Analysis
-
max time kernel
112s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
10/11/2024, 03:04
Static task
static1
Behavioral task
behavioral1
Sample
bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe
Resource
win10v2004-20241007-en
General
-
Target
bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe
-
Size
837KB
-
MD5
25934bac5ade7828f0c412d785526320
-
SHA1
b0478b4428212dafa9e2cd8915481033123c2aca
-
SHA256
bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2d
-
SHA512
9b135c42df4a8813f20f69e0212347509fab96c1d8dea6a5c05f05a7cab3772db05942b8311a41eba2000869185314c526a72d3cad3147bc3fb203ae68be9fcd
-
SSDEEP
24576:8yxgpAiIxEgNJuOfMRh/FSJoFj0Bc4Qm1:rxgo/LuD//F+uQBc
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detects Healer, an antivirus disabler dropper 19 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b7f-19.dat | healer
behavioral1/memory/1968-22-0x0000000000DD0000-0x0000000000DDA000-memory.dmp | healer
behavioral1/memory/3352-29-0x0000000004930000-0x000000000494A000-memory.dmp | healer
behavioral1/memory/3352-31-0x0000000004D90000-0x0000000004DA8000-memory.dmp | healer
behavioral1/memory/3352-32-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-43-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-57-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-55-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-53-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-51-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-49-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-47-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-45-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-41-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-39-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-37-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-35-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-33-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
behavioral1/memory/3352-59-0x0000000004D90000-0x0000000004DA2000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qu6108.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qu6108.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | qu6108.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro3193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3193.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3193.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | qu6108.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qu6108.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | qu6108.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/2388-67-0x00000000070A0000-0x00000000070E6000-memory.dmp | family_redline
behavioral1/memory/2388-68-0x0000000007120000-0x0000000007164000-memory.dmp | family_redline
behavioral1/memory/2388-102-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-100-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-98-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-96-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-94-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-92-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-90-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-88-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-84-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-82-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-80-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-78-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-76-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-74-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-72-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-86-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-70-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
behavioral1/memory/2388-69-0x0000000007120000-0x000000000715E000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 5 IoCs
pid | Process
4812 | unio8463.exe
5092 | unio3683.exe
1968 | pro3193.exe
3352 | qu6108.exe
2388 | rKJ48s80.exe
-
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3193.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | qu6108.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | qu6108.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio8463.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | unio3683.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1244 | 3352 | WerFault.exe | 99
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio8463.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio3683.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu6108.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rKJ48s80.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1968 | pro3193.exe
1968 | pro3193.exe
3352 | qu6108.exe
3352 | qu6108.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1968 | pro3193.exe
Token: SeDebugPrivilege | 3352 | qu6108.exe
Token: SeDebugPrivilege | 2388 | rKJ48s80.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 4540 wrote to memory of 4812 | 4540 | bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe | 83
PID 4540 wrote to memory of 4812 | 4540 | bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe | 83
PID 4540 wrote to memory of 4812 | 4540 | bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe | 83
PID 4812 wrote to memory of 5092 | 4812 | unio8463.exe | 84
PID 4812 wrote to memory of 5092 | 4812 | unio8463.exe | 84
PID 4812 wrote to memory of 5092 | 4812 | unio8463.exe | 84
PID 5092 wrote to memory of 1968 | 5092 | unio3683.exe | 85
PID 5092 wrote to memory of 1968 | 5092 | unio3683.exe | 85
PID 5092 wrote to memory of 3352 | 5092 | unio3683.exe | 99
PID 5092 wrote to memory of 3352 | 5092 | unio3683.exe | 99
PID 5092 wrote to memory of 3352 | 5092 | unio3683.exe | 99
PID 4812 wrote to memory of 2388 | 4812 | unio8463.exe | 110
PID 4812 wrote to memory of 2388 | 4812 | unio8463.exe | 110
PID 4812 wrote to memory of 2388 | 4812 | unio8463.exe | 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bf2a16ebe8a359b192f673f46dd35c9cf5de74ab1bd85de77143e44cce230a2dN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4540
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8463.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8463.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4812
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio3683.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio3683.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5092
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3193.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro3193.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1968
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu6108.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu6108.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3352
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1084
          - Program crash
          PID: 1244
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rKJ48s80.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rKJ48s80.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2388
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3352 -ip 3352
  PID: 4888
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize
694KB
MD5
a66d5bb09d97ae403d1c212561b25e17
SHA1
83f610ee0efc85602c56c8261547487de9f963d4
SHA256
34e0d28073e895fc9d16f0d315ac7841e7f97ee7f1afded5af2d4e3004a15ef4
SHA512
5d02bb09a595ae1abef738d74d13cb657f7319b6939c4036c1d2b0640a46d6a87ff35178963f6dcd8a72f813a373d31929e9f35a7f3a44cb567f65f2c1981534
-
Filesize
391KB
MD5
932189f5b19f8309742261265f1412bc
SHA1
fa11461f68a05aec1a635e9fac42097c70ceb832
SHA256
871bcc6d7ead5b13f98823e95c4e5f7335b69ec85cf156e76236d000674566ba
SHA512
c57c627ae76c4423529a35557f3ac395c5196637a46a2e0e6390754b695e59f5e91a4677b21d56b4119021f14e5eaa06d2b033405116028ff3221d661805c396
-
Filesize
344KB
MD5
4a71ab65cee3dbe9d874616cb9fb999c
SHA1
665416e0a210c3a19a21d5038e0f5ea0a1ed91e6
SHA256
298249c18cd13ccce909be1fa599797f529e2a67d7daa8c54993b6539237fbda
SHA512
d68d32061e2b7d82cc8a217cfb4d5bb4446f02ef937c1f5c3f410cbd361fccee563fd1724c72389b28cb140689acb5bea04e56b8a407abf52c00e5c0eac1933f
-
Filesize
11KB
MD5
7e93bacbbc33e6652e147e7fe07572a0
SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
334KB
MD5
c5f9c4a2a0b5be7f495c55d2fcec5e15
SHA1
c6adc4c262973e8a3dbade26a198c06689743367
SHA256
e2b44deb9c60b41e5ac45f5585db39e28e64181e53e1efc9fd88c6f493b758f0
SHA512
ce02b6af0be4717b4c1423bf33c44405de6d67bf52a3cfa6277f73f2007ac20caa3917dcd92005a398b646790a6c9a90e0f64c88008ea0189a4acf77ba451fb6