Analysis

Max time kernel: 148s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-11-2024 01:43

Static task: static1
Behavioral task: behavioral1
Sample: 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe
Resource: win10v2004-20241007-en
General

Target: 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe
Size: 688KB
MD5: c8905450b65f99ae405bf621a149acc5
SHA1: ad70b0701d6d50537476ebb5147fba617ebe0102
SHA256: 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a
SHA512: 93544d2527f2143d8bb03943d646df52e642647f8311c180e532503601b2bf223c7a0aef2c2e48e62f076712d0a5ad2c21c67eff63ca75b41f53304bc1dfc7a5
SSDEEP: 12288:jMrEy90J8Slz8Do/o5uUH4hlpnKXI5VVmYxSeYy+zB43xXYMhKbvxGdDWXu2:XyM8Slyo/le2l9PmYxSjR4hIMA7xGVw7
Malware Config

Extracted: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: pro6282.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro6282.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro6282.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro6282.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro6282.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro6282.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro6282.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
PID / process:
- 588 unio4666.exe
- 4968 pro6282.exe
- 1772 qu7454.exe
Windows security modification
Processes: pro6282.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro6282.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro6282.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe, unio4666.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (unio4666.exe)
Program crash (1 IoC)
PID / target PID / process / target process:
- 4468 / 4968 / WerFault.exe / pro6282.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: pro6282.exe, qu7454.exe, 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe, unio4666.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro6282.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu7454.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (unio4666.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID / process:
- 4968 pro6282.exe
- 4968 pro6282.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description / PID / process:
- Token: SeDebugPrivilege / 4968 / pro6282.exe
- Token: SeDebugPrivilege / 1772 / qu7454.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe, unio4666.exe
Description / PID / process / target process:
- PID 4912 wrote to memory of 588 / 4912 / 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe / unio4666.exe
- PID 4912 wrote to memory of 588 / 4912 / 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe / unio4666.exe
- PID 4912 wrote to memory of 588 / 4912 / 062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe / unio4666.exe
- PID 588 wrote to memory of 4968 / 588 / unio4666.exe / pro6282.exe
- PID 588 wrote to memory of 4968 / 588 / unio4666.exe / pro6282.exe
- PID 588 wrote to memory of 4968 / 588 / unio4666.exe / pro6282.exe
- PID 588 wrote to memory of 1772 / 588 / unio4666.exe / qu7454.exe
- PID 588 wrote to memory of 1772 / 588 / unio4666.exe / qu7454.exe
- PID 588 wrote to memory of 1772 / 588 / unio4666.exe / qu7454.exe
Processes

C:\Users\Admin\AppData\Local\Temp\062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe (depth 1, PID 4912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\062776ef7a20d08c9e92343d49872bf7e002ca33beddc186062264c16e43f39a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe (depth 2, PID 588)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4666.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe (depth 3, PID 4968)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6282.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 4468)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1084
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe (depth 3, PID 1772)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7454.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4688)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4968 -ip 4968
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads