Analysis

max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:56

Static task: static1
Behavioral task: behavioral1
Sample: e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe
Resource: win10v2004-20241007-en
General

Target: e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe
Size: 689KB
MD5: ca4fafa48f64ff208b0f8d82861dd3f9
SHA1: fe7fe63037b4a59f925f4b8041436c75abfd82a0
SHA256: e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c
SHA512: db58644fe0a15da1221d97404c4a5b63bab52203a6895d0892bad099744ed0e0c44f1f598cfca0d1781a279e60a40e93b2dca45829f97587f90b827b9fb562c3
SSDEEP: 12288:tMray9056S/AiGoAPRIk1Vmhw9jfB43xBYMJKb51a59+nGI81:XyNgwP/mhw9V4hiM4LvZu
Malware Config

Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/1828-18-0x00000000049E0000-0x00000000049FA000-memory.dmp | healer
behavioral1/memory/1828-20-0x0000000004AE0000-0x0000000004AF8000-memory.dmp | healer
behavioral1/memory/1828-34-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-48-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-47-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-44-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-42-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-40-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-38-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-36-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-30-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-28-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-26-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-24-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-22-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-21-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
behavioral1/memory/1828-32-0x0000000004AE0000-0x0000000004AF2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7684.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7684.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7684.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7684.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7684.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7684.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/4048-60-0x0000000004B00000-0x0000000004B46000-memory.dmp | family_redline
behavioral1/memory/4048-61-0x0000000004D00000-0x0000000004D44000-memory.dmp | family_redline
behavioral1/memory/4048-95-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-89-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-62-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-93-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-91-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-87-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-85-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-83-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-81-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-79-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-77-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-75-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-73-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-71-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-69-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-67-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-65-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline
behavioral1/memory/4048-63-0x0000000004D00000-0x0000000004D3F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2024 | unio3011.exe
1828 | pro7684.exe
4048 | qu2711.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7684.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7684.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio3011.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2424 | 1828 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu2711.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio3011.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro7684.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1828 | pro7684.exe
1828 | pro7684.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1828 | pro7684.exe
Token: SeDebugPrivilege | 4048 | qu2711.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4728 wrote to memory of 2024 | 4728 | e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe | 83
PID 4728 wrote to memory of 2024 | 4728 | e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe | 83
PID 4728 wrote to memory of 2024 | 4728 | e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe | 83
PID 2024 wrote to memory of 1828 | 2024 | unio3011.exe | 84
PID 2024 wrote to memory of 1828 | 2024 | unio3011.exe | 84
PID 2024 wrote to memory of 1828 | 2024 | unio3011.exe | 84
PID 2024 wrote to memory of 4048 | 2024 | unio3011.exe | 95
PID 2024 wrote to memory of 4048 | 2024 | unio3011.exe | 95
PID 2024 wrote to memory of 4048 | 2024 | unio3011.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5904b9f9a74908442cf428e4a8c4f66359a984d44c7ad6ebdb4fb22a27ccc0c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4728

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3011.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3011.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2024

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7684.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7684.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1828

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1080
        - Program crash
        PID: 2424

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2711.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2711.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4048

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1828 -ip 1828
  PID: 856
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 547KB
MD5: 81d3aca19cf873f1c5f4e6d42d30e0fc
SHA1: c272b994817a7c04d0f3d4a68b89d5803ad57492
SHA256: b801b2c5b5ec3320b10aaf892a6ac80fb3080db095b1254afda156c4d5c463a5
SHA512: da20dc26075195e5f76440681759632c4b4ed2c04fdb206c0ae37575acf6932200dd32adc2ed157a4f9d9922b6701979d541e7d8d52010ab0d23d9d80e72ba4f

Filesize: 329KB
MD5: ef5746e07b3b0b20fbb5675e0cf99a63
SHA1: 9460fe180039c787d43718896af6a8a97c5cd8d8
SHA256: 0f787a8c2446dc085ee252af0076b9b289c372406222dbb2c68aab1a7b6b802e
SHA512: c1a07f429ee5ed16ad399ce847d049eed0cc632150dbae5747bbe4c5c9cbbba8c3071b9947fb0036329ebd644fc73993432de112c8a2076c2dd4854161d2cf0a

Filesize: 386KB
MD5: 9488cf6d0ebacaed3940bc22898be251
SHA1: 1669e5adb0bb34501b10d26dedb5c34cf1a7ca3e
SHA256: 743f312f736ddb24ba61750f7b9fb17ef2e707fd2e4f8b8c038735d79ed68c0d
SHA512: 3027eae88eb3a31fba5937d542243694f2414c5e078b9867d00d2315d0704611ec2ce16f78970b4b3f76fc4279f93182578cfd646510624f42b4a12d6f6ef98e