Analysis

  max time kernel:   149s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         10-11-2024 01:35

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe
    Resource:        win10v2004-20241007-en
General

  Target:  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe
  Size:    670KB
  MD5:     e01c954f0ab07eac9661e338a2a43264
  SHA1:    35a05dc6b3c17a6eb97b4c2ae1255298a96eb954
  SHA256:  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e
  SHA512:  e3ecac72875626a13d46bfc0f72ace63cce3c2b10b192c879ac7318b8d9abf02af307828a78988f767a2f534efe1820c8812b31b98b76e2e40119b05578e2f74
  SSDEEP:  12288:hMruy907cscP/qXAIxy7wJ3hhQ3fKEcHmRp5LeuvGS0gwgqkhnd:byqlcKXAsJ3tHmRrKiGPkhnd
Malware Config

  Extracted
    Family:      redline
    Botnet:      sony
    C2:          193.233.20.33:4125
    auth_value:  1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
  Resource                                                                     YARA rule
  behavioral1/memory/1544-19-0x00000000025E0000-0x00000000025FA000-memory.dmp  healer
  behavioral1/memory/1544-21-0x0000000002740000-0x0000000002758000-memory.dmp  healer
  behavioral1/memory/1544-25-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-49-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-48-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-46-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-43-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-41-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-39-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-37-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-35-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-33-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-31-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-29-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-27-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-24-0x0000000002740000-0x0000000002752000-memory.dmp  healer
  behavioral1/memory/1544-22-0x0000000002740000-0x0000000002752000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
  Process      Description      IoC
  pro5250.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  pro5250.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  pro5250.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  pro5250.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  pro5250.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  pro5250.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
  Resource                                                                     YARA rule
  behavioral1/memory/1440-61-0x0000000002680000-0x00000000026C6000-memory.dmp  family_redline
  behavioral1/memory/1440-62-0x0000000004D40000-0x0000000004D84000-memory.dmp  family_redline
  behavioral1/memory/1440-92-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-96-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-94-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-90-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-88-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-86-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-84-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-82-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-80-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-78-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-76-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-74-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-72-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-70-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-66-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-64-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-68-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline
  behavioral1/memory/1440-63-0x0000000004D40000-0x0000000004D7E000-memory.dmp  family_redline

Redline family

Executes dropped EXE (3 IoCs)
  PID   Process
  2644  un359865.exe
  1544  pro5250.exe
  1440  qu9267.exe
Windows security modification
  Process      Description      IoC
  pro5250.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  pro5250.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process                                                                IoC
  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  un359865.exe                                                           Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Program crash (1 IoCs)
  PID   Target PID  Process       Target process
  3240  1544        WerFault.exe  pro5250.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process                                                                Description  IoC
  pro5250.exe                                                            Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  qu9267.exe                                                             Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  un359865.exe                                                           Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  1544  pro5250.exe
  1544  pro5250.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1544  pro5250.exe
  Token: SeDebugPrivilege  1440  qu9267.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                        PID   Process                                                                Target process
  PID 1652 wrote to memory of 2644   1652  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe  un359865.exe
  PID 1652 wrote to memory of 2644   1652  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe  un359865.exe
  PID 1652 wrote to memory of 2644   1652  57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe  un359865.exe
  PID 2644 wrote to memory of 1544   2644  un359865.exe                                                           pro5250.exe
  PID 2644 wrote to memory of 1544   2644  un359865.exe                                                           pro5250.exe
  PID 2644 wrote to memory of 1544   2644  un359865.exe                                                           pro5250.exe
  PID 2644 wrote to memory of 1440   2644  un359865.exe                                                           qu9267.exe
  PID 2644 wrote to memory of 1440   2644  un359865.exe                                                           qu9267.exe
  PID 2644 wrote to memory of 1440   2644  un359865.exe                                                           qu9267.exe
Processes

C:\Users\Admin\AppData\Local\Temp\57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe  (PID 1652)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57fced681c0accdb47c63bd6546c8da9c31422089d2f3c01576343fdc664e15e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un359865.exe  (PID 2644)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un359865.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5250.exe  (PID 1544)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5250.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 3240)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1104
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9267.exe  (PID 1440)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9267.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 3144)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1544 -ip 1544
Network
MITRE ATT&CK Enterprise v15

  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads

  Filesize:  527KB
  MD5:       becc13bde689b7e35bbc5c47f6f712b9
  SHA1:      5553876680ca424074eff5f8126f2cc7c8f0c030
  SHA256:    cdc5f7f2429194112c5700b89d93a1b7aa39ff3e90e346810871671aa31b24f3
  SHA512:    c7e178bc8782115a2da64bd79453066182bfcd47a38f5f70415c470202cb21c3be15a718b37168b3d90db82688fc8ee27b65c671a9b4a3af7696c24747d906e8

  Filesize:  270KB
  MD5:       be97f84fb096f4a24797b2c1372c67c3
  SHA1:      f1e40067a9b17cceb8c67beeb89c1a0eda250087
  SHA256:    aae21f26f7b7a98a1c8455a673f183aafe559e686457a2ec38993570dffa6cad
  SHA512:    c0b7bb7e3852ac5bb7e0a93f2f2193429ddea1d244e89cc585d386d2bd34ceb97a51e8e0f4ffec226a8845a966b40e68b33e9157691d5eb9c8f428d63c43418b

  Filesize:  327KB
  MD5:       793d125241931cbf17a61a0ff1243509
  SHA1:      e162caf67925e75ddcb0450de26a9a52c599d4c1
  SHA256:    4273dc405fbd9eca19b251b300809ab60cd3c49e2369a93784ec9567cf289f28
  SHA512:    6003425438a2f381433a243763e8c380d9889030e7088a2e4c90daee4db785264de71124e2105a6fa775ab7bdca5087af5203633ef153fd8ca4c66617af25d10