Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  submitted: 10/11/2024, 03:04

Static task: static1

Behavioral task: behavioral1
  Sample: 0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe
  Resource: win10v2004-20241007-en
General
  Target: 0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe
  Size: 659KB
  MD5: ccbd9080c4e0d8ffd64a6c12d3faae5d
  SHA1: 389ba71557a8c11cd7388b13df7317a034fc7cf8
  SHA256: 0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52
  SHA512: 8e9692a7d426200a18c998103d60a53fdf06db57cbdacb934e2f3ac5ec87188957492661d17c73b5e4f98aece55e0d9e1e463f5fe96f9649c451f77573918f26
  SSDEEP: 12288:4MrGy90NVhOqmH8t4DbUsniWssNsXrAIw/lf0TsMrLiViKaWP0uT:uyKVhCtn/ssN4AIwtfOsM6ViK50a
Malware Config
  Extracted
    Family: redline
    Botnet: rosn
    C2: 176.113.115.145:4125
    Attributes
      auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

- Detects Healer an antivirus disabler dropper (17 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/4972-19-0x0000000002450000-0x000000000246A000-memory.dmp    healer
    behavioral1/memory/4972-21-0x00000000024F0000-0x0000000002508000-memory.dmp    healer
    behavioral1/memory/4972-31-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-49-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-47-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-45-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-43-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-41-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-39-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-37-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-35-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-33-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-29-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-27-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-25-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-23-0x00000000024F0000-0x0000000002502000-memory.dmp    healer
    behavioral1/memory/4972-22-0x00000000024F0000-0x0000000002502000-memory.dmp    healer

- Healer family

- Modifies Windows Defender Real-time Protection settings (6 IoCs)
    description        ioc                                                                                                                               Process
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     pro0003.exe
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   pro0003.exe
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                     pro0003.exe
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     pro0003.exe
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"         pro0003.exe
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     pro0003.exe
- RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (20 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1040-61-0x0000000002470000-0x00000000024B6000-memory.dmp    family_redline
    behavioral1/memory/1040-62-0x00000000027B0000-0x00000000027F4000-memory.dmp    family_redline
    behavioral1/memory/1040-68-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-76-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-96-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-94-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-92-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-90-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-88-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-86-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-82-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-80-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-78-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-74-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-72-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-70-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-84-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-66-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-64-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline
    behavioral1/memory/1040-63-0x00000000027B0000-0x00000000027EF000-memory.dmp    family_redline

- Redline family

- Executes dropped EXE (3 IoCs)
    pid     Process
    3504    un822150.exe
    4972    pro0003.exe
    1040    qu1336.exe

- Windows security modification (2 IoCs)
    description        ioc                                                                                         Process
    Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                  pro0003.exe
    Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"    pro0003.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
    description        ioc                                                                                                      Process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    un822150.exe

- Program crash (1 IoCs)
    pid     pid_target    Process         procid_target
    2480    4972          WerFault.exe    84
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description    ioc                                                           Process
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    un822150.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    pro0003.exe
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    qu1336.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid     Process
    4972    pro0003.exe
    4972    pro0003.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                pid     Process
    Token: SeDebugPrivilege    4972    pro0003.exe
    Token: SeDebugPrivilege    1040    qu1336.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
    description                            pid     Process                                                                    procid_target
    PID 2796 wrote to memory of 3504       2796    0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe    83
    PID 2796 wrote to memory of 3504       2796    0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe    83
    PID 2796 wrote to memory of 3504       2796    0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe    83
    PID 3504 wrote to memory of 4972       3504    un822150.exe                                                               84
    PID 3504 wrote to memory of 4972       3504    un822150.exe                                                               84
    PID 3504 wrote to memory of 4972       3504    un822150.exe                                                               84
    PID 3504 wrote to memory of 1040       3504    un822150.exe                                                               99
    PID 3504 wrote to memory of 1040       3504    un822150.exe                                                               99
    PID 3504 wrote to memory of 1040       3504    un822150.exe                                                               99
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0486b0c530c418f484f5a7348c673bd94a5f1631017096c65fce1cdc28f78d52.exe"
  PID: 2796
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un822150.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un822150.exe
    PID: 3504
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0003.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0003.exe
      PID: 4972
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1080
        PID: 2480
        - Program crash

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1336.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1336.exe
      PID: 1040
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4972 -ip 4972
  PID: 1748
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads

- Filesize: 517KB
  MD5: e8bd68714eefb1ccbd066975db7a552a
  SHA1: a9916007a6d5dc6cfc5d27480ed584023f81316d
  SHA256: e8af34428b3eee0b130fa1906e7c2e755e8beb631ddf9b9e1aa75f4f3943cb62
  SHA512: b14f345cf66cda26ce6e17d7091b79ef4dd65ec2ab8f4d8246d9b5c416e83f2208970121d40f670dcf4c90172953d167ee74fe02a2f7954fe9aaa9bfe2f52eb8

- Filesize: 236KB
  MD5: b217bd817cd0a9869f6f2a64bfe882fd
  SHA1: 6a2530c6389e9bfee6c07b29b297504f88f98263
  SHA256: bf0025b15d20b8314398309d662e43cbd5c12a6682c0292a0f9c8882975a2d19
  SHA512: e9eebfcdee49c6bb109b035120d381cf65e0a26afdc8d7091096aee2de7278af139905ef0206a584981fe489bda4212c5d97bca67f14c55b01e6b049fe4e61e5

- Filesize: 295KB
  MD5: 9b10daeb2e92f078cdfa026fce10ddc0
  SHA1: e64762651476447e4a343f304cd4d4ee00eb1b07
  SHA256: a1867b641dfce0e3119b9da8f96a88f61782a011e52fc799aee75e9e2d36ac87
  SHA512: 60b022039b314970584fcb425854362aa049b3e2464672212ffc86dd4d6d181c758ae9483a8800657d33066e83fb0f005137a21111ad4311f2f391f2dba24f8f