Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:26

Static task: static1
Behavioral task: behavioral1
Sample: 5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe
Resource: win10v2004-20241007-en
General
Target: 5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe
Size: 688KB
MD5: 780d5c2e03a91df5b264bfe540fabd9d
SHA1: f7705a9f2404335464b00cda13d3b3a5faf9cfe1
SHA256: 5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052
SHA512: 28015a66346ca4f64b7338e96f497fded1021baaffd263ec022c6c0d0c2c80be276a71524248bc92d9e1843d414adacb811838a55c5ca9495cc40ff8a83af0df
SSDEEP: 12288:XMrHy90F9DW5wRKJfVWbGSxj1mT79gF8+tTEaICR43x3YMUKbZ+FRsOsM8:wyG9jKtV+GujQf9AKax4hoMVd+FRvsM8
Malware Config
Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/2124-18-0x0000000004710000-0x000000000472A000-memory.dmp  healer
  behavioral1/memory/2124-20-0x0000000004AD0000-0x0000000004AE8000-memory.dmp  healer
  behavioral1/memory/2124-21-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-32-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-48-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-46-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-44-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-42-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-40-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-38-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-36-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-34-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-30-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-28-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-26-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-22-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer
  behavioral1/memory/2124-24-0x0000000004AD0000-0x0000000004AE2000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs; signature name taken from the process tree entry for pro6871.exe)
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro6871.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro6871.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro6871.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro6871.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro6871.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro6871.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/1312-60-0x0000000004B10000-0x0000000004B56000-memory.dmp  family_redline
  behavioral1/memory/1312-61-0x0000000004C20000-0x0000000004C64000-memory.dmp  family_redline
  behavioral1/memory/1312-93-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-95-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-91-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-89-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-87-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-85-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-83-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-81-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-79-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-77-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-73-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-71-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-69-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-67-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-65-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-63-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-75-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline
  behavioral1/memory/1312-62-0x0000000004C20000-0x0000000004C5F000-memory.dmp  family_redline

Redline family

Executes dropped EXE (3 IoCs)
Processes (pid / process):
  3112  unio0913.exe
  2124  pro6871.exe
  1312  qu8405.exe

Windows security modification (2 IoCs; signature name taken from the process tree entry for pro6871.exe)
Processes (description / ioc / process):
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro6871.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro6871.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  unio0913.exe

Program crash (1 IoCs)
Processes (pid / pid_target / process / target process):
  1464  2124  WerFault.exe  pro6871.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  unio0913.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro6871.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu8405.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
  2124  pro6871.exe
  2124  pro6871.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  2124  pro6871.exe
  Token: SeDebugPrivilege  1312  qu8405.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
  PID 4472 wrote to memory of 3112  4472  5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe  unio0913.exe
  PID 4472 wrote to memory of 3112  4472  5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe  unio0913.exe
  PID 4472 wrote to memory of 3112  4472  5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe  unio0913.exe
  PID 3112 wrote to memory of 2124  3112  unio0913.exe  pro6871.exe
  PID 3112 wrote to memory of 2124  3112  unio0913.exe  pro6871.exe
  PID 3112 wrote to memory of 2124  3112  unio0913.exe  pro6871.exe
  PID 3112 wrote to memory of 1312  3112  unio0913.exe  qu8405.exe
  PID 3112 wrote to memory of 1312  3112  unio0913.exe  qu8405.exe
  PID 3112 wrote to memory of 1312  3112  unio0913.exe  qu8405.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d44bbb87475105c66172b76c1e36520bca0c7853a3dee3884b9c078d0672052.exe"
  PID: 4472
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0913.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0913.exe
    PID: 3112
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6871.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6871.exe
      PID: 2124
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1080
        PID: 1464
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8405.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8405.exe
      PID: 1312
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2124 -ip 2124
  PID: 1156
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 546KB
MD5: a2416e07eac2d669ace7e50b62ea94f7
SHA1: 942295ed26ac77e685d86bd126d2eae6f3da36e2
SHA256: 56b116c123d041121848d65eeddb3ac2021090dfffe9ef28e01e595783cace73
SHA512: a0c393b5c817e973afd70afad2e61b2d365f849e7b8fec4ddf5b1599e53dcebec62650dcc22fe76ed6b7c4cb8ed4c93244e206f9005b9337d39e4421c8d5050e

Filesize: 329KB
MD5: 8480a49ea14e95742a0d3126c44a8c07
SHA1: 410e90f0ae4d2ae074efe7342d36e41759608695
SHA256: 044331b8005e08b3b2d58b9f54fb07896ba9f76dd2494ed3925b4eacbf4c5349
SHA512: a76d2bb936957d5eaf3100e8b71cc128343fe13561340c2eee4a563e53f0721a81311b5a4651f268ff00a8c5eb0202942ccf2d6d360f25c1843d9f63ed0249ea

Filesize: 386KB
MD5: 275a8aaaec7a26e863133c3114224c8d
SHA1: 459f309348c4dbea7288ed2a2d56fc8dd6b9d7fe
SHA256: 8890d3ae21dde9bc9a8069b7e13e41b1de0e197b14c7082119c6d5d0ec12923f
SHA512: e063bc4e2bdb6d906590ad6f76ea1a6fa873f6b12194904150f744a7f154bdad52c2405ca252acc60b82d07ff937b8da117e46c962e5359403953fe5747b22c8