Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:34
Static task: static1
Behavioral task: behavioral1
Sample: 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe
Resource: win10v2004-20241007-en
General
Target: 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe
Size: 516KB
MD5: d4cc7d0dadcfb1fb0a21fa114592015c
SHA1: 34280083301fac39fb10974b307a15380c5e2d96
SHA256: 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622
SHA512: b072e47d42cd8d706c06e17ccf176215fa79565e4b37e47581e64ed70f9b8c6c8257aa68463e51f42e8c99f22249ae5db9eaa54559b77225ebfb8f1d03d5b50a
SSDEEP: 12288:AMr9y90nHAWaL8i04nioHGukmy3W/Ptvi9cn:tyo3NcOmymntvi9I
Malware Config
Extracted
Family: redline
Botnet: rosto
C2: hueref.eu:4162
auth_value: 07d81eba8cad42bbd0ae60042d48eac6
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | urxa95ov79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | urxa95ov79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | urxa95ov79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | urxa95ov79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | urxa95ov79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | urxa95ov79.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (2 IoCs)
Processes:
pid | process
3960 | urxa95ov79.exe
4504 | wrMR23Mw29.exe
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | urxa95ov79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | urxa95ov79.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
876 | 3960 | WerFault.exe | urxa95ov79.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | urxa95ov79.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wrMR23Mw29.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3960 | urxa95ov79.exe
3960 | urxa95ov79.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3960 | urxa95ov79.exe
Token: SeDebugPrivilege | 4504 | wrMR23Mw29.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 2128 wrote to memory of 3960 | 2128 | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe | urxa95ov79.exe
PID 2128 wrote to memory of 3960 | 2128 | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe | urxa95ov79.exe
PID 2128 wrote to memory of 3960 | 2128 | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe | urxa95ov79.exe
PID 2128 wrote to memory of 4504 | 2128 | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe | wrMR23Mw29.exe
PID 2128 wrote to memory of 4504 | 2128 | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe | wrMR23Mw29.exe
PID 2128 wrote to memory of 4504 | 2128 | 42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe | wrMR23Mw29.exe
Processes
C:\Users\Admin\AppData\Local\Temp\42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42fb7c372426740d446624dc0084f18f443f4b0ee9ec798288b53fd17a5ab622.exe"
  PID: 2128
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urxa95ov79.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urxa95ov79.exe
    PID: 3960
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1084
      PID: 876
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrMR23Mw29.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrMR23Mw29.exe
    PID: 4504
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3960 -ip 3960
  PID: 3840
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 232KB
MD5: fa0bf4034c0d1c31e46269512270b913
SHA1: fe2cc134263ff123c8448a62bff83853a22a8298
SHA256: 115b1dd2d011b884f77b0d51c7093ef306649f3d3d78c4ee8b64822add6d944f
SHA512: dd688e8d5b627a70b9d5b2a847a968f8189739c3a85ad5fe68d487a5cb59bc418a95d324ab53bfe08c1c7f7ad3845aa815ca59dd212071875e5e14099e2f6a53

Filesize: 289KB
MD5: 71a839f728f79ee4af543c5ec12771fb
SHA1: f1503f9dc53c3e32ff7256d84d151f76cf601d5c
SHA256: 563fa95b6824faee24bef23daae68b191bbf5ec09941d90abad95f8999f195fb
SHA512: b5a8fde95f70836adb284ed60fb56dcab939139f382c39a6aa4e54f859090330e99346ee27a663907f9e6b1a6bf9eb0e859da8aa92739f430f52e277fa13b6e9