Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:06

Static task: static1
Behavioral task: behavioral1
Sample: 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe
Resource: win10v2004-20241007-en
General

Target: 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe
Size: 658KB
MD5: d00840173e62166070a2dade1a8da508
SHA1: 03415e4629bb9aadcfded8cd34c8933bf9a060b6
SHA256: 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07
SHA512: 128c54092ed5ee60a705d4c09ef15c1303e0a8b3a8af8139e57272f864ad499fc3c5611b4da58f4b9eaaad3ba328e5f63ad8b6518c8be8199ac3c4bbd5e65a66
SSDEEP: 12288:+Mryy90gN6zscJ3az0ssIz73oFtw551T+4ISzl4rPnf:IyJNcJ3o0gz7YyZXrz4
Malware Config

Extracted
Family: redline
Botnet ID: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes: pro8189.exe (PID 4412)
resource  yara_rule
behavioral1/memory/4412-18-0x0000000004920000-0x000000000493A000-memory.dmp  healer
behavioral1/memory/4412-20-0x0000000004CB0000-0x0000000004CC8000-memory.dmp  healer
behavioral1/memory/4412-38-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-46-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-45-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-42-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-41-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-36-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-34-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-32-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-30-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-28-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-26-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-24-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-22-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
behavioral1/memory/4412-21-0x0000000004CB0000-0x0000000004CC2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: pro8189.exe
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro8189.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro8189.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro8189.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro8189.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro8189.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro8189.exe
Note: all five values sit under the Group Policy path HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (recorded here through the WOW6432Node view because pro8189.exe is a 32-bit process; its crash is handled by the SysWOW64 WerFault.exe below). Set to 1 they turn off real-time monitoring, behaviour monitoring, scanning of downloaded files and attachments (IOAV), on-access scanning and the scan that normally runs when real-time protection is re-enabled.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
Processes: qu0724.exe (PID 1512)
resource  yara_rule
behavioral1/memory/1512-60-0x0000000002E90000-0x0000000002ED6000-memory.dmp  family_redline
behavioral1/memory/1512-61-0x0000000004B50000-0x0000000004B94000-memory.dmp  family_redline
behavioral1/memory/1512-79-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-62-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-95-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-93-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-91-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-89-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-87-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-85-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-83-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-81-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-77-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-75-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-73-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-71-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-69-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-67-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-65-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
behavioral1/memory/1512-63-0x0000000004B50000-0x0000000004B8F000-memory.dmp  family_redline
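The memory-dump IoC counts in the Healer and RedLine tables above (17 and 20) overstate how many distinct memory regions the YARA rules actually matched: most entries are repeated snapshots of the same range. The script below is an added example, not part of the sandbox report or of any sandbox product: it parses IoC names of the form behavioral1/memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp <rule>, groups them per rule and PID into distinct ranges with hit counts, and merges overlapping ranges into allocations. The sample input is a subset of the two tables copied verbatim; the "resource rule" line layout and all function names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Sample input: a subset of the Healer and RedLine memory-dump IoCs from this
# report, one "resource rule" pair per line (line layout constructed for the example).
SAMPLE_HITS = """
behavioral1/memory/4412-18-0x0000000004920000-0x000000000493A000-memory.dmp healer
behavioral1/memory/4412-20-0x0000000004CB0000-0x0000000004CC8000-memory.dmp healer
behavioral1/memory/4412-38-0x0000000004CB0000-0x0000000004CC2000-memory.dmp healer
behavioral1/memory/4412-48-0x0000000004CB0000-0x0000000004CC2000-memory.dmp healer
behavioral1/memory/4412-21-0x0000000004CB0000-0x0000000004CC2000-memory.dmp healer
behavioral1/memory/1512-60-0x0000000002E90000-0x0000000002ED6000-memory.dmp family_redline
behavioral1/memory/1512-61-0x0000000004B50000-0x0000000004B94000-memory.dmp family_redline
behavioral1/memory/1512-79-0x0000000004B50000-0x0000000004B8F000-memory.dmp family_redline
behavioral1/memory/1512-62-0x0000000004B50000-0x0000000004B8F000-memory.dmp family_redline
behavioral1/memory/1512-63-0x0000000004B50000-0x0000000004B8F000-memory.dmp family_redline
"""

# <pid>-<seq>-0x<base>-0x<end>-memory.dmp followed by the matching YARA rule name.
HIT_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)


def parse_hits(text):
    """Turn IoC lines into dicts with integer pid/seq and integer base/end addresses."""
    return [
        {
            "pid": int(m["pid"]),
            "seq": int(m["seq"]),
            "base": int(m["base"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        }
        for m in HIT_RE.finditer(text)
    ]


def region_summary(hits):
    """Per (rule, pid): the distinct (base, end) ranges, sorted, with size and hit count."""
    counts = defaultdict(lambda: defaultdict(int))
    for h in hits:
        counts[(h["rule"], h["pid"])][(h["base"], h["end"])] += 1
    return {
        key: [
            {"base": b, "end": e, "size": e - b, "hits": n}
            for (b, e), n in sorted(regs.items())
        ]
        for key, regs in counts.items()
    }


def merge_ranges(ranges):
    """Merge overlapping or touching (base, end) ranges into covering ranges."""
    merged = []
    for base, end in sorted(ranges):
        if merged and base <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((base, end))
    return merged


def allocations(hits):
    """Per (rule, pid): the distinct allocations the rule matched, after merging overlaps."""
    return {
        key: merge_ranges([(r["base"], r["end"]) for r in regs])
        for key, regs in region_summary(hits).items()
    }


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS)
    summary = region_summary(hits)
    for (rule, pid), regs in sorted(summary.items()):
        total = sum(r["hits"] for r in regs)
        print(f"{rule} in pid {pid}: {total} hits, {len(regs)} distinct ranges, "
              f"{len(allocations(hits)[(rule, pid)])} allocations")
        for r in regs:
            print(f"  0x{r['base']:08X}-0x{r['end']:08X}  {r['size']:6d} bytes  x{r['hits']}")
```

For both processes the merge step reduces the table to two allocations: for pro8189.exe (PID 4412) the Healer rule matched 0x4920000-0x493A000 once and the 0x4CB0000 allocation in every later snapshot, and for qu0724.exe (PID 1512) the RedLine rule matched 0x2E90000-0x2ED6000 once and the 0x4B50000 allocation repeatedly. Those four ranges are the ones worth dumping from the sandbox and scanning offline.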
Redline family
-
Executes dropped EXE (3 IoCs)
Processes: un318822.exe, pro8189.exe, qu0724.exe
pid  Process
2044  un318822.exe
4412  pro8189.exe
1512  qu0724.exe
Windows security modification
Processes: pro8189.exe
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro8189.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro8189.exe
Note: the TamperProtection value targets the feature that would otherwise reject the Real-Time Protection policy writes above. On a host where Tamper Protection is enabled, direct registry writes to that value are themselves blocked, so success in this sandbox image does not show that the technique works against a hardened host.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe, un318822.exe
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un318822.exe
Note: both values are the standard cleanup entries written by the Windows WExtract (IExpress) self-extractor. At the next logon RunOnce calls DelNodeRunDLL32 in advpack.dll to delete the IXP00n.TMP extraction directory and the entry removes itself. They show that the sample is a two-layer self-extracting wrapper (IXP000.TMP, then IXP001.TMP written by un318822.exe); they do not give the payload persistence.
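The registry tables above mix three very different things: Defender real-time switches forced to 1, Tamper Protection forced to 0, and RunOnce entries that only delete a temp directory. The script below is an added example, not part of the sandbox report and not a detection from any product; it applies the triage an analyst would do by hand to event lines in the layout of these tables (description, path with optional = "data", writing process). Defender switches set to 1 and TamperProtection set to 0 are flagged high, a RunOnce wextract_cleanupN value whose data calls advpack.dll DelNodeRunDLL32 is labelled self-extractor cleanup, and any other Run/RunOnce value is a generic autorun. The single-line event format, the verdict names and the function names are the example's own assumptions; the paths, data and process names are the report's.

```python
import re
from collections import Counter

# Sample input: the registry events of this report, one per line, in the column
# order of the signature tables (description, path [= "data"], process). The
# single-line layout is constructed for the example; the content is the report's.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro8189.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro8189.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro8189.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro8189.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro8189.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro8189.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro8189.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro8189.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe
'''

# description, then the registry path, optionally ' = "data"', then the process name.
# The path is matched lazily because key names contain spaces ("Windows Defender").
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<proc>\S+)$'
)

# Real-time protection policy values this sample sets to 1 (names from the report).
DEFENDER_RT_SWITCHES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}


def normalize_path(path):
    """Drop the WOW6432Node component so 32-bit and 64-bit writers match the same rule."""
    return path.replace("\\WOW6432Node", "")


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path = normalize_path(m["path"])
    key, _, name = path.rpartition("\\")  # parent key and last component (value name)
    return {"op": m["op"], "key": key, "name": name, "data": m["data"], "proc": m["proc"]}


def parse_events(text):
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e is not None]


def classify(ev):
    """Return (verdict, severity) for one registry event."""
    if ev["op"] == "Key created":
        return ("key_created", "info")
    key, name, data = ev["key"], ev["name"], ev["data"] or ""
    if (key.endswith(r"\Windows Defender\Real-Time Protection")
            and name in DEFENDER_RT_SWITCHES and data == "1"):
        return ("defender_realtime_disabled", "high")
    if key.endswith(r"\Windows Defender\Features") and name == "TamperProtection" and data == "0":
        return ("defender_tamper_protection_off", "high")
    if key.endswith((r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")):
        # WExtract cleanup: RunOnce entry that only deletes the IXP temp directory.
        if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in data:
            return ("wextract_sfx_cleanup", "info")
        return ("autorun_value", "medium")
    return ("unclassified", "info")


def analyze(text):
    findings = []
    for ev in parse_events(text):
        verdict, severity = classify(ev)
        findings.append({"proc": ev["proc"], "name": ev["name"],
                         "verdict": verdict, "severity": severity})
    return findings


def summarize(findings):
    """Verdict -> number of events."""
    return dict(Counter(f["verdict"] for f in findings))


def high_severity_processes(findings):
    return {f["proc"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['severity']:<6} {f['verdict']:<32} {f['name']:<28} {f['proc']}")
    print(summarize(results), high_severity_processes(results))
```

Run on the report's events this attributes all six high-severity writes to pro8189.exe and leaves the RunOnce entry at informational level, which matches the process tree: pro8189.exe is the Healer component and the outer executables are only the self-extracting wrappers.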
Program crash (1 IoC)
Processes: WerFault.exe
pid  pid_target  Process  procid_target
4372  4412 (pro8189.exe)  WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe, un318822.exe, pro8189.exe, qu0724.exe
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un318822.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro8189.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu0724.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pro8189.exe
pid  Process
4412  pro8189.exe
4412  pro8189.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pro8189.exe, qu0724.exe
description  pid  Process
Token: SeDebugPrivilege  4412  pro8189.exe
Token: SeDebugPrivilege  1512  qu0724.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe, un318822.exe
description  pid  Process  procid_target
PID 1620 wrote to memory of 2044  1620  591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe  83
PID 1620 wrote to memory of 2044  1620  591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe  83
PID 1620 wrote to memory of 2044  1620  591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe  83
PID 2044 wrote to memory of 4412  2044  un318822.exe  84
PID 2044 wrote to memory of 4412  2044  un318822.exe  84
PID 2044 wrote to memory of 4412  2044  un318822.exe  84
PID 2044 wrote to memory of 1512  2044  un318822.exe  101
PID 2044 wrote to memory of 1512  2044  un318822.exe  101
PID 2044 wrote to memory of 1512  2044  un318822.exe  101
Note: every target (2044, 4412, 1512) is the writer's own direct child in the process tree below; no write to an unrelated process was recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\591479031d13a53792c96d864ef7e79ff2fe5f6273bc50fdcce17a705ac6df07.exe"
  PID: 1620
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un318822.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un318822.exe
    PID: 2044
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8189.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8189.exe
      PID: 4412
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1084
        PID: 4372
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0724.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0724.exe
      PID: 1512
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4412 -ip 4412
  PID: 4696
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 516KB
MD5: 58e923d7802e6c16e5e9ea4b4747057e
SHA1: b80a14b99707896090a2bdeb43e858f7c2f093c1
SHA256: 83f90268d9fc74be205e837abc737cc0058d226611ba5ceddfffef2084e60ec5
SHA512: a41be6d1cd163d022e74ac4a949275e332ece84d46594c59aa2a890e7557996f7e592c6b53183157bf8b0826386f2657a008ba36d0314b8272a66878e0be26b4

Filesize: 284KB
MD5: d29346d844ac465b7e45445736ab86a2
SHA1: 06a67c64c7ee08f4fa37759ea46049629f07b44a
SHA256: 86f1fd7e79e9a7197cdd9a386cb96615cacedd218d5ac36b391a846e7800b03a
SHA512: 1a665236e46e7dd0cc9881960337b3850329a2c3bddbe81a3fe309283aad5867b66cd7c86e2f18e768d910c8f23d53f273ad61e419db2417d05435457c1085cc

Filesize: 342KB
MD5: e99e41c04374cbcf8973e947fd089fb9
SHA1: 717516ce753e1fe178d0b382b218ec1b5e0fc8e0
SHA256: 8baae8e06590f196ac6aa72df63474b94586df6dcc216a8493dbc96209ceb7a5
SHA512: 8b746e10920d657b9dbf80adad103091d2421143095b24ca46c9386e68f0428f8be8d3545763f67684534d1a5e845d373e50910d0cbada14550582dc7dee1f91