Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:39
Static task: static1
Behavioral task: behavioral1
Sample: d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe
Resource: win10v2004-20241007-en
General
Target: d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe
Size: 694KB
MD5: 49af0323a341fda4bf438cb7cbe952a5
SHA1: 8d99d60aa4272fe965c0c78fb5f7acb05cdc93b3
SHA256: d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8
SHA512: da94375bfd68a19560263d55bad884153efe4bb7d2538dcd532df4a466586a4233b9a2484dabf66c03dc6d41082ab0d38b9a444a6da670fb5dfefdb4a94f5189
SSDEEP: 12288:VMryy90zPKCZKfKo8MFFW3eQM7ePCaDzKG2FB768uVoOQZmIf2E6x5r7v:Lywgft8MT4eTePCOWG2f+BHQo4uX
Malware Config
Extracted family: redline
Botnet tag: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus-disabler dropper (17 IoCs)
YARA rule `healer` matched the following memory dumps of PID 2884 (pro8242.exe):
- behavioral1/memory/2884-15-0x0000000004720000-0x000000000473A000-memory.dmp
- behavioral1/memory/2884-17-0x00000000047C0000-0x00000000047D8000-memory.dmp
- behavioral1/memory/2884-19-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-20-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-22-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-24-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-26-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-28-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-30-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-32-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-34-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-36-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-38-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-40-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-42-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-44-0x00000000047C0000-0x00000000047D2000-memory.dmp
- behavioral1/memory/2884-46-0x00000000047C0000-0x00000000047D2000-memory.dmp
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
pro8242.exe writes the Defender Group Policy keys that switch real-time protection off:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
The WOW6432Node prefix shows the writer is a 32-bit process running under WOW64. The Policies\...\Real-Time Protection key normally exists only where Group Policy configures Defender, so its creation by a process in the user's Temp directory is itself a strong signal, independent of whether Defender honours the values.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
YARA rule `family_redline` matched the following memory dumps of PID 2624 (qu0058.exe):
- behavioral1/memory/2624-56-0x0000000004830000-0x0000000004876000-memory.dmp
- behavioral1/memory/2624-57-0x0000000004D30000-0x0000000004D74000-memory.dmp
- behavioral1/memory/2624-58-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-59-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-61-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-63-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-65-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-67-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-69-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-71-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-73-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-75-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-77-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-79-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-81-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-83-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-85-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-87-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-89-0x0000000004D30000-0x0000000004D6F000-memory.dmp
- behavioral1/memory/2624-91-0x0000000004D30000-0x0000000004D6F000-memory.dmp
Redline family

Executes dropped EXE (3 IoCs)
- PID 2728 un650907.exe
- PID 2884 pro8242.exe
- PID 2624 qu0058.exe

Windows security modification
pro8242.exe also targets Defender's Tamper Protection switch:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Tamper Protection exists precisely to stop non-Defender processes from changing this value and the Real-Time Protection policies above through the registry, so on a host with it enabled these writes are expected to be blocked or reverted; the attempt is still the detection.
Adds Run key to start application (2 TTPs, 2 IoCs)
- d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- un650907.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Both entries are the standard cleanup hook written by the Windows WEXTRACT (IExpress) self-extractor: at the next logon, rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory. They remove the dropper's staging folders rather than relaunch a payload, so they evidence two nested self-extracting wrappers (the outer sample unpacks un650907.exe into IXP000.TMP, which in turn unpacks pro8242.exe and qu0058.exe into IXP001.TMP) rather than persistence of the stealer.
Program crash (1 IoC)
- WerFault.exe (PID 4800) handled a crash of pro8242.exe (PID 2884)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each process in the chain:
- un650907.exe
- pro8242.exe
- qu0058.exe
- d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe
Locale lookups hit this key in plenty of legitimate software, so treat it as context rather than a detection on its own.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pro8242.exe (PID 2884), two events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- pro8242.exe (PID 2884): Token: SeDebugPrivilege
- qu0058.exe (PID 2624): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3224 d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe wrote to memory of PID 2728 un650907.exe (3 events)
- PID 2728 un650907.exe wrote to memory of PID 2884 pro8242.exe (3 events)
- PID 2728 un650907.exe wrote to memory of PID 2624 qu0058.exe (3 events)
Every writer/target pair is a parent and its own child in the process tree below, so these are writes made while spawning the dropped executables, not injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe (PID 3224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe (PID 2728)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650907.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe (PID 2884)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8242.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 4800)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1084
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe (PID 2624)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0058.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 3996)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2884 -ip 2884
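The report's Defender-tampering, RunOnce and WriteProcessMemory findings above are easier to act on once the flattened event rows are parsed and rated. The following is an added example, not part of the sandbox report and not code from the sandbox vendor or from the sample: a small Python triage helper that reads event lines in the flattened format used on this page (the sample rows are constructed by copying entries from this report), normalises the WOW6432Node paths so 32-bit and 64-bit writes compare equal, tags each registry event with an ATT&CK technique and a severity, separates the WEXTRACT cleanup RunOnce entries from genuine autostart persistence, and collapses the triplicated WriteProcessMemory rows into the parent-to-child chain. The severity scale, the rule set, and the assumption that Defender stores 5 in TamperProtection when Tamper Protection is on are this example's own.

```python
"""Triage helpers for flattened sandbox behavioural events (added example)."""
import re

# Constructed sample input: registry event rows copied from the report above.
REGISTRY_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro8242.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro8242.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro8242.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro8242.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un650907.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu0058.exe',
]

# Constructed sample input: WriteProcessMemory rows copied from the report (the
# sandbox records each parent->child write several times, hence the duplicates).
WRITE_EVENTS = [
    "PID 3224 wrote to memory of 2728 3224 d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe un650907.exe",
    "PID 3224 wrote to memory of 2728 3224 d3a5776318cacce3f237a584c78a9d2ed33b0be1685b811756e6e3fdd76c80a8.exe un650907.exe",
    "PID 2728 wrote to memory of 2884 2728 un650907.exe pro8242.exe",
    "PID 2728 wrote to memory of 2884 2728 un650907.exe pro8242.exe",
    "PID 2728 wrote to memory of 2624 2728 un650907.exe qu0058.exe",
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r"^Key (opened|created) (.+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")

DEFENDER_POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
TAMPER_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"
TAMPER_ENABLED = "5"  # assumption: value Defender writes when Tamper Protection is on


def normalise(path):
    """Map the kernel-style path to HKLM and drop the WOW64 redirection node so a
    32-bit dropper's writes compare equal to the 64-bit policy path."""
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    return path.replace("\\WOW6432Node\\", "\\", 1)


def parse_registry_event(line):
    """Parse one 'Set value' or 'Key opened/created' row into a dict."""
    m = SET_RE.match(line)
    if m:
        _kind, path, value, proc = m.groups()
        return {"op": "set", "path": normalise(path), "value": value, "process": proc}
    m = KEY_RE.match(line)
    if m:
        op, path, proc = m.groups()
        return {"op": op, "path": normalise(path), "value": None, "process": proc}
    raise ValueError("unrecognised event: " + line)


def classify(ev):
    """Return (ATT&CK technique, severity, note) for one parsed registry event."""
    path, value, op = ev["path"], ev["value"], ev["op"]
    name = path.rsplit("\\", 1)[-1]
    if op == "set" and path.startswith(DEFENDER_POLICY) and name.startswith("Disable") and value == "1":
        return ("T1562.001", "high", name + " forced on via Defender policy")
    if op == "created" and path + "\\" == DEFENDER_POLICY:
        return ("T1562.001", "medium", "Defender Real-Time Protection policy key created")
    if op == "set" and path == TAMPER_KEY and value != TAMPER_ENABLED:
        return ("T1562.001", "high", "TamperProtection set to " + value)
    if op == "set" and ("\\CurrentVersion\\Run\\" in path or "\\CurrentVersion\\RunOnce\\" in path):
        # WEXTRACT's own cleanup hook deletes the IXP temp dir; it relaunches nothing.
        if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in value:
            return ("T1547.001", "low", "WEXTRACT self-extractor cleanup entry, not payload persistence")
        return ("T1547.001", "medium", "autostart entry " + name)
    if path.endswith("\\Control\\NLS\\Language"):
        return ("T1614.001", "info", "system language lookup; common in benign software too")
    return (None, "info", "no rule matched")


def triage(lines):
    """Classify every registry row; returns dicts ordered highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    out = []
    for line in lines:
        ev = parse_registry_event(line)
        technique, severity, note = classify(ev)
        out.append({**ev, "technique": technique, "severity": severity, "note": note})
    return sorted(out, key=lambda f: order[f["severity"]])


def injection_chain(lines):
    """Collapse repeated WriteProcessMemory rows into unique (ppid, parent, pid, child)
    edges in first-seen order, i.e. the spawn chain of the dropper."""
    edges = []
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError("unrecognised event: " + line)
        ppid, pid, parent, child = m.groups()
        edge = (int(ppid), parent, int(pid), child)
        if edge not in edges:
            edges.append(edge)
    return edges


if __name__ == "__main__":
    for f in triage(REGISTRY_EVENTS):
        print(f'{f["severity"]:6} {f["technique"] or "-":9} {f["process"]:14} {f["note"]}')
    for ppid, parent, pid, child in injection_chain(WRITE_EVENTS):
        print(f"{parent} ({ppid}) -> {child} ({pid})")
```

Run against the constructed rows, the three Defender writes come out as high, the policy key creation as medium, the wextract_cleanup1 RunOnce entry as low with an explanatory note, and the NLS\Language read as informational; the WriteProcessMemory rows collapse to the same three edges the process tree shows.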
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads

Dropped file 1
Filesize: 553KB
MD5: 4b85352b566461a19adb842242046a83
SHA1: c341c61219dab28de21ded6cc2ef1d2834643b74
SHA256: bf10a41943bd542726e6993180fe4cbe709563b5e1128f1571fc4c61cc32252e
SHA512: b19e67e18635ff6c052eef2bc1200b303f0133badd389bea75c38ba844be5a0390724dc9eb4b0c53d29525aee9f13552297b60e1b8013d42618e1b135f028e02

Dropped file 2
Filesize: 347KB
MD5: 196313764dffb67558dbde2ce17579cb
SHA1: 9036880fb487ecdf8087578b0c16591dd9f67bf4
SHA256: 8115e3d583de3dc8221e4807fc16140c12ab77fb076bbb48e874a4e4a14fc287
SHA512: a874a7558bfd547df6e44f3aef2ce5643f632f93d9ecefdfa131bff2fae46eb3bd5620ddb1710583b25d933a96a6f1879a637d405df48adef0d6f3180cc4a426

Dropped file 3
Filesize: 405KB
MD5: d8c616005f707a17680af72d8b90e689
SHA1: d0417fde83d91a1cbb20aa8f4444bcce871189a3
SHA256: bf69ea1bb67d82014bd394b8e9330e3d55676ccf687d035a48734d9aa7c14b73
SHA512: 559a69f80d007ad39e2984d1902bf35e5068edfa719644e316616023cbaae65ab96ac6b650161b453ed1e95c52f83b088219a2be018e3cb807ea2984e51758ac