Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
10/11/2024, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe
Resource
win10v2004-20241007-en
General
-
Target
7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe
-
Size
687KB
-
MD5
653836263f4cce6313704634ac9c11f4
-
SHA1
c76aba8d170b46ecf0a4382104c175dfd3b65e20
-
SHA256
7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef
-
SHA512
95f48aee87d62d85c6c93ee00ec74b55d8dc370d301aa20670b83f6c1818f546bf9e57d45ceb5fdb0fbcf761cac1012a99e079ffc0e3ee5de015f9456cef8e01
-
SSDEEP
12288:YMrOy90Ee4sKvlmFH/5SvDOkAtbMieBavwUyg9jtDpCs5LTVsgifKHL:Gyne4sKvAFfeOkAh21UnjVplv22L
Malware Config
Extracted
redline
boris
193.233.20.32:4125
-
auth_value
766b5bdf6dbefcf7ca223351952fc38f
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/2824-18-0x0000000004A20000-0x0000000004A3A000-memory.dmp | healer
behavioral1/memory/2824-20-0x0000000004D20000-0x0000000004D38000-memory.dmp | healer
behavioral1/memory/2824-22-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-48-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-46-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-44-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-43-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-40-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-38-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-36-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-34-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-32-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-30-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-28-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-26-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-24-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
behavioral1/memory/2824-21-0x0000000004D20000-0x0000000004D32000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro5193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro5193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro5193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro5193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro5193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro5193.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/2808-60-0x0000000004750000-0x0000000004796000-memory.dmp | family_redline
behavioral1/memory/2808-61-0x0000000007180000-0x00000000071C4000-memory.dmp | family_redline
behavioral1/memory/2808-91-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-95-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-93-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-89-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-87-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-85-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-83-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-81-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-79-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-75-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-73-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-71-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-69-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-77-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-67-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-65-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-63-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
behavioral1/memory/2808-62-0x0000000007180000-0x00000000071BF000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
3128 | un260456.exe
2824 | pro5193.exe
2808 | qu3215.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro5193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro5193.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un260456.exe
-
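The registry writes in the three signatures above are the ones a detection engineer would want to catch on a live host: pro5193.exe sets the Real-Time Protection Disable* policy values to 1 and TamperProtection to 0, and both the parent sample and un260456.exe write a wextract_cleanupN RunOnce value. The second kind deserves a caveat: a RunOnce value named wextract_cleanupN whose command is rundll32 advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP dir>" is the housekeeping entry of the WExtract/IExpress self-extractor (it deletes the extraction folder at next logon), so here it is evidence of two nested self-extracting packages rather than attacker persistence. The Python below is an added example, not part of this report or of the sandbox; it runs a small triage over hand-constructed value-set records modelled on the IoC lines above (the field names, severities and rule names are this example's own), normalises the WOW6432Node view so one rule covers 32-bit and 64-bit writers, and classifies the SFX cleanup entries separately from genuine autorun entries.

```python
"""Triage registry value-set events for the Defender-tampering and RunOnce IoCs
listed in this report.

Added example (not part of the sandbox report or of any tool it names). The
records in EVENTS are constructed by hand from the report's IoC lines, in the
shape of a Sysmon Event ID 13 (RegistryEvent: value set); the field names
pid/image/key/value/data, the severities and the rule names are this
example's own convention.
"""
import re

RTP_KEY = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"Microsoft\Windows Defender\Features"

# Constructed from the report's IoC lines (plus one benign control at the end).
EVENTS = [
    {"pid": 2824, "image": "pro5193.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"pid": 2824, "image": "pro5193.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableIOAVProtection", "data": 1},
    {"pid": 2824, "image": "pro5193.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features",
     "value": "TamperProtection", "data": 0},
    {"pid": 3128, "image": "un260456.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "wextract_cleanup1",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    # Constructed benign control: re-enabling real-time monitoring (data 0) must not fire.
    {"pid": 900, "image": "gpupdate.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 0},
]


def normalize_key(key: str) -> str:
    """Map the native object path (REGISTRY, MACHINE) and the WOW64 view onto one
    HKLM form. pro5193.exe is a 32-bit process (its crash is handled by the
    SysWOW64 WerFault.exe), so the sandbox records its writes under WOW6432Node;
    a rule that only knows the 64-bit path would miss them."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.IGNORECASE)
    return re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.IGNORECASE)


def classify(ev: dict):
    """Return (severity, rule_name) for a value-set record, or None if benign."""
    key = normalize_key(ev["key"]).lower()
    value, data = ev["value"], ev["data"]
    if key.endswith(RTP_KEY.lower()) and value.lower().startswith("disable") and data == 1:
        return ("high", "defender_realtime_protection_disabled")
    if key.endswith(FEATURES_KEY.lower()) and value.lower() == "tamperprotection" and data == 0:
        return ("high", "defender_tamper_protection_off")
    leaf = key.rsplit("\\", 1)[-1]
    if leaf in ("run", "runonce"):
        if (re.fullmatch(r"wextract_cleanup\d+", value.lower())
                and "advpack.dll,delnoderundll32" in str(data).lower()):
            # WExtract/IExpress self-extractor housekeeping: the entry only deletes the
            # IXPnnn.TMP folder. Record it (it proves an SFX wrapper was used) but do
            # not score it as attacker persistence.
            return ("info", "sfx_cleanup_runonce")
        return ("medium", "autorun_entry")
    return None


def triage(events):
    """Run classify() over a list of records and return the findings in input order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            severity, rule = hit
            findings.append({"severity": severity, "rule": rule, "pid": ev["pid"],
                             "image": ev["image"], "value": ev["value"]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']:<6}] {f['rule']:<40} pid={f['pid']} {f['image']} {f['value']}")
```

On the five constructed records the triage produces three high findings for pro5193.exe (two Real-Time Protection disables and the TamperProtection write), one info finding for the un260456.exe cleanup entry, and nothing for the control record, because the rule checks the written data and not just the value name. On a real host the same logic applies to Sysmon Event ID 13 records once the key path is normalised.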
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2152 | 2824 | WerFault.exe | 84
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un260456.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro5193.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu3215.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2824 | pro5193.exe
2824 | pro5193.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2824 | pro5193.exe
Token: SeDebugPrivilege | 2808 | qu3215.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 736 wrote to memory of 3128 | 736 | 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe | 83
PID 736 wrote to memory of 3128 | 736 | 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe | 83
PID 736 wrote to memory of 3128 | 736 | 7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe | 83
PID 3128 wrote to memory of 2824 | 3128 | un260456.exe | 84
PID 3128 wrote to memory of 2824 | 3128 | un260456.exe | 84
PID 3128 wrote to memory of 2824 | 3128 | un260456.exe | 84
PID 3128 wrote to memory of 2808 | 3128 | un260456.exe | 99
PID 3128 wrote to memory of 2808 | 3128 | un260456.exe | 99
PID 3128 wrote to memory of 2808 | 3128 | un260456.exe | 99
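The WriteProcessMemory signature lists the execution chain only as flat parent/child pairs, each repeated three times, and the Program crash signature ties WerFault.exe to the process it handled through pid_target. As an added example that is not part of the report, the Python below rebuilds the process tree from those signature lines alone and marks the executables the Executes dropped EXE signature names, so the result can be cross-checked against the Processes section. The input strings are copied from the report; the regexes, the tree structure and the rendering are this example's own.

```python
"""Rebuild the execution chain from the report's flattened behavioural signatures.

Added example, not part of the sandbox report. DROPPED, CRASH and WPM_LINES are
copied from the report's "Executes dropped EXE", "Program crash" and
"Suspicious use of WriteProcessMemory" signatures; everything else is this
example's own.
"""
import re
from collections import defaultdict

ROOT = "7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe"

DROPPED = "3128 un260456.exe 2824 pro5193.exe 2808 qu3215.exe"
CRASH = "2152 2824 WerFault.exe 84"          # pid pid_target Process procid_target
WPM_LINES = [                                # the report logs each pair three times
    f"PID 736 wrote to memory of 3128 736 {ROOT} 83",
    f"PID 736 wrote to memory of 3128 736 {ROOT} 83",
    f"PID 736 wrote to memory of 3128 736 {ROOT} 83",
    "PID 3128 wrote to memory of 2824 3128 un260456.exe 84",
    "PID 3128 wrote to memory of 2824 3128 un260456.exe 84",
    "PID 3128 wrote to memory of 2824 3128 un260456.exe 84",
    "PID 3128 wrote to memory of 2808 3128 un260456.exe 99",
    "PID 3128 wrote to memory of 2808 3128 un260456.exe 99",
    "PID 3128 wrote to memory of 2808 3128 un260456.exe 99",
]

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def build_tree(wpm_lines, dropped, crash):
    """Return (children, names, dropped_pids). Edges are kept in a set so the
    triplicated lines collapse to one parent/child relation each."""
    children = defaultdict(set)
    names = {}
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        src, dst, src_name, _procid = m.groups()
        children[int(src)].add(int(dst))
        names[int(src)] = src_name
    dropped_pids = set()
    for pid, name in re.findall(r"(\d+) (\S+)", dropped):
        names[int(pid)] = name
        dropped_pids.add(int(pid))
    # WerFault.exe is started on behalf of the crashing process; the report hangs
    # it under pid_target in the process list, so the tree does the same.
    wer_pid, target, wer_name, _procid = crash.split()
    children[int(target)].add(int(wer_pid))
    names[int(wer_pid)] = f"{wer_name} (crash handler for {target})"
    return children, names, dropped_pids


def roots(children):
    """PIDs that write to others but are never written to: the chain's origin."""
    all_children = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in all_children)


def render(children, names, dropped_pids, pid, depth=0):
    """Indented text tree, children in PID order; returns a list of lines."""
    tag = " [dropped]" if pid in dropped_pids else ""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render(children, names, dropped_pids, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(WPM_LINES, DROPPED, CRASH)
    for root in roots(tree[0]):
        print("\n".join(render(*tree, root)))
```

The reconstruction yields 736 at the root, un260456.exe (3128) beneath it, and pro5193.exe (2824) and qu3215.exe (2808) as its two children, with WerFault.exe (2152) hanging under 2824. The second WerFault.exe instance (PID 3984, the -pss form) appears only in the Processes section and in no signature line, so a tree built from signatures alone will not recover it; such orphans are the reason to cross-check against the process list.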
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7f9c2c2287d73c7e302c574868f8772418c5956d9a65c97169eb7b9cfc6609ef.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:736
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260456.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3128
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5193.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2824
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1004
        - Program crash
        PID:2152
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3215.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2808
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2824 -ip 2824
  PID:3984
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads
-
Filesize
545KB
MD5
60e2c6fcd9a26385825a2f39dd61db92
SHA1
669d7628d072fe7dd77c265d442a422481d16def
SHA256
4711bf4d5daedb4767765b4b0f45f594b9fbb0e2396f801cfb3b560e1f55cf0b
SHA512
bad2c5f53d41190301e03dca9e8a42bf956e256ce89a35dde85b88a9fcabac49111d4e64bc08dd49999c657e943c45b512fc66a1d99c59fba07e12d0d6f3038c
-
Filesize
325KB
MD5
192410de901925337cc3f0dc6bcbff8d
SHA1
f8ffddce960c1b0ce5206b80166c3f4d8e9b8d4e
SHA256
d118a398cef1f28d550f3f2ffae4134fdcfb367ab281b14c49adb41e4b59d110
SHA512
66cbfadf4e49ad6aa9095367bcc2e81d25e06b54d7a59ffde9332f692d5d9a84511455d93a0c2cfd39d887232badadca399c858e42771ade0472c4101df79cd9
-
Filesize
383KB
MD5
6f4c1eccf4bbdb8578aac8a9323a2789
SHA1
36406e6fc08664836ec42ba0369fb775fa93f851
SHA256
5ba12c484f077f35d10f8c51c5a07b7f49d00388bf05f996cb6cd58ce3493d0c
SHA512
557824341c0aeda978a02c0414bd8be87d941da8092676b6d06e5ba0e5dc9448922aa66e556684ba3c5f1103e42c84783a2e8e1a10c997191069336cb89184b2