Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe
  Resource: win10v2004-20241007-en
General
Target: 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe
Size: 659KB
MD5: a857d514bf6c5efe18edc55462ae26fe
SHA1: 9d5524430b7e3ab7bf324e4f3ea2ac19fd983f53
SHA256: 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df
SHA512: 7ec55fe2f05cbb3188061a6d1529af210b32fa84c82902595268e5d33b71135d924a9582c7af34bcc9c7f7596aea27654840129840619de1cf2f1087ff6aef45
SSDEEP: 12288:QMr6y90rpMRfSxnhEvd8MYXJ5VkZWFslRNleaOKsZwl6Dk:6yYMIxhaSMkKWF45OKsSl6Dk
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2240-19-0x00000000025A0000-0x00000000025BA000-memory.dmp | healer
behavioral1/memory/2240-21-0x00000000027A0000-0x00000000027B8000-memory.dmp | healer
behavioral1/memory/2240-22-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-29-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-49-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-47-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-45-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-43-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-41-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-39-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-37-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-35-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-33-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-31-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-27-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-25-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
behavioral1/memory/2240-23-0x00000000027A0000-0x00000000027B2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1926.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4824-60-0x00000000025C0000-0x0000000002606000-memory.dmp | family_redline
behavioral1/memory/4824-61-0x0000000004DF0000-0x0000000004E34000-memory.dmp | family_redline
behavioral1/memory/4824-65-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-73-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-95-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-93-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-89-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-87-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-85-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-83-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-81-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-79-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-77-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-75-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-71-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-69-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-67-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-91-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline
behavioral1/memory/4824-62-0x0000000004DF0000-0x0000000004E2F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2396 | un158855.exe
2240 | pro1926.exe
4824 | qu9347.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1926.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1926.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un158855.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
4500 | sc.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4268 | 2240 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un158855.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro1926.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu9347.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2240 | pro1926.exe
2240 | pro1926.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2240 | pro1926.exe
Token: SeDebugPrivilege | 4824 | qu9347.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2520 wrote to memory of 2396 | 2520 | 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe | 84
PID 2520 wrote to memory of 2396 | 2520 | 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe | 84
PID 2520 wrote to memory of 2396 | 2520 | 03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe | 84
PID 2396 wrote to memory of 2240 | 2396 | un158855.exe | 86
PID 2396 wrote to memory of 2240 | 2396 | un158855.exe | 86
PID 2396 wrote to memory of 2240 | 2396 | un158855.exe | 86
PID 2396 wrote to memory of 4824 | 2396 | un158855.exe | 98
PID 2396 wrote to memory of 4824 | 2396 | un158855.exe | 98
PID 2396 wrote to memory of 4824 | 2396 | un158855.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03a5e00fc6fbc0100cfaa9a447cd1dbf9c8e43005ddfd7cd9f7a6673326356df.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2520
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un158855.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un158855.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2396
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1926.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1926.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2240
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1008
              - Program crash
              PID: 4268
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9347.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9347.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4824
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2240 -ip 2240
  PID: 3292
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 4500
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 517KB
MD5: 644e0a00e26966700d4aa9c49ea566f6
SHA1: 6e8d7cb2412a3e5de9cb433f2fec099bc15c9765
SHA256: 1bb4159785d4f15280437dc2f85bd7083abdf21e4072415e0ed794e8b17b8f55
SHA512: 06943c6fc633da649abe8d41a2da034fa87c1b320182f3b302e5c7be69eabba080567851056edfd96f8188ad8900e8ea5cd6758ea27a1446af3bb3b6943af77e

Filesize: 295KB
MD5: 73a7bc45299443266313034556fa3415
SHA1: 448f61d070fa63ddb1019f215e082da450e8e8ac
SHA256: 1295bb9dd523ea7b0eccabafde2434065c81dc2e2414bd7be1fbbb34f7747955
SHA512: 99761b8dc12449229301b52fedd1aa7cf518699063dcba979bda890dde3899ad815f80eea6a26b700f7528071b4a69363183799f9409cf777e54080f719076d5

Filesize: 353KB
MD5: 0c329a4fb9a6eb905acca236fb7c7d61
SHA1: fe1be8b74d49839a99d88af9de2d448a7b01b457
SHA256: e0818aaf3bbd46d1296f0f82035e0c75c55828ad1307cbb4dc008d635695218f
SHA512: 662645269c6c43f47b9e929c14269bc8887f868e3d9b3832bf0d36f40264e12a4c72ec7a5dd23dd19a14e6d307c447340c31a557f9f5cb34edae60c0f165874b