Analysis
Max time kernel: 145s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-11-2024 02:06

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe
Resource: win10v2004-20241007-en
General
Target: 4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe
Size: 658KB
MD5: 0806ab87ef8fe72c76e0f7ea4921eb7a
SHA1: af61a3b45950741abaf9b1402c7b6213454c1c86
SHA256: 4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a
SHA512: 40595c79549e3e2bb73d5d99c97daf8e80a2e900287701f6b68ba8f18d9461da1d3c26e7741baf27353eaa162017b9b5cd088eb3ed961264f670f945f9d8e5b2
SSDEEP: 12288:tMrky90ktYpGAetXBGF+8vFwo5d0sFlBCUfUGYUF0TU+EXZxhnwfR5:ZyxCGvtXK3YUFeU+EXzc3
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
Resource                                                                     YARA rule
behavioral1/memory/3516-18-0x0000000004AE0000-0x0000000004AFA000-memory.dmp  healer
behavioral1/memory/3516-20-0x0000000004BB0000-0x0000000004BC8000-memory.dmp  healer
behavioral1/memory/3516-21-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-48-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-46-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-45-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-43-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-40-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-39-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-36-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-34-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-32-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-30-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-28-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-26-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-24-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
behavioral1/memory/3516-22-0x0000000004BB0000-0x0000000004BC2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
Description      IoC                                                                                                                               Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   pro7565.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   pro7565.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro7565.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                  pro7565.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   pro7565.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       pro7565.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Processes:
Resource                                                                     YARA rule
behavioral1/memory/1868-60-0x0000000004A90000-0x0000000004AD6000-memory.dmp  family_redline
behavioral1/memory/1868-61-0x0000000007170000-0x00000000071B4000-memory.dmp  family_redline
behavioral1/memory/1868-89-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-71-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-95-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-93-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-91-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-87-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-85-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-83-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-81-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-79-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-77-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-75-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-73-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-69-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-67-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-65-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-63-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
behavioral1/memory/1868-62-0x0000000007170000-0x00000000071AF000-memory.dmp  family_redline
Redline family

Executes dropped EXE (3 IoCs)
Processes:
PID   Process
2104  un062475.exe
3516  pro7565.exe
1868  qu7963.exe
Windows security modification
Processes:
Description      IoC                                                                                          Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                  pro7565.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro7565.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Description      IoC                                                                                                                                                                                                Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un062475.exe
Program crash (1 IoC)
Processes:
PID   Target PID  Process       procid_target
5044  3516        WerFault.exe  84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Description  IoC                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un062475.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro7565.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu7963.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
PID   Process
3516  pro7565.exe
3516  pro7565.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Description               PID   Process
Token: SeDebugPrivilege   3516  pro7565.exe
Token: SeDebugPrivilege   1868  qu7963.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
Description                        PID   Process                                                                 procid_target
PID 2432 wrote to memory of 2104   2432  4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe  83
PID 2432 wrote to memory of 2104   2432  4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe  83
PID 2432 wrote to memory of 2104   2432  4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe  83
PID 2104 wrote to memory of 3516   2104  un062475.exe                                                            84
PID 2104 wrote to memory of 3516   2104  un062475.exe                                                            84
PID 2104 wrote to memory of 3516   2104  un062475.exe                                                            84
PID 2104 wrote to memory of 1868   2104  un062475.exe                                                            100
PID 2104 wrote to memory of 1868   2104  un062475.exe                                                            100
PID 2104 wrote to memory of 1868   2104  un062475.exe                                                            100
Processes (tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a78e64b94f87d106e2c34afba9f558fecc80355615a2f1606fabf446767710a.exe"
  PID: 2432
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un062475.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un062475.exe
    PID: 2104
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7565.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7565.exe
      PID: 3516
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1084
        PID: 5044
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7963.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7963.exe
      PID: 1868
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3516 -ip 3516
  PID: 2100
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads