (urOT23nE70.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Resource (yara_rule: family_redline), all in behavioral1, PID 2792:
behavioral1/memory/2792-60-0x0000000004CD0000-0x0000000004D16000-memory.dmp
behavioral1/memory/2792-61-0x00000000077C0000-0x0000000007804000-memory.dmp
behavioral1/memory/2792-62-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-63-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-65-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-67-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-69-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-71-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-73-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-75-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-77-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-79-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-81-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-83-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-85-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-87-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-89-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-91-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-93-0x00000000077C0000-0x00000000077FE000-memory.dmp
behavioral1/memory/2792-95-0x00000000077C0000-0x00000000077FE000-memory.dmp
Redline family
Executes dropped EXE (3 IoCs)
pid   process
1896  ycXP43xB90.exe
3780  urOT23nE70.exe
2792  wrJL12Za45.exe
Windows security modification (2 IoCs)
Processes: urOT23nE70.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (urOT23nE70.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (urOT23nE70.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe, ycXP43xB90.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ycXP43xB90.exe)
Program crash (1 IoCs)
pid  pid_target  process       target process
212  3780        WerFault.exe  urOT23nE70.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe, ycXP43xB90.exe, urOT23nE70.exe, wrJL12Za45.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ycXP43xB90.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (urOT23nE70.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wrJL12Za45.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   process
3780  urOT23nE70.exe
3780  urOT23nE70.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   process
Token: SeDebugPrivilege   3780  urOT23nE70.exe
Token: SeDebugPrivilege   2792  wrJL12Za45.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe, ycXP43xB90.exe
PID 696 wrote to memory of 1896 (919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe -> ycXP43xB90.exe)
PID 696 wrote to memory of 1896 (919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe -> ycXP43xB90.exe)
PID 696 wrote to memory of 1896 (919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe -> ycXP43xB90.exe)
PID 1896 wrote to memory of 3780 (ycXP43xB90.exe -> urOT23nE70.exe)
PID 1896 wrote to memory of 3780 (ycXP43xB90.exe -> urOT23nE70.exe)
PID 1896 wrote to memory of 3780 (ycXP43xB90.exe -> urOT23nE70.exe)
PID 1896 wrote to memory of 2792 (ycXP43xB90.exe -> wrJL12Za45.exe)
PID 1896 wrote to memory of 2792 (ycXP43xB90.exe -> wrJL12Za45.exe)
PID 1896 wrote to memory of 2792 (ycXP43xB90.exe -> wrJL12Za45.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe (PID 696)
  command line: "C:\Users\Admin\AppData\Local\Temp\919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycXP43xB90.exe (PID 1896)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urOT23nE70.exe (PID 3780)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1084 (PID 212)
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrJL12Za45.exe (PID 2792)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3780 -ip 3780 (PID 404)
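The tree above is a two-layer WExtract (IExpress self-extractor) chain: the submitted sample unpacks into IXP000.TMP and registers a `wextract_cleanup0` RunOnce entry, the extracted ycXP43xB90.exe unpacks again into IXP001.TMP with `wextract_cleanup1`, and only the second layer runs the Healer dropper and the RedLine payload. The following is an added example, not part of the report: it rebuilds parent/child ancestry from constructed process-creation events (field names modelled on Sysmon Event ID 1 and assumed), scores how many ancestors run out of IXP###.TMP staging directories, and recovers the staging directory from a `wextract_cleanup` RunOnce value.

```python
"""Reconstruct a nested WExtract dropper chain from process-creation
events and from the wextract_cleanup RunOnce value. Added example; the
events and field names are constructed assumptions, not captured data."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Staging directory that wextract.exe creates under %TEMP% for each layer.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP(\d{3})\.TMP\\", re.I)
# DelNodeRunDLL32 is the advpack export WExtract schedules to delete that dir.
RUNONCE_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32\s+\"([^\"]+)\"", re.I)


def build_tree(events: List[dict]) -> Tuple[Dict[int, dict], Dict[int, List[int]]]:
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    return by_pid, children


def chain(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Image paths from the outermost known ancestor down to pid."""
    path = []
    while pid in by_pid:
        path.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(path))


def sfx_depth(images: List[str]) -> int:
    """Number of processes in the ancestry that run out of IXP###.TMP."""
    return sum(1 for img in images if IXP_DIR.search(img))


def find_nested_sfx(events: List[dict], min_depth: int = 2) -> List[Tuple[int, List[str]]]:
    """Processes that themselves run from an IXP staging dir and whose
    ancestry contains at least min_depth such processes, i.e. an SFX
    unpacked by another SFX. Crash handlers and other children that are
    not themselves in a staging dir are not reported."""
    by_pid, _ = build_tree(events)
    hits = []
    for pid in by_pid:
        anc = chain(by_pid, pid)
        if IXP_DIR.search(anc[-1]) and sfx_depth(anc) >= min_depth:
            hits.append((pid, anc))
    return hits


def staging_dir_from_runonce(value: str) -> Optional[str]:
    """Directory a wextract_cleanupN RunOnce entry will delete at next logon."""
    m = RUNONCE_CLEANUP.search(value)
    return m.group(1) if m else None


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events mirroring the PIDs and paths in the tree above.
SAMPLE_EVENTS = [
    {"ProcessId": 696, "ParentProcessId": 4000,
     "Image": TEMP + "919aa89ea3b5d1722aedb72f87f841230fcda9f7f1855a68e7ce81ad16fb1135.exe"},
    {"ProcessId": 1896, "ParentProcessId": 696, "Image": TEMP + "IXP000.TMP\\ycXP43xB90.exe"},
    {"ProcessId": 3780, "ParentProcessId": 1896, "Image": TEMP + "IXP001.TMP\\urOT23nE70.exe"},
    {"ProcessId": 2792, "ParentProcessId": 1896, "Image": TEMP + "IXP001.TMP\\wrJL12Za45.exe"},
    {"ProcessId": 212, "ParentProcessId": 3780, "Image": "C:\\Windows\\SysWOW64\\WerFault.exe"},
]

# Constructed copy of the wextract_cleanup0 value format seen in the report.
SAMPLE_RUNONCE = ("rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "
                  "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"")

if __name__ == "__main__":
    for pid, anc in find_nested_sfx(SAMPLE_EVENTS):
        print(pid, " -> ".join(anc))
    print("cleanup target:", staging_dir_from_runonce(SAMPLE_RUNONCE))
```

Because WExtract deletes the staging directory via RunOnce at the next logon, the IXP###.TMP paths are volatile: collecting the dropped files (listed under Downloads below) during the run, or pulling them from the sandbox, is the only reliable way to get the second-stage binaries.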
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 545KB
MD5: ad14b848e70005351448b3e410b29d4f
SHA1: c5bea1f5b7d35da6d12777775ec645c24daf9138
SHA256: 91310af7d947cb943a40395b0d2cecdd489421eaa0c06bda4017a20638b3d31b
SHA512: b4a1b76c031ea511d23ec565f2410e06e9964ca94192e75205adb343483c92ee15706cd22d89ab37faebe214d6f0cb4b8c50da516e5fd6093062470f38415d8a

Filesize: 329KB
MD5: 374df8fbd9bd4bda5f30ec3ece0f1227
SHA1: 5249ddbeb23dfe83e2bdf7712b1267fdac3168a1
SHA256: 99d529b6645fee0fb4d9c010b661bf64242ee5c366a78f8d2cbe8a914b0220ba
SHA512: 852bd7ad74934d6c3da799ce579989addf82f06fcbacc5118c31eb4c97a0b6e1c459b71e800885434aab3b548ae775012853e3f424672c7923021c68d5da5590

Filesize: 387KB
MD5: 066b5456cc754c4c01232eb5f6528b57
SHA1: a530c7bbf3cda6f6edf3d5b210a43630d3828f40
SHA256: b428258fc52be23096aa6c4e68251e60514dedcd2ee8a4cdca2f60d3f55a1630
SHA512: 09ac6e0aa74919ee2321b79f267cf14baf3a8cb2bf3e589ae3b764af1e7ce495bea67c9ebcfcbb92ac4b4c3d8557052a1c979066138f0c4439a8c4d5e38878d5