Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:24
Static task: static1
Behavioral task: behavioral1
Sample: a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe
Resource: win10v2004-20241007-en
General
Target: a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe
Size: 667KB
MD5: b2bfd61f2bfea803129bbb4092e24d98
SHA1: c9ef04e7b7ef865e75ed60d7e69815f95fe92ecf
SHA256: a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5
SHA512: 703bb70aaf8b2764b5cd2185b1e41492df4d5420717d4772a9988eddfabde4568aa4034c3f07beff6920272a8a050a3320bc239afa8aed74e5202cc367fa414f
SSDEEP: 12288:gMrHy90jG767SLi2ymw4my8+IMwwEZL6+z8U14pHNom3p71BiOxui7XF:XyGGht9IPwV+z8FNNP91BiOFF
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 matches are in the memory of PID 4040 (pro9946.exe).
resource | yara_rule
behavioral1/memory/4040-19-0x00000000028A0000-0x00000000028BA000-memory.dmp | healer
behavioral1/memory/4040-21-0x0000000002A80000-0x0000000002A98000-memory.dmp | healer
behavioral1/memory/4040-49-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-47-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-45-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-43-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-41-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-39-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-37-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-35-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-34-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-31-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-29-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-27-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-25-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-23-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
behavioral1/memory/4040-22-0x0000000002A80000-0x0000000002A92000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
All six writes land in the WOW6432Node view of the policy key, consistent with pro9946.exe running as a 32-bit process under WOW64 (its crash is handled by C:\Windows\SysWOW64\WerFault.exe, see Program crash below).
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9946.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9946.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
All 20 matches are in the memory of PID 2972 (qu8122.exe), which is therefore the RedLine component of this bundle.
resource | yara_rule
behavioral1/memory/2972-61-0x0000000004DB0000-0x0000000004DF6000-memory.dmp | family_redline
behavioral1/memory/2972-62-0x0000000005420000-0x0000000005464000-memory.dmp | family_redline
behavioral1/memory/2972-72-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-76-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-96-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-94-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-92-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-90-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-88-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-86-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-84-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-82-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-80-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-78-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-74-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-70-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-68-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-66-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-64-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
behavioral1/memory/2972-63-0x0000000005420000-0x000000000545F000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1292 | un890440.exe
4040 | pro9946.exe
2972 | qu8122.exe
Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9946.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9946.exe
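The two tables above (the Real-Time Protection policy writes and the TamperProtection write) are the behaviour a detection engineer wants to match generically rather than by exact path. The following is an added example for this report, not tooling from the sandbox: it normalises the registry path (hive prefix and the WOW6432Node redirection seen here, so a 32-bit and a 64-bit writer compare equal), flags only the value/data combinations that actually switch a Defender control off, and maps them to ATT&CK T1562.001. The RegEvent record layout is this example's own assumption; the sample events are constructed from the report's rows plus one made-up benign row (a write of 0) that must not fire.

```python
"""Flag Windows Defender policy tampering in sandbox registry events.

Added example for this report; not part of the sandbox's tooling.
The RegEvent layout (process, op, key, value, data) is an assumption of
this example; SAMPLE_EVENTS is constructed from the two IoC tables above
plus one benign control row.
"""
import re
from dataclasses import dataclass

# Real-Time Protection policy values that disable a control when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
RTP_KEY = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"software\microsoft\windows defender\features"


@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str        # "set" or "create", as in the report's description column
    key: str       # registry path exactly as the sandbox prints it
    value: str     # value name ("" for key creation)
    data: object   # int/str payload (None for key creation)


def normalize_key(key: str) -> str:
    """Lower-case, strip the hive prefix and the WOW6432Node redirection so
    a 32-bit process's view compares equal to the native 64-bit path."""
    k = key.lower()
    k = re.sub(r"^\\registry\\machine\\", "", k)
    k = re.sub(r"^hklm\\", "", k)
    return k.replace("\\wow6432node\\", "\\")


def classify(ev: RegEvent):
    """Return (technique, reason) when the write disables a Defender control."""
    if ev.op != "set":
        return None
    try:
        data = int(ev.data)
    except (TypeError, ValueError):
        return None
    key, name = normalize_key(ev.key), ev.value.lower()
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and data == 1:
        return ("T1562.001", f"{ev.value}=1 turns off a real-time protection component")
    if key == FEATURES_KEY and name == "tamperprotection" and data == 0:
        return ("T1562.001", "TamperProtection=0 turns off Defender tamper protection")
    return None


def find_defender_tampering(events):
    """Group hits per process so one dropper shows up once with all its writes."""
    hits = {}
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.setdefault(ev.process, []).append((ev.value, *verdict))
    return hits


# Constructed from the report's IoC tables; the gpupdate row is a made-up
# benign control (re-enabling a protection writes 0, which must not fire).
W64 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
RTP = W64 + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = W64 + r"\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [
    RegEvent("pro9946.exe", "create", RTP, "", None),
    RegEvent("pro9946.exe", "set", RTP, "DisableScanOnRealtimeEnable", 1),
    RegEvent("pro9946.exe", "set", RTP, "DisableBehaviorMonitoring", 1),
    RegEvent("pro9946.exe", "set", RTP, "DisableIOAVProtection", 1),
    RegEvent("pro9946.exe", "set", RTP, "DisableOnAccessProtection", 1),
    RegEvent("pro9946.exe", "set", RTP, "DisableRealtimeMonitoring", 1),
    RegEvent("pro9946.exe", "create", FEAT, "", None),
    RegEvent("pro9946.exe", "set", FEAT, "TamperProtection", 0),
    RegEvent("gpupdate.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
             "DisableRealtimeMonitoring", 0),
]

if __name__ == "__main__":
    for proc, rows in find_defender_tampering(SAMPLE_EVENTS).items():
        print(proc)
        for value, technique, reason in rows:
            print(f"  {technique}  {value}: {reason}")
```

Run against the constructed events, pro9946.exe is reported with six hits and the gpupdate.exe row is ignored. Matching on normalised key plus value name plus data, rather than on the literal WOW6432Node path, is what keeps the rule from missing the same dropper built as a 64-bit binary.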
Adds Run key to start application (2 TTPs, 2 IoCs)
Both RunOnce values are wextract_cleanupN entries that call advpack.dll's DelNodeRunDLL32 on an IXPnnn.TMP directory: this is the self-cleanup that the IExpress/wextract self-extractor stub registers so its extraction folder is deleted at the next logon, not an autostart of the payload. It does tell you the packaging: the sample is a wextract package (IXP000.TMP) containing a second wextract package, un890440.exe (IXP001.TMP), which holds pro9946.exe and qu8122.exe.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un890440.exe
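Because the "Adds Run key" signature fires on wextract's own cleanup entries, a triage script should separate them from real RunOnce persistence and, just as importantly, list which dropped files the cleanup will erase at next logon so they are collected first. The following is an added example for this report, not sandbox tooling: it parses the RunOnce data with a regex for the rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" form, extracts the IXP index, and joins the result against the dropped-file paths from the process tree. The RunOnce values and dropped paths are taken from the report; the "Updater" row is a constructed, hypothetical autostart entry included for contrast.

```python
"""Tell IExpress/wextract self-cleanup apart from real RunOnce persistence.

Added example for this report, not sandbox tooling. The wextract_cleanup
values come from the 'Adds Run key to start application' table and the
dropped-file paths from the process tree; the 'Updater' row is a
constructed, hypothetical autostart entry used only for contrast.
"""
import ntpath
import re

# rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" is how the wextract stub
# schedules deletion of its own IXPnnn.TMP extraction directory.
WEXTRACT_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\?$", re.IGNORECASE)


def classify_runonce(value_name, data):
    """Describe one RunOnce value: kind, target and whether a payload persists."""
    m = WEXTRACT_RE.match(data.strip())
    if m and value_name.lower().startswith("wextract_cleanup"):
        target = m.group("dir")
        ixp = IXP_RE.search(target)
        return {
            "kind": "wextract_cleanup",
            "target": target,
            "ixp_index": int(ixp.group(1)) if ixp else None,
            "persists_payload": False,
        }
    return {"kind": "autostart", "target": data, "ixp_index": None,
            "persists_payload": True}


def files_removed_by(cleanup, dropped_paths):
    """Dropped files that live in the directory the cleanup entry will delete."""
    if cleanup["kind"] != "wextract_cleanup":
        return []
    wanted = cleanup["target"].rstrip("\\").lower()
    return [p for p in dropped_paths if ntpath.dirname(p).lower() == wanted]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = {
    "wextract_cleanup0": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
                         + TEMP + r'\IXP000.TMP\"',
    "wextract_cleanup1": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
                         + TEMP + r'\IXP001.TMP\"',
    # constructed, hypothetical: a value that really would start a payload
    "Updater": r"C:\Users\Admin\AppData\Roaming\Updater\updater.exe",
}
DROPPED = [
    TEMP + r"\IXP000.TMP\un890440.exe",
    TEMP + r"\IXP001.TMP\pro9946.exe",
    TEMP + r"\IXP001.TMP\qu8122.exe",
]


def triage(runonce=RUNONCE, dropped=DROPPED):
    """Map every RunOnce value to its verdict and the dropped files it erases."""
    report = {}
    for name, data in runonce.items():
        verdict = classify_runonce(name, data)
        verdict["removes"] = files_removed_by(verdict, dropped)
        report[name] = verdict
    return report


if __name__ == "__main__":
    for name, v in triage().items():
        print(f"{name}: {v['kind']}, persists_payload={v['persists_payload']}, "
              f"removes={v['removes']}")
```

For this sample the script reports that wextract_cleanup1 will remove both pro9946.exe and qu8122.exe from IXP001.TMP at the next logon, which is why an incident responder should pull those files from disk (or from the sandbox's dropped-file store) before rebooting the host.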
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
5216 | sc.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1996 | 4040 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro9946.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu8122.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un890440.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4040 | pro9946.exe
4040 | pro9946.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4040 | pro9946.exe
Token: SeDebugPrivilege | 2972 | qu8122.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1940 wrote to memory of 1292 | 1940 | a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe | 83
PID 1940 wrote to memory of 1292 | 1940 | a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe | 83
PID 1940 wrote to memory of 1292 | 1940 | a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe | 83
PID 1292 wrote to memory of 4040 | 1292 | un890440.exe | 84
PID 1292 wrote to memory of 4040 | 1292 | un890440.exe | 84
PID 1292 wrote to memory of 4040 | 1292 | un890440.exe | 84
PID 1292 wrote to memory of 2972 | 1292 | un890440.exe | 99
PID 1292 wrote to memory of 2972 | 1292 | un890440.exe | 99
PID 1292 wrote to memory of 2972 | 1292 | un890440.exe | 99
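Every target of a WriteProcessMemory row above is also a PID in the Executes dropped EXE table, so in this report the writes are a parent writing into a child it has just spawned, and the rows can be used to rebuild the parent/child chain without trusting the rendered tree. The following is an added example for this report, not sandbox tooling: it parses the three flattened tables (WriteProcessMemory, Executes dropped EXE, Program crash) with regexes that assume exactly the column layout shown, collapses the repeated rows into one edge each while keeping the write count, resolves PIDs to image names, and marks the crashed process. The table strings are constructed from the report's own rows.

```python
"""Rebuild the process tree from the report's flattened IoC tables.

Added example for this report, not sandbox tooling. The three table
strings are constructed from the 'Suspicious use of WriteProcessMemory',
'Executes dropped EXE' and 'Program crash' rows; the regexes assume
exactly that column layout.
"""
import re

SAMPLE = "a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe"

# "PID <pid> wrote to memory of <target> <pid> <process> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
# "<pid> <process>"
EXEC_RE = re.compile(r"(\d+) (\S+)")
# "<pid> <pid_target> <process> <procid_target>"
CRASH_RE = re.compile(r"(\d+) (\d+) (\S+) (\d+)")

WPM_TABLE = " ".join(
    f"PID {p} wrote to memory of {t} {p} {n} {i}"
    for p, t, n, i in [(1940, 1292, SAMPLE, 83)] * 3
    + [(1292, 4040, "un890440.exe", 84)] * 3
    + [(1292, 2972, "un890440.exe", 99)] * 3
)
EXEC_TABLE = "1292 un890440.exe 4040 pro9946.exe 2972 qu8122.exe"
CRASH_TABLE = "1996 4040 WerFault.exe 84"


def parse_tables(wpm_text, exec_text, crash_text):
    """Return (children, names, crashed, write_counts) from the three tables."""
    names, children, write_counts = {}, {}, {}
    for pid, target, pid2, proc, _ in WPM_RE.findall(wpm_text):
        if pid != pid2:          # pid column must agree with the description
            continue
        pid, target = int(pid), int(target)
        names.setdefault(pid, proc)
        kids = children.setdefault(pid, [])
        if target not in kids:   # the report repeats each pair three times
            kids.append(target)
        write_counts[(pid, target)] = write_counts.get((pid, target), 0) + 1
    for pid, proc in EXEC_RE.findall(exec_text):
        names.setdefault(int(pid), proc)
    crashed = {int(t): (int(p), proc)
               for p, t, proc, _ in CRASH_RE.findall(crash_text)}
    return children, names, crashed, write_counts


def roots(children):
    """Parents that are never themselves the target of a write."""
    targets = {t for kids in children.values() for t in kids}
    return [p for p in children if p not in targets]


def render(children, names, crashed, pid, depth=0, out=None):
    """Indented text tree, one line per process."""
    out = [] if out is None else out
    line = "  " * depth + f"{names.get(pid, '?')} ({pid})"
    if pid in crashed:
        wpid, wproc = crashed[pid]
        line += f"  [crashed; {wproc} {wpid}]"
    out.append(line)
    for child in children.get(pid, []):
        render(children, names, crashed, child, depth + 1, out)
    return out


def process_tree(wpm_text=WPM_TABLE, exec_text=EXEC_TABLE, crash_text=CRASH_TABLE):
    """Parse the tables and return (tree lines, write counts per edge)."""
    children, names, crashed, counts = parse_tables(wpm_text, exec_text, crash_text)
    lines = []
    for root in roots(children):
        render(children, names, crashed, root, 0, lines)
    return lines, counts


if __name__ == "__main__":
    lines, counts = process_tree()
    print("\n".join(lines))
    for (p, t), n in counts.items():
        print(f"{p} -> {t}: {n} write(s)")
```

The rebuilt tree is the sample (1940) spawning un890440.exe (1292), which spawns pro9946.exe (4040, later crashed and handled by WerFault.exe 1996) and qu8122.exe (2972); every edge carries exactly three writes. A target PID that was not in the dropped-EXE list, or an edge with a different write pattern, is what would point at injection into an existing process rather than ordinary child creation.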
Processes
"C:\Users\Admin\AppData\Local\Temp\a55c2dd48e0d70381f8038e9901716e3c7e1196b478fc457289c2d784c356fa5.exe" (PID 1940)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890440.exe (PID 1292)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9946.exe (PID 4040)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1080 (PID 1996)
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8122.exe (PID 2972)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4040 -ip 4040 (PID 624)
C:\Windows\system32\sc.exe start wuauserv (PID 5216)
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 525KB
MD5: 026f11b7607c4af714f76b5a106121e7
SHA1: fd77a060e7b649f2ecfec90ccd912b51281ce66f
SHA256: 7eee560b1e8f5a33d1792668a22fcfbe19f5455409559479c7a51269814563fc
SHA512: 0ac37b2c0d57f2b1e2da7bb753f7f98a5cf4ddbe6094bae48aa331bba12d13569759a8e839cc41613cb447a9cfa662e08c55dc969c3825fc2a5e24ff80846bc3

Filesize: 295KB
MD5: 8d6d2325cc6a7180f167057159a71015
SHA1: 21f47f176a6782be5380fb0bbdb29e042009cb82
SHA256: 9cd5102ac689e851b3c476e020e7697fa7e785296c5e96cf21a44960751359dc
SHA512: 6ade1156cca926d7dd660908305cad5685060bd3efbbe55b0ff4b638b8d7f7ab8a061efb51cab4858defb49671518779b36ac625314e346c8eaaba7186bdd374

Filesize: 353KB
MD5: dbf07c09621bbd74cfe2937f40ae61ae
SHA1: 403577eaaed717c3424fd09b0693d063dc3d726d
SHA256: c2ca82d81814a65d0b156e9b52a3594417b1ad31e3944001e57924993bccd72f
SHA512: 4c16ee89120cede770e92169d78a186e8de3dedf1d80ef7f3735d5f82530658be2872c816faec0bc76137911e32f7e2fb8ca2d2334b1d056c2fc514efee242ec