Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:26
Static task: static1
Behavioral task: behavioral1
Sample: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe
Resource: win10v2004-20241007-en
General

Target: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe
Size: 672KB
MD5: 1d4762e8a51b8c0794e928280b5c614b
SHA1: a1462a9a21b1c14451a467185f696269e1c66a97
SHA256: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf
SHA512: 997b7588d3b7e72abe8e911b20aafdca50ccac76cea628e3e93b6503d1a7e081412c9125fd50a7c5a52c93d70838fcdcc4c77e45fae9f10b4656d12e27ce17d1
SSDEEP: 12288:TMrIy904AMT4lfbMz0fmCKI5mWcE278KYvomiV+YI+36prAhMc:jyGM0JCyfcE278Fvo4rxxAhZ
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: pro3989.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro3989.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro3989.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro3989.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro3989.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro3989.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro3989.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
Processes: un960884.exe, pro3989.exe, qu3193.exe
  PID 2172: un960884.exe
  PID 4272: pro3989.exe
  PID 4388: qu3193.exe
Windows security modification
Processes: pro3989.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro3989.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro3989.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe, un960884.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un960884.exe)
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
  PID 5712: sc.exe
Program crash (1 IoC)
Processes: WerFault.exe
  PID 3660: WerFault.exe (target PID 4272, target process pro3989.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe, un960884.exe, pro3989.exe, qu3193.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un960884.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro3989.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu3193.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pro3989.exe
  PID 4272: pro3989.exe
  PID 4272: pro3989.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pro3989.exe, qu3193.exe
  Token: SeDebugPrivilege, PID 4272, pro3989.exe
  Token: SeDebugPrivilege, PID 4388, qu3193.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe, un960884.exe
  PID 3048 wrote to memory of 2172: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe -> un960884.exe
  PID 3048 wrote to memory of 2172: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe -> un960884.exe
  PID 3048 wrote to memory of 2172: 4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe -> un960884.exe
  PID 2172 wrote to memory of 4272: un960884.exe -> pro3989.exe
  PID 2172 wrote to memory of 4272: un960884.exe -> pro3989.exe
  PID 2172 wrote to memory of 4272: un960884.exe -> pro3989.exe
  PID 2172 wrote to memory of 4388: un960884.exe -> qu3193.exe
  PID 2172 wrote to memory of 4388: un960884.exe -> qu3193.exe
  PID 2172 wrote to memory of 4388: un960884.exe -> qu3193.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4316d12cf49f32710a270ac60896cd270520b649e535c4285aa50b44bccd2daf.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3048

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un960884.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un960884.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2172

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3989.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3989.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4272

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1040
        - Program crash
        PID: 3660

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3193.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3193.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4388

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4272 -ip 4272
  PID: 4716

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 5712
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 531KB
MD5: 90746338cfbb7cb5728ec535a9e09e53
SHA1: 1663418adf0dc2770a1ae01ffe028a205317f344
SHA256: 4fb9704699117de6e631dd601ff6b18e39d76b45098a0f9f7f31a799540c487e
SHA512: 52f76c561653326ffc547e6fcb0426db26694ea6db36cb701d637d368f254e65dd517d4a7af3d7d59cf402806be86e2183bef5e06d075d1ec97ec85883c9a362

Filesize: 259KB
MD5: 79edab4765cbc6693d724a4606998c06
SHA1: 6723ab33bdc6ccf9cff13fe0bb00db1398a201ff
SHA256: b556ef992356c881edb11d8f830d4e833f14b7a97b9871cb7f8432cc902df426
SHA512: 5fad906ada6331395008c0234218d97661a87832cc59e066f2fbcd2194784fbe242bb9288c758ee1ad058565336e7ef5103515b6bc07b22edf2b9bb2bc50bf0f

Filesize: 318KB
MD5: f341ed7a114a4a239508ead69142414f
SHA1: 4b21355a62481197f2541c35c6b9ff6a79a2400a
SHA256: 8ac9cffa78e8ba9bf2a9759569588f83aaee51b366606c592f7a9a146642e3c1
SHA512: a82827d09edc4d5a13b63657dd4d1e0a20169be7a0003cf71dd7ac4067dfcdf958a0a963c8d3f4ce6117fbd5f7e6eafff9712ac0367ba4310c4ef8f0487d11f0