Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:41
Static task: static1
Behavioral task: behavioral1
Sample: 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe
Resource: win10v2004-20241007-en
General
Target: 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe
Size: 658KB
MD5: d7d98d56cb30bdad71b648ed7f3f9831
SHA1: af3ff1a2d2e63c46684b35e63229f0b976b5b323
SHA256: 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec
SHA512: c0a3490738115a65cc2a1fb9bffef69aacd2702126d96a4f722c6bb7016ac12a22afa4b27a3f835f73002bc9c713df0b50a7f2d8fb7c100ca82aba9003c8a2cb
SSDEEP: 12288:vMrWy90xX6wzJNjGl5I+jxDO3sT4lDdfiJ2ZKGucCZ5o+EpZxx/WnseP:dy0qwFJu2sTudMh6oo+Epzxm
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes:
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 hits are memory regions of pid 4972 (pro6026.exe).
resource  yara_rule
behavioral1/memory/4972-18-0x0000000004780000-0x000000000479A000-memory.dmp  healer
behavioral1/memory/4972-20-0x0000000004BA0000-0x0000000004BB8000-memory.dmp  healer
behavioral1/memory/4972-22-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-41-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-46-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-44-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-42-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-38-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-36-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-34-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-48-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-32-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-30-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-28-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-26-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-24-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
behavioral1/memory/4972-21-0x0000000004BA0000-0x0000000004BB2000-memory.dmp  healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro6026.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro6026.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro6026.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro6026.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro6026.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro6026.exe
All six writes come from pro6026.exe (pid 4972), the process whose memory carries the Healer YARA hits. It is a 32-bit image (its crash is handled by the SysWOW64 WerFault.exe), and the sandbox recorded its writes under the WOW6432Node view of HKLM\SOFTWARE.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
All 20 hits are memory regions of pid 2576 (qu9864.exe).
resource  yara_rule
behavioral1/memory/2576-60-0x0000000004C40000-0x0000000004C86000-memory.dmp  family_redline
behavioral1/memory/2576-61-0x0000000007180000-0x00000000071C4000-memory.dmp  family_redline
behavioral1/memory/2576-89-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-95-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-93-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-91-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-87-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-85-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-83-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-81-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-80-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-77-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-75-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-73-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-71-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-69-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-67-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-65-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-63-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
behavioral1/memory/2576-62-0x0000000007180000-0x00000000071BF000-memory.dmp  family_redline
-
Redline family
-
Executes dropped EXE (3 IoCs)
pid  Process
4004  un404819.exe
4972  pro6026.exe
2576  qu9864.exe
-
Windows security modification (2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro6026.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro6026.exe
Caveat: on a host where Tamper Protection is enabled, a direct write of TamperProtection = 0 is exactly the kind of change the feature is designed to block or revert, and the policy writes above would not take effect either. The report does not state whether the sandbox image had Tamper Protection enabled, so the rows show intent, not proven effect.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un404819.exe
Both entries are the cleanup stubs that IExpress/wextract self-extracting packages write: at the next logon, advpack.dll's DelNodeRunDLL32 deletes the IXP000.TMP and IXP001.TMP extraction directories. They remove evidence rather than re-launch any of the dropped executables, so this signature does not indicate persistence of the Healer or RedLine payloads; it does confirm that the sample and un404819.exe are two nested wextract stages.
-
Program crash (1 IoC)
pid  pid_target  Process  procid_target
2376  4972  WerFault.exe  89
pro6026.exe (pid 4972) crashed and was handled by WerFault.exe (pid 2376).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un404819.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro6026.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu9864.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
4972  pro6026.exe
4972  pro6026.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4972  pro6026.exe
Token: SeDebugPrivilege  2576  qu9864.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 2788 wrote to memory of 4004  2788  0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe  88
PID 2788 wrote to memory of 4004  2788  0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe  88
PID 2788 wrote to memory of 4004  2788  0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe  88
PID 4004 wrote to memory of 4972  4004  un404819.exe  89
PID 4004 wrote to memory of 4972  4004  un404819.exe  89
PID 4004 wrote to memory of 4972  4004  un404819.exe  89
PID 4004 wrote to memory of 2576  4004  un404819.exe  101
PID 4004 wrote to memory of 2576  4004  un404819.exe  101
PID 4004 wrote to memory of 2576  4004  un404819.exe  101
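To turn the Defender and RunOnce registry rows above into something a responder can act on, here is an added Python example (editor's code, not part of the Triage report). It parses the rows exactly as the report prints them, maps each to the ATT&CK technique the editor considers applicable (T1562.001 for the Defender policy and Tamper Protection writes, T1547.001 for the RunOnce entry), distinguishes the wextract cleanup stub from real autostart persistence, and emits reg.exe cleanup commands for both registry views because the sandbox recorded the writes under WOW6432Node. The technique IDs, the remediation strings and the choice to leave Tamper Protection to the Windows Security/management channel rather than the registry are the editor's assumptions, not statements from the report.

```python
"""Classify this report's registry IoC rows against Windows Defender policy values.

Added example for this page (editor's code, not Triage's). ROWS is copied from the
report's signature tables; the ATT&CK mapping and reg.exe remediation are editor's
assumptions. /reg:32 and /reg:64 cover both registry views of HKLM\SOFTWARE.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the eight registry rows from the report, one per line.
ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6026.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6026.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6026.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6026.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro6026.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6026.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6026.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe
'''

HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}
RTP_POLICY = "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
DEFENDER_FEATURES = "SOFTWARE\\Microsoft\\Windows Defender\\Features"
RUNONCE = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
IMPAIR_DEFENSES = "T1562.001"   # Impair Defenses: Disable or Modify Tools (editor's mapping)
RUN_KEYS = "T1547.001"          # Boot or Logon Autostart Execution: Registry Run Keys (editor's mapping)


@dataclass
class RegEvent:
    op: str                 # "set" or "create"
    key: str                # HKLM\... with the WOW6432Node component removed
    name: Optional[str]     # value name; None for key creation
    data: Optional[str]     # value data as the report prints it
    process: str
    wow64: bool             # True when the report recorded the path under WOW6432Node


@dataclass
class Finding:
    event: RegEvent
    technique: str
    verdict: str
    remediation: List[str]  # reg.exe commands; empty where the registry is not the right lever


def parse_row(line: str) -> Optional[RegEvent]:
    """Parse one 'Set value' or 'Key created' row from a Triage registry table."""
    line = line.strip()
    if line.startswith("Set value"):
        left, right = line.split(' = "', 1)
        data, process = right.rsplit('" ', 1)   # data may contain escaped quotes; process is last
        path = left.split(" ", 3)[3]             # drop the 'Set value (type)' prefix
        key, name = path.rsplit("\\", 1)
        op = "set"
    elif line.startswith("Key created"):
        key, process = line[len("Key created "):].rsplit(" ", 1)
        name, data, op = None, None, "create"
    else:
        return None
    for raw, short in HIVES.items():
        if key.startswith(raw):
            key = short + key[len(raw):]
    wow64 = "\\WOW6432Node\\" in key
    key = key.replace("\\WOW6432Node", "")
    return RegEvent(op, key, name, data, process, wow64)


def _reg_delete(ev: RegEvent) -> List[str]:
    """Delete the offending value (or whole key) in every registry view it may live in."""
    target = f'reg delete "{ev.key}"' + (f" /v {ev.name}" if ev.name else "")
    views = ["/reg:32", "/reg:64"] if ev.wow64 else [""]
    return [f"{target} /f {v}".rstrip() for v in views]


def classify(ev: RegEvent) -> Optional[Finding]:
    if ev.key.endswith(RTP_POLICY):
        if ev.op == "create":
            return Finding(ev, IMPAIR_DEFENSES, "Defender real-time protection policy key created", _reg_delete(ev))
        if ev.name.startswith("Disable") and ev.data == "1":
            return Finding(ev, IMPAIR_DEFENSES, f"real-time protection component disabled by policy: {ev.name}", _reg_delete(ev))
    if ev.key.endswith(DEFENDER_FEATURES) and ev.name == "TamperProtection" and ev.data == "0":
        # Tamper Protection is re-enabled through Windows Security or the management
        # channel, not by rewriting this value, so no reg.exe command is emitted.
        return Finding(ev, IMPAIR_DEFENSES, "attempt to switch off Tamper Protection", [])
    if ev.key.endswith(RUNONCE) and ev.name:
        if "advpack.dll,DelNodeRunDLL32" in (ev.data or ""):
            verdict = "wextract cleanup stub (deletes the extraction directory at next logon), not payload persistence"
        else:
            verdict = "RunOnce autostart entry"
        return Finding(ev, RUN_KEYS, verdict, _reg_delete(ev))
    return None


def analyze(text: str) -> List[Finding]:
    events = [e for e in (parse_row(l) for l in text.splitlines()) if e]
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for f in analyze(ROWS):
        print(f"{f.technique}  {f.event.process:<12} {f.verdict}")
        for cmd in f.remediation:
            print("    " + cmd)
```

Run it as a script to print one line per finding followed by its cleanup commands. The deliberate asymmetry is the Tamper Protection row: every other finding gets a reg.exe command, that one gets none, because re-enabling Tamper Protection by editing the registry is the wrong tool even when it appears to work.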
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2788
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un404819.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un404819.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4004
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6026.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6026.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4972
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1016
        - Program crash
        PID: 2376
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9864.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9864.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2576
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
  PID: 4640
Two nested self-extracting stages: the submitted sample unpacks un404819.exe into IXP000.TMP, and un404819.exe unpacks pro6026.exe and qu9864.exe into IXP001.TMP. pro6026.exe (pid 4972) is the process carrying the Healer YARA hits and the Defender registry writes, and it crashed; qu9864.exe (pid 2576) is the process carrying the RedLine YARA hits.
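The tree above is what Triage renders. As an added example (editor's code, not Triage's), the following Python derives the same lineage from the flattened WriteProcessMemory, Executes dropped EXE and Program crash rows in the Signatures section: it collapses the three repeated write rows per child into one parent-child edge, names each pid from whichever table names it, and hangs the WerFault.exe report under the process it handled. The only assumption is the row layout shown on this page.

```python
"""Rebuild this report's process tree from its flattened signature rows.

Added example for this page (editor's code, not Triage's). The three inputs are
copied from the report's WriteProcessMemory, Executes dropped EXE and Program crash
tables; the tree is derived from them and nothing else about the sandbox is assumed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed input: the nine WriteProcessMemory rows (three per child process).
WRITE_ROWS = """
PID 2788 wrote to memory of 4004 2788 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe 88
PID 2788 wrote to memory of 4004 2788 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe 88
PID 2788 wrote to memory of 4004 2788 0fb43d40eb568c31ae212c8aab4d7eed757b02a80aa601251d198d723a57c3ec.exe 88
PID 4004 wrote to memory of 4972 4004 un404819.exe 89
PID 4004 wrote to memory of 4972 4004 un404819.exe 89
PID 4004 wrote to memory of 4972 4004 un404819.exe 89
PID 4004 wrote to memory of 2576 4004 un404819.exe 101
PID 4004 wrote to memory of 2576 4004 un404819.exe 101
PID 4004 wrote to memory of 2576 4004 un404819.exe 101
"""
DROPPED_ROW = "4004 un404819.exe 4972 pro6026.exe 2576 qu9864.exe"  # pid, Process pairs
CRASH_ROW = "2376 4972 WerFault.exe 89"  # pid, pid_target, Process, procid_target

# description column: "PID <src> wrote to memory of <dst>", then pid (= src), Process, procid_target
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


class ProcessTree:
    def __init__(self) -> None:
        self.names: Dict[int, str] = {}
        self.parent: Dict[int, int] = {}
        self.children: Dict[int, List[int]] = defaultdict(list)
        self.crashed: Dict[int, int] = {}  # crashed pid -> WerFault pid

    def link(self, parent: int, child: int) -> None:
        if child not in self.children[parent]:  # collapse the repeated rows to one edge
            self.children[parent].append(child)
            self.parent[child] = parent

    def roots(self) -> List[int]:
        return sorted(p for p in self.names if p not in self.parent)

    def lineage(self, pid: int) -> List[str]:
        """Image names from the root down to pid."""
        chain = []
        while pid in self.names:
            chain.append(self.names[pid])
            if pid not in self.parent:
                break
            pid = self.parent[pid]
        return chain[::-1]

    def render(self) -> str:
        lines: List[str] = []

        def walk(pid: int, depth: int) -> None:
            tag = f" [crashed, handled by WerFault pid {self.crashed[pid]}]" if pid in self.crashed else ""
            lines.append(f"{'  ' * depth}{pid} {self.names[pid]}{tag}")
            for child in self.children[pid]:
                walk(child, depth + 1)

        for root in self.roots():
            walk(root, 0)
        return "\n".join(lines)


def build_tree(write_rows: str = WRITE_ROWS, dropped_row: str = DROPPED_ROW,
               crash_row: str = CRASH_ROW) -> ProcessTree:
    tree = ProcessTree()
    toks = dropped_row.split()
    for pid, name in zip(toks[::2], toks[1::2]):
        tree.names[int(pid)] = name
    for m in WRITE_RE.finditer(write_rows):
        src, dst, name = int(m.group(1)), int(m.group(2)), m.group(3)
        tree.names.setdefault(src, name)
        tree.names.setdefault(dst, "?")  # a child stays unnamed unless a dropped-EXE row names it
        tree.link(src, dst)
    reporter, target, name, _procid = crash_row.split()
    tree.names[int(reporter)] = name
    tree.crashed[int(target)] = int(reporter)
    tree.link(int(target), int(reporter))  # show WerFault under the process it reported on
    return tree


if __name__ == "__main__":
    t = build_tree()
    print(t.render())
    print(" > ".join(t.lineage(2576)))
```

The root set is a useful sanity check on a report like this one: the only pid without a recorded parent should be the submitted sample, and any other root means a process was started through a path the WriteProcessMemory rows do not capture (here the second WerFault.exe, pid 4640, is exactly such a process and is deliberately not in the input).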
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads
-
Filesize: 516KB
MD5: c02e90cec8f1c73b9442a946969ace97
SHA1: 3e4f94da295f9d2b7af3c45e6037b9e1fee5a2dd
SHA256: ec1762ad906553dcc858f333f4c4b9c710d75f82291e51b6fee6b17d8f63cccc
SHA512: 59a234e8c201f4ab0cf070476a8e453c8436c70d47a789195b463466d7bf9a6ebd25cb7b66f0dcf82aacbfe692b941dc3bc481e7e6e650a4a06d7a776abd0d4c
-
Filesize: 295KB
MD5: db32ab9ef110c53124f69c344417c047
SHA1: fbda8e929ab683ec7ffccb631ff58f013b0f273b
SHA256: a0c3fc183d491798c59a5398c1f6eeeb11651e478238866b3cd2714a629068fe
SHA512: 5ceba55333a444a3bfdd4d67af81ab2c15e067dde7d8baf28f59a2e7742594076e6f3811c433616b12828aab2ba07f9fbf2a415cb451bc4d0a9aeef58ac2bb8c
-
Filesize: 354KB
MD5: 5063909815a652215011afff8e1a5eed
SHA1: 92998bacd2b37bd295e3b06c3d3de68c687a3098
SHA256: 7f376c442bf666a9f0609ad3aa5928cb87f3b1e89b00517ff5f6dbc42fdf8581
SHA512: 32041dadb0c071808fd61fbcc212d5dd33d4fa5963f0ddcd0c4a32b460556468cc5202db800d34da71a88db011427d25ab65aab2e1aed1c8499cd72fe127a95d