Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:07
Static task: static1
Behavioral task: behavioral1
Sample: 3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe
Resource: win10v2004-20241007-en
General
Target: 3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe
Size: 663KB
MD5: c512fa37548a3e8f41cc71e1f33c07e9
SHA1: 3ac6b6a27db70200decb2ae90c4d72be9fa2dffb
SHA256: 3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f
SHA512: 8b0c4053b896a394b181d8548e76c81f2c2ce13fc25599ee37f4050495784556a1ab69eae9080a2b3f2ebd030db5bbd9d97fa49083f744214ead3dd2383126c5
SSDEEP: 12288:yMr3y90mOkiF6febnCldjdLHAVLh8N45eiO44XzWKzB5HMQ:hyROkiF6febCHjdrAVV1Min4SKdRMQ
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1176-19-0x0000000002280000-0x000000000229A000-memory.dmp  healer
behavioral1/memory/1176-21-0x0000000002510000-0x0000000002528000-memory.dmp  healer
behavioral1/memory/1176-49-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-48-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-45-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-43-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-41-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-39-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-37-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-35-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-33-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-31-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-30-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-27-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-26-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-23-0x0000000002510000-0x0000000002522000-memory.dmp  healer
behavioral1/memory/1176-22-0x0000000002510000-0x0000000002522000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes:
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro3917.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro3917.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro3917.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro3917.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro3917.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro3917.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2236-61-0x00000000022D0000-0x0000000002316000-memory.dmp  family_redline
behavioral1/memory/2236-62-0x00000000025D0000-0x0000000002614000-memory.dmp  family_redline
behavioral1/memory/2236-74-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-88-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-96-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-94-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-92-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-86-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-84-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-82-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-80-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-78-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-76-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-72-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-70-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-69-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-90-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-66-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-64-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
behavioral1/memory/2236-63-0x00000000025D0000-0x000000000260F000-memory.dmp  family_redline
Redline family

Executes dropped EXE 3 IoCs
Processes:
pid  Process
2060  un165662.exe
1176  pro3917.exe
2236  qu6112.exe
Windows security modification 2 IoCs
Processes:
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro3917.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro3917.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un165662.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe
Program crash 1 IoCs
Processes:
pid  pid_target  Process  procid_target
3396  1176  WerFault.exe  86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un165662.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro3917.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu6112.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid  Process
1176  pro3917.exe
1176  pro3917.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  Process
Token: SeDebugPrivilege  1176  pro3917.exe
Token: SeDebugPrivilege  2236  qu6112.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description  pid  Process  procid_target
PID 3352 wrote to memory of 2060  3352  3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe  85
PID 3352 wrote to memory of 2060  3352  3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe  85
PID 3352 wrote to memory of 2060  3352  3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe  85
PID 2060 wrote to memory of 1176  2060  un165662.exe  86
PID 2060 wrote to memory of 1176  2060  un165662.exe  86
PID 2060 wrote to memory of 1176  2060  un165662.exe  86
PID 2060 wrote to memory of 2236  2060  un165662.exe  100
PID 2060 wrote to memory of 2236  2060  un165662.exe  100
PID 2060 wrote to memory of 2236  2060  un165662.exe  100
Processes

C:\Users\Admin\AppData\Local\Temp\3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3f10f5019689997f580898df1797f3518339dbf926e3c55a4863993af639b17f.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3352

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165662.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un165662.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2060

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3917.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3917.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1176

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1080
        - Program crash
        PID: 3396

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6112.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6112.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2236

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1176 -ip 1176
  PID: 1164
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads

Filesize: 521KB
MD5: c0596d742e89f69c7141b5d79ffc2aff
SHA1: da5a0cf0c94477e6142c60ade6f0649eab5926bd
SHA256: 933db3c3428cd2cd7ff057b0de61af84aaf67c69aed03bab939657d1a843437d
SHA512: ca564a1482ad281f77cce8a52dda413b1458f7ce892ab03e295ea630e4871465e94ede5d3383f7465674305ff702390757a954ddc341bd9e07bc9997474e8385

Filesize: 236KB
MD5: 9bbe81c5340368ffb884828a32c65a5f
SHA1: 1826bfa728d8e8ef482430a7f331fa63a6f73701
SHA256: 011df03e50fcd5f5b83f128db18bd86b6cd28407b3249d345bb85693209cff8d
SHA512: b60ff33038edad508ba33b2b2fc4e618a17738225c69eeaf85558d404c668cf06a3bc9947db2fa39523b6e896ec9503c8b50add4ddc076e494017fab0db3912a

Filesize: 294KB
MD5: aea5b4e4999a590494c5e0a21468a5a0
SHA1: 5577692ff70b7e8703f9011bd6f0f8baed4c0f63
SHA256: 84a82b69319c84d5c948660fe10d5d4298f7888700654fdbb5abe2f69ea1f0b1
SHA512: 46a72cd7ff178212a9fb96d4b7f8c78fbe177b161b3e1510f199eec132982b9ef2c7b029728c684bb4c73ccdf51b3e4209d3b26680a20864956fdf744f70e68a