Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:27
Static task: static1
Behavioral task: behavioral1
Sample: 6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe
Resource: win10v2004-20241007-en
General

Target: 6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe
Size: 689KB
MD5: 715225559a26e9b3cc23c12f9aa6ec27
SHA1: 62b5d66c76c56ed2fbcc883b3f1d948fec6f3b46
SHA256: 6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9
SHA512: 5b832ae76d6bf41c1ca4da7d911dbcf360e88397facba91505a2f53c9caf0960b9751c9ce9a258d97c25bd2eb761e440ff0b4e94de8c3471a69e23240c25457b
SSDEEP: 12288:AMr0y90JdUcA1KYXQyx65hLuOHw2odbPc3skBvGFuffigQwgJlM7SW2rFFfB:EyudpA1LhcfajbGjBCufagK+7bgFNB
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes:
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/4728-19-0x00000000028E0000-0x00000000028FA000-memory.dmp  healer
behavioral1/memory/4728-21-0x0000000004DE0000-0x0000000004DF8000-memory.dmp  healer
behavioral1/memory/4728-22-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-49-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-47-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-45-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-43-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-41-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-39-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-37-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-35-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-33-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-31-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-29-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-27-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-25-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
behavioral1/memory/4728-23-0x0000000004DE0000-0x0000000004DF2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro9070.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro9070.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro9070.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro9070.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro9070.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro9070.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/1616-60-0x0000000003A90000-0x0000000003AD6000-memory.dmp  family_redline
behavioral1/memory/1616-61-0x0000000006600000-0x0000000006644000-memory.dmp  family_redline
behavioral1/memory/1616-72-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-67-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-65-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-73-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-95-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-93-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-89-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-87-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-85-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-83-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-81-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-79-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-75-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-69-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-91-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-77-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-63-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
behavioral1/memory/1616-62-0x0000000006600000-0x000000000663F000-memory.dmp  family_redline
Redline family

Executes dropped EXE (3 IoCs)
Processes:
pid  process
4532  un688065.exe
4728  pro9070.exe
1616  qu5215.exe
Windows security modification (2 IoCs)
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro9070.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro9070.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un688065.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
116  sc.exe
Program crash (1 IoC)
Processes:
pid  pid_target  process  target process
3628  4728  WerFault.exe  pro9070.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro9070.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu5215.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un688065.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid  process
4728  pro9070.exe
4728  pro9070.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description  pid  process
Token: SeDebugPrivilege  4728  pro9070.exe
Token: SeDebugPrivilege  1616  qu5215.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description  pid  process  target process
PID 764 wrote to memory of 4532  764  6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe  un688065.exe
PID 764 wrote to memory of 4532  764  6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe  un688065.exe
PID 764 wrote to memory of 4532  764  6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe  un688065.exe
PID 4532 wrote to memory of 4728  4532  un688065.exe  pro9070.exe
PID 4532 wrote to memory of 4728  4532  un688065.exe  pro9070.exe
PID 4532 wrote to memory of 4728  4532  un688065.exe  pro9070.exe
PID 4532 wrote to memory of 1616  4532  un688065.exe  qu5215.exe
PID 4532 wrote to memory of 1616  4532  un688065.exe  qu5215.exe
PID 4532 wrote to memory of 1616  4532  un688065.exe  qu5215.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b4ad7650c184eb17dad6aa362b726cc1a6b8ce1fe1da05e6ae67915587b20a9.exe"
  PID: 764
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un688065.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un688065.exe
    PID: 4532
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9070.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9070.exe
      PID: 4728
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1080
        PID: 3628
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5215.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5215.exe
      PID: 1616
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4728 -ip 4728
  PID: 4804

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 116
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 547KB
MD5: ebf74a212a17c366304c703ef4e1d54f
SHA1: b2baf0ed52f23ae00c8924e0644c73e1ef0fa20f
SHA256: 9eccfeadb48f524c4ebe931e764205a246224b124eb9ec4dfb79d9e36d9b20e7
SHA512: f4f08dd44d9b11751581437ca546262f13ccce1328b7f969c3eabd844bc8352db6d15475291d0e98de20bcf3f94fb003ed3214764c77af8f2a24bc0e79b56405

Filesize: 291KB
MD5: 5f81d124bf8ae24983912ab3b9b32fd8
SHA1: dbb7ae856cc24dafc74b457801c45c7227d895e4
SHA256: a1c50911f0d8729a9128c0794ba801090fe915c5f09cedbab5675cca35e8e9fa
SHA512: bf030e4c39c0dd5f6cb959b7114a370ab2eb2a2803593490d397ecaab317354a9cec318ed55a056c398fe2a2c8e6a55cadf06792f67f6cd4f5849ee44dfa4e6c

Filesize: 345KB
MD5: 69839ff71a3156a1494c1e93315035cc
SHA1: cc70f99c0631b74f5fd8a28bd7c4e42eec2fc841
SHA256: 476f47dcc0135c5209e5a648a03a6d4a1d5107b51b55e87dc498b5c69d55e608
SHA512: c3e6dd6ad02674f5e8b5ab053910d1653af40c1dbc7d7acfc229d82afe23f8dc65e6312c87914b913b8d8a035bce31914178b7c4a8a9361a13e24e0f00a577f7