Analysis
max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-11-2024 02:07
Static task
static1
Behavioral task
behavioral1
Sample
06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe
Resource
win10v2004-20241007-en
General
Target
06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe
Size
659KB
MD5
3be01d58c1838c5ff35b38742e317588
SHA1
1feabc87e2f7e59f62430abf1af43ab0b48d0f7d
SHA256
06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803
SHA512
566939c3ef6711d38993bf9fffa34cee8cdac1e84c18a74d37af937913e7793b9cea0fc65c697831e0eae8b5f6dbfd892b47537ee22d467e23d3deac69579cce
SSDEEP
12288:cMr0y90bkADc9NjiX2JUAx/kZSqpdIrB65y/PI5A6Gb:QyY2I2JlFqpSw5xA6+
Malware Config
Extracted
Family
redline
Botnet
rosn
C2
176.113.115.145:4125
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/324-27-0x00000000021B0000-0x00000000021CA000-memory.dmp | healer
behavioral1/memory/324-29-0x0000000002660000-0x0000000002678000-memory.dmp | healer
behavioral1/memory/324-42-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-58-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-56-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-54-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-52-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-50-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-48-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-46-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-44-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-40-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-38-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-36-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-34-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-32-0x0000000002660000-0x0000000002672000-memory.dmp | healer
behavioral1/memory/324-31-0x0000000002660000-0x0000000002672000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: pro6101.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6101.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6101.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6101.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6101.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6101.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6101.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (18 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4324-30-0x0000000002500000-0x0000000002546000-memory.dmp | family_redline
behavioral1/memory/4324-59-0x0000000005050000-0x0000000005094000-memory.dmp | family_redline
behavioral1/memory/4324-60-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-75-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-71-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-69-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-67-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-65-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-63-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-61-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-73-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-89-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-87-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-85-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-83-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-81-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-79-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
behavioral1/memory/4324-77-0x0000000005050000-0x000000000508F000-memory.dmp | family_redline
Redline family

Executes dropped EXE (4 IoCs)
Processes: un412707.exe, pro6101.exe, pro6101.exe, qu6798.exe
pid | Process
1424 | un412707.exe
2244 | pro6101.exe
324 | pro6101.exe
4324 | qu6798.exe

Windows security modification (2 IoCs)
Processes: pro6101.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro6101.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6101.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe, un412707.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un412707.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: pro6101.exe
description | pid | Process | procid_target
PID 2244 set thread context of 324 | 2244 | pro6101.exe | 88
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | Process
3392 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: pro6101.exe, pro6101.exe, qu6798.exe, 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe, un412707.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro6101.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro6101.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu6798.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un412707.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pro6101.exe
pid | Process
324 | pro6101.exe
324 | pro6101.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pro6101.exe, qu6798.exe
description | pid | Process
Token: SeDebugPrivilege | 324 | pro6101.exe
Token: SeDebugPrivilege | 4324 | qu6798.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe, un412707.exe, pro6101.exe
description | pid | Process | procid_target
PID 4816 wrote to memory of 1424 | 4816 | 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe | 83
PID 4816 wrote to memory of 1424 | 4816 | 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe | 83
PID 4816 wrote to memory of 1424 | 4816 | 06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe | 83
PID 1424 wrote to memory of 2244 | 1424 | un412707.exe | 84
PID 1424 wrote to memory of 2244 | 1424 | un412707.exe | 84
PID 1424 wrote to memory of 2244 | 1424 | un412707.exe | 84
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 2244 wrote to memory of 324 | 2244 | pro6101.exe | 88
PID 1424 wrote to memory of 4324 | 1424 | un412707.exe | 89
PID 1424 wrote to memory of 4324 | 1424 | un412707.exe | 89
PID 1424 wrote to memory of 4324 | 1424 | un412707.exe | 89
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06219e8183bfcaa25bbeb6de8544763285c605dc502ff28c4b41009d24095803.exe"
  PID: 4816
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412707.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un412707.exe
    PID: 1424
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6101.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6101.exe
      PID: 2244
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6101.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6101.exe
        PID: 324
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6798.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6798.exe
      PID: 4324
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 3392
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize
517KB
MD5
c58968c9a5254081840fac2d7ffffea6
SHA1
aa1ab68c1c7df667c0b8f8e693846022c375c326
SHA256
36b292c744bc361d11f91362312e4d7903a4c7b4c6c1ed0bbfabea1aaa215ad6
SHA512
e9bf452e2a4705234d38f26acae52747a43884d685bae8cf342fd1ea7ae881232f90912a2311b4a953dcac38de08dc50adf76fdd805afb04ae3781fdc6feb322

Filesize
237KB
MD5
5333929790fdb6f6e2a00c1d66572c07
SHA1
2a7fc57e4edc4e75fbcdf3757ef73ec82365468f
SHA256
f22f30336db88137094b2548451621251db50d7cd3346aeb1453a6bdcbb865ff
SHA512
c810d1c5243de71cfdd0e28fae4738e22728de632dc005144546a390ae048f771ea331866fca7c3d8b51e4aa6671670b3e5a88eb9e4a2f05093c4ce748c9064b

Filesize
294KB
MD5
6024a3c732d162297e80b4bdce9100ef
SHA1
31b3d9b4ff770a4b1e333af7e83f738f70bb311d
SHA256
ec5ed2e9656b02f3ac1f15087a0c65623f6f7cdc626a6efc4e65c0bc0fee9255
SHA512
713de9acd4a98a0020d22aaa618b32d6427ed1009562cf944993730aad40764276af4a3b70d34b9e09990bcbd634f7f8b03361b308575484dad786d6551ed284