Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:05
Static task: static1
Behavioral task: behavioral1
Sample: 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe
Resource: win10v2004-20241007-en
General
Target: 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe
Size: 1.1MB
MD5: cbf0f7e1abb1774e3ddacfa3ab782fba
SHA1: 6bb3a16d80c7999080779ab18e61e7024929c429
SHA256: 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75
SHA512: 08d7a631802522d6db6f00b1f74dc1b0e9b234645254d09e819d7d6bd54dae8ef89d5bcf2ca26b86a1ff7a186fcd4a973cb60986e170b02c4f059595b93ea208
SSDEEP: 24576:qyuHHMfAgQX2h6d8Fx/EU3pkKxwfl0GXgbbyXb:xunMhhQ4twfqby
Malware Config
Extracted family: redline
Botnet: down
C2: 193.233.20.31:4125
auth_value: 12c31a90c72f5efae8c053a0bd339381
Signatures
Detects Healer, an antivirus disabler dropper (19 IoCs)
Resource / yara_rule:
- behavioral1/files/0x000b000000023b9b-27.dat: healer
- behavioral1/memory/3424-28-0x00000000008F0000-0x00000000008FA000-memory.dmp: healer
- behavioral1/memory/2304-34-0x0000000002620000-0x000000000263A000-memory.dmp: healer
- behavioral1/memory/2304-36-0x00000000026B0000-0x00000000026C8000-memory.dmp: healer
- behavioral1/memory/2304-64-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-62-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-60-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-58-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-52-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-50-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-48-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-46-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-44-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-56-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-42-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-54-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-40-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-38-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
- behavioral1/memory/2304-37-0x00000000026B0000-0x00000000026C2000-memory.dmp: healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes: tz7184.exe, v2301sO.exe
Description / IoC / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (tz7184.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (tz7184.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (tz7184.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (v2301sO.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (v2301sO.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (tz7184.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (tz7184.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (tz7184.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (v2301sO.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (v2301sO.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (v2301sO.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (v2301sO.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Resource / yara_rule:
- behavioral1/memory/4504-72-0x0000000002870000-0x00000000028B6000-memory.dmp: family_redline
- behavioral1/memory/4504-73-0x0000000005320000-0x0000000005364000-memory.dmp: family_redline
- behavioral1/memory/4504-81-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-85-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-107-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-105-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-103-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-101-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-97-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-95-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-93-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-92-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-87-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-83-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-99-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-89-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-79-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-77-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-75-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
- behavioral1/memory/4504-74-0x0000000005320000-0x000000000535E000-memory.dmp: family_redline
Redline family
Executes dropped EXE (6 IoCs)
Processes: zap4004.exe, zap4937.exe, zap3337.exe, tz7184.exe, v2301sO.exe, w19Tj47.exe
PID / Process:
- 840 zap4004.exe
- 4260 zap4937.exe
- 2180 zap3337.exe
- 3424 tz7184.exe
- 2304 v2301sO.exe
- 4504 w19Tj47.exe
Windows security modification
Processes: tz7184.exe, v2301sO.exe
Description / IoC / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (tz7184.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (v2301sO.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (v2301sO.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe, zap4004.exe, zap4937.exe, zap3337.exe
Description / IoC / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (zap4004.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (zap4937.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (zap3337.exe)
Program crash (1 IoC)
Processes: WerFault.exe
PID / pid_target / Process / procid_target:
- 4564 / 2304 / WerFault.exe / 96
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: w19Tj47.exe, 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe, zap4004.exe, zap4937.exe, zap3337.exe, v2301sO.exe
Description / IoC / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (w19Tj47.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zap4004.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zap4937.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zap3337.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (v2301sO.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: tz7184.exe, v2301sO.exe
PID / Process:
- 3424 tz7184.exe
- 3424 tz7184.exe
- 2304 v2301sO.exe
- 2304 v2301sO.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: tz7184.exe, v2301sO.exe, w19Tj47.exe
Description / PID / Process:
- Token: SeDebugPrivilege 3424 tz7184.exe
- Token: SeDebugPrivilege 2304 v2301sO.exe
- Token: SeDebugPrivilege 4504 w19Tj47.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe, zap4004.exe, zap4937.exe, zap3337.exe
Description / PID / Process / procid_target:
- PID 4528 wrote to memory of 840 (4528 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe, procid_target 83)
- PID 4528 wrote to memory of 840 (4528 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe, procid_target 83)
- PID 4528 wrote to memory of 840 (4528 261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe, procid_target 83)
- PID 840 wrote to memory of 4260 (840 zap4004.exe, procid_target 84)
- PID 840 wrote to memory of 4260 (840 zap4004.exe, procid_target 84)
- PID 840 wrote to memory of 4260 (840 zap4004.exe, procid_target 84)
- PID 4260 wrote to memory of 2180 (4260 zap4937.exe, procid_target 86)
- PID 4260 wrote to memory of 2180 (4260 zap4937.exe, procid_target 86)
- PID 4260 wrote to memory of 2180 (4260 zap4937.exe, procid_target 86)
- PID 2180 wrote to memory of 3424 (2180 zap3337.exe, procid_target 87)
- PID 2180 wrote to memory of 3424 (2180 zap3337.exe, procid_target 87)
- PID 2180 wrote to memory of 2304 (2180 zap3337.exe, procid_target 96)
- PID 2180 wrote to memory of 2304 (2180 zap3337.exe, procid_target 96)
- PID 2180 wrote to memory of 2304 (2180 zap3337.exe, procid_target 96)
- PID 4260 wrote to memory of 4504 (4260 zap4937.exe, procid_target 103)
- PID 4260 wrote to memory of 4504 (4260 zap4937.exe, procid_target 103)
- PID 4260 wrote to memory of 4504 (4260 zap4937.exe, procid_target 103)
Processes
- C:\Users\Admin\AppData\Local\Temp\261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\261f19bb7d5499b63b3755fa3fbbe9b08f356a10e518450096ec89df7ca91e75.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4528
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4004.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4004.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 840
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4937.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4937.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4260
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3337.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3337.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2180
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7184.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7184.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3424
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2301sO.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2301sO.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2304
          - C:\Windows\SysWOW64\WerFault.exe (depth 6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1080
            - Program crash
            PID: 4564
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w19Tj47.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w19Tj47.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 4504
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2304 -ip 2304
  PID: 5088
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads