Analysis

Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10/11/2024, 03:03
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe
  Resource: win10v2004-20241007-en
General

Target: 5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe
Size: 671KB
MD5: 133e54e7b8df73a88d8dd2350663a1ee
SHA1: 56721ed7737e5d54a275192caa0fcb69353c348a
SHA256: 5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753
SHA512: 386941511959afdd62f3ef363e561b695b1f5b3c3fdc526f3cb0a639da223a7bddc993e0001cc13d90e0454529aec6cc874b49a8014d648160cc0b11c59aee88
SSDEEP: 12288:vMrjy90uMkSUpxqZh/uAmAZ74u6TKshb94Cu6vw/zsJ0FCdfTF:Ey6gpCh/ndZ7Ejb94CuVoJkOTF
Malware Config

Extracted family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/900-19-0x0000000002320000-0x000000000233A000-memory.dmp  healer
behavioral1/memory/900-21-0x00000000025F0000-0x0000000002608000-memory.dmp  healer
behavioral1/memory/900-41-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-23-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-49-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-47-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-45-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-43-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-39-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-37-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-35-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-33-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-31-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-29-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-27-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-25-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
behavioral1/memory/900-22-0x00000000025F0000-0x0000000002602000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Each Disable* policy value set to 1 under the Real-Time Protection key turns off the named Defender capability; pro7101.exe creates the key and sets all five in sequence. The report records the registry writes themselves, not whether Defender honoured them.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro7101.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro7101.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro7101.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro7101.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro7101.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro7101.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource  yara_rule
behavioral1/memory/4804-61-0x00000000024B0000-0x00000000024F6000-memory.dmp  family_redline
behavioral1/memory/4804-62-0x0000000002650000-0x0000000002694000-memory.dmp  family_redline
behavioral1/memory/4804-72-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-70-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-94-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-92-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-96-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-88-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-84-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-82-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-81-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-78-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-74-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-68-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-90-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-86-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-76-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-66-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-64-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
behavioral1/memory/4804-63-0x0000000002650000-0x000000000268F000-memory.dmp  family_redline
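The Healer and RedLine signatures above count one IoC per memory dump, and the same region is dumped repeatedly as the sandbox snapshots the process, so "17 IoCs" and "20 IoCs" overstate how much distinct memory matched. The following Python is an added example, not part of the report or of any sandbox's code: it parses the dump names (resource/memory/pid-snapshot-start-end-memory.dmp), groups hits by process and rule, and merges overlapping ranges, so the Healer hits collapse to two address ranges in PID 900 and the RedLine hits to two ranges in PID 4804. The dump names are copied from the report; the parser, the merge logic and the reading of the second number as a snapshot sequence index are this example's own.

```python
"""Coalesce sandbox memory-dump YARA hits into distinct regions per process.

Added example; not part of the sandbox report. HITS is copied from the report's
'Detects Healer' and 'RedLine payload' tables (dump name, rule name). The parser,
the snapshot-index assumption and the range merging are this example's own.
"""
import re
from collections import defaultdict

# Dump names follow <resource>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<res>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

HITS = """
behavioral1/memory/900-19-0x0000000002320000-0x000000000233A000-memory.dmp healer
behavioral1/memory/900-21-0x00000000025F0000-0x0000000002608000-memory.dmp healer
behavioral1/memory/900-41-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-23-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-49-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-47-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-45-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-43-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-39-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-37-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-35-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-33-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-31-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-29-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-27-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-25-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/900-22-0x00000000025F0000-0x0000000002602000-memory.dmp healer
behavioral1/memory/4804-61-0x00000000024B0000-0x00000000024F6000-memory.dmp family_redline
behavioral1/memory/4804-62-0x0000000002650000-0x0000000002694000-memory.dmp family_redline
behavioral1/memory/4804-72-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-70-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-94-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-92-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-96-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-88-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-84-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-82-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-81-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-78-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-74-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-68-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-90-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-86-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-76-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-66-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-64-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
behavioral1/memory/4804-63-0x0000000002650000-0x000000000268F000-memory.dmp family_redline
"""


def parse_hits(text):
    """Yield (pid, seq, start, end, rule) from whitespace-separated 'dump rule' pairs."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("expected dump/rule token pairs")
    for dump, rule in zip(tokens[0::2], tokens[1::2]):
        m = DUMP_RE.match(dump)
        if m is None:
            raise ValueError(f"unrecognised dump name: {dump}")
        yield int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16), rule


def merge_regions(regions):
    """Merge overlapping or adjacent [start, end) ranges into a sorted list."""
    merged = []
    for start, end in sorted(regions):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def summarize(text):
    """Group hits by (pid, rule): hit count, snapshot span, distinct and merged regions."""
    rows = defaultdict(list)
    for pid, seq, start, end, rule in parse_hits(text):
        rows[(pid, rule)].append((seq, start, end))
    summary = {}
    for key, hits in rows.items():
        seqs = [seq for seq, _, _ in hits]
        spans = [(s, e) for _, s, e in hits]
        summary[key] = {
            "hits": len(hits),
            "snapshots": (min(seqs), max(seqs)),
            "distinct": sorted(set(spans)),
            "regions": merge_regions(spans),
        }
    return summary


if __name__ == "__main__":
    for (pid, rule), info in sorted(summarize(HITS).items()):
        ranges = ", ".join(f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in info["regions"])
        print(f"PID {pid} {rule}: {info['hits']} hits, snapshots "
              f"{info['snapshots'][0]}-{info['snapshots'][1]}, merged regions {ranges}")
```

Running it shows three distinct ranges per process, two of which overlap (the 0x25F0000 region in PID 900 shrinks from 0x18000 to 0x12000 bytes between snapshots 21 and 22, and the 0x2650000 region in PID 4804 from 0x44000 to 0x3F000), so the merged view is one small region plus one larger region per payload: the unpacked Healer and RedLine images the YARA rules actually matched.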
Redline family
Executes dropped EXE (3 IoCs)
pid  Process
3664  un206655.exe
900  pro7101.exe
4804  qu9560.exe

Windows security modification (2 IoCs)
pro7101.exe also writes the Features\TamperProtection value to 0. Defender's tamper protection exists precisely to stop processes from flipping its settings, so, as with the Real-Time Protection policy writes, the report records the attempt rather than a confirmed effect.
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro7101.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro7101.exe
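The two Defender signatures in this report describe one sequence by pro7101.exe: create the Real-Time Protection policy key, set five Disable* values to 1, and set Features\TamperProtection to 0. The paths are shown under WOW6432Node because the writer is a 32-bit process (the WerFault instance that later handles its crash runs from SysWOW64); a detection that keys on the literal path would miss identical writes from a 64-bit sample. The following Python is an added example, not part of the report or of any sandbox's code: it parses rows in the report's own format, normalises the hive prefix and the WOW6432Node redirection, and emits findings tagged with ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). The pro7101.exe rows are copied from the report; the gpupdate.exe and evil64.exe rows are constructed controls and the verdict names are this example's own.

```python
"""Flag Windows Defender tampering in sandbox registry events.

Added example; not part of the sandbox report. SAMPLE_EVENTS mirrors the
report's registry IoC rows for pro7101.exe plus two constructed control rows
(gpupdate.exe, evil64.exe) that are NOT from the report. The parser, the
normalisation and the verdict names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Row format as in the report's IoC tables:
#   Set value (int) \REGISTRY\MACHINE\<key path>\<ValueName> = "<data>" <process>
EVENT_RE = re.compile(
    r'^Set value \((?:int|str)\) '
    r'(?P<key>\\REGISTRY\\MACHINE\\.+?)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

# Normalised keys (HKLM prefix, WOW6432Node removed, upper-cased) we care about.
RTP_KEY = r"HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION"
FEATURES_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES"

# Real-Time Protection policy values that switch a Defender capability off when set to 1.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str
    data: str
    verdict: str
    technique: str = "T1562.001"  # ATT&CK Impair Defenses: Disable or Modify Tools


def normalize_key(raw: str) -> str:
    """Map \\REGISTRY\\MACHINE to HKLM, drop the WOW6432Node component that a
    32-bit writer leaves in the path, and upper-case for comparison."""
    key = raw.replace("\\REGISTRY\\MACHINE", "HKLM", 1)
    key = re.sub(r"\\WOW6432NODE(?=\\|$)", "", key, flags=re.IGNORECASE)
    return key.upper()


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a Defender-disabling value write, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None  # 'Key created' rows and other event kinds are not value writes
    key, name, data, proc = normalize_key(m["key"]), m["name"], m["data"], m["proc"]
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and data == "1":
        return Finding(proc, key, name, data, "defender_realtime_protection_disabled")
    if key == FEATURES_KEY and name.lower() == "tamperprotection" and data == "0":
        return Finding(proc, key, name, data, "defender_tamper_protection_off")
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Classify every row; rows that are not Defender-disabling writes are dropped."""
    return [f for f in map(classify, lines) if f is not None]


SAMPLE_EVENTS = [
    # rows copied from the report
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro7101.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro7101.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro7101.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro7101.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro7101.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro7101.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro7101.exe',
    # constructed controls (not from the report): a policy refresh re-enabling RTP,
    # and a 64-bit writer hitting the native (non-WOW6432Node) path
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" evil64.exe',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique} {f.verdict}: {f.process} set {f.name}={f.data} under {f.key}")
```

The gpupdate.exe row is deliberately not flagged: the same value name with data 0 re-enables protection, so matching on the key and value name alone, without the data, would alert on remediation as well as on the attack. The evil64.exe row is flagged despite lacking the WOW6432Node component, which is the point of normalising before comparison.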
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un206655.exe

Both entries are the cleanup hook that a WExtract (IExpress) self-extracting package registers: at the next logon, rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP00n.TMP directory the package extracted into. The outer sample and the nested un206655.exe are therefore two layers of SFX wrapper around pro7101.exe and qu9560.exe. The sandbox counts the RunOnce writes as autostart persistence (hence the Registry Run Keys / Startup Folder mapping in the ATT&CK table), but they remove the extraction directory rather than relaunch the payload.
Program crash (1 IoC)
pid  pid_target  Process  procid_target
4756  900  WerFault.exe  84
(WerFault.exe, PID 4756, reported a crash in pro7101.exe, PID 900.)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro7101.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu9560.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un206655.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
900  pro7101.exe
900  pro7101.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  900  pro7101.exe
Token: SeDebugPrivilege  4804  qu9560.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 3164 wrote to memory of 3664  3164  5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe  83  (3 events)
PID 3664 wrote to memory of 900  3664  un206655.exe  84  (3 events)
PID 3664 wrote to memory of 4804  3664  un206655.exe  95  (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe (PID 3164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b8882b059a219966ce7e40735556bb2ce8d056150855b028c8bab4859822753.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un206655.exe (PID 3664, child of 3164)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un206655.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7101.exe (PID 900, child of 3664)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7101.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 4756, child of 900)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1088
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9560.exe (PID 4804, child of 3664)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9560.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 2068, top level)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 900 -ip 900
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads (dropped files)

File 1
Filesize: 517KB
MD5: 8b2afa077a9c1bacfa5b49f21a107fc4
SHA1: 6b13e1edc67773324b961224f8e90531874c16bb
SHA256: d15a10a9775d94b391f79af1874c8abb31737458295fc6ed930543b1a19efd91
SHA512: 8b998b9faee3fdd7de6af8c1f23ad1810f8491bd02b60a927b61dd42794d201b4b35fc596ce448c281b48195f0f58cd64d53ee64079408c049575ca46338b58e

File 2
Filesize: 237KB
MD5: 173240f4d0667d14ecd4a7370eec7b7a
SHA1: 19f037f1b0dee7cad0bb0ecf8ea7b78a7a8a7df6
SHA256: 50d9a9dbccc4dccdd697fc153d99e76724bad8cd8ac77df5d0d71125f1d70f47
SHA512: 4148f85bf2a4f20587e8a6b155bdafa64dd0f4f1aee87f32245a434afec7cce487349857061c94ea9e477f27caa643f35c01efa77d1c8de99d2967beb6a333a4

File 3
Filesize: 295KB
MD5: e84ff9d056dfdfef57cc71bb2c804357
SHA1: e258243b0bcdb9292be4727c0ec817758c45931f
SHA256: 3787d69e473529975703963a55565210ae1755b1fd2153a8539ace5e80742271
SHA512: b76685878b2a21e54bf519c083d22b841103d8d86e364deb7df841541491a752b3c41d4c4257ebab73f4a4191fa078133ed5a168de8511f3b0b3d73a618a1281