Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 05:56
Static task
static1
Behavioral task
behavioral1
Sample
4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe
Resource
win10v2004-20241007-en
General
-
Target
4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe
-
Size
660KB
-
MD5
1d3010b2ead0c5d3b760bfeacd92f78a
-
SHA1
d8803b06ce5ed58b48f1e1cf1738f6f4d8005578
-
SHA256
4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb
-
SHA512
d73e6066ee242221b75f5b82d4400964c48287a5495d91a7d13f2e205d130a8ff6f86c7fb26542344250b72748723d5d76d1c538cd494b360a59243f5630a826
-
SSDEEP
12288:UMrTy90Ex9QDC1mgLrixy+cWQG6LfvG2v5R8uP0MsxrLi5iUaWP5G5OjK:fyJ0YmgSERfbLXG2v5/PZsx65iU5wMe
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2712-19-0x0000000002310000-0x000000000232A000-memory.dmp healer behavioral1/memory/2712-21-0x0000000004A40000-0x0000000004A58000-memory.dmp healer behavioral1/memory/2712-27-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-49-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-47-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-45-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-43-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-41-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-39-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-37-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-35-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-33-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-31-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-30-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-25-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-23-0x0000000004A40000-0x0000000004A52000-memory.dmp healer behavioral1/memory/2712-22-0x0000000004A40000-0x0000000004A52000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro0337.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro0337.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro0337.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro0337.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro0337.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro0337.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4336-60-0x0000000002610000-0x0000000002656000-memory.dmp family_redline behavioral1/memory/4336-61-0x0000000004B10000-0x0000000004B54000-memory.dmp family_redline behavioral1/memory/4336-69-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-77-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-95-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-93-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-91-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-89-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-87-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-83-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-81-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-79-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-75-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-73-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-71-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-67-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-85-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-65-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-63-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline behavioral1/memory/4336-62-0x0000000004B10000-0x0000000004B4F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4572 un444467.exe 2712 pro0337.exe 4336 qu2786.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro0337.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro0337.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un444467.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2016 2712 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language un444467.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro0337.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu2786.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2712 pro0337.exe 2712 pro0337.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2712 pro0337.exe Token: SeDebugPrivilege 4336 qu2786.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 544 wrote to memory of 4572 544 4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe 83 PID 544 wrote to memory of 4572 544 4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe 83 PID 544 wrote to memory of 4572 544 4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe 83 PID 4572 wrote to memory of 2712 4572 un444467.exe 84 PID 4572 wrote to memory of 2712 4572 un444467.exe 84 PID 4572 wrote to memory of 2712 4572 un444467.exe 84 PID 4572 wrote to memory of 4336 4572 un444467.exe 95 PID 4572 wrote to memory of 4336 4572 un444467.exe 95 PID 4572 wrote to memory of 4336 4572 un444467.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe"C:\Users\Admin\AppData\Local\Temp\4c7b5413a29a64ac83ba954eb34c525291b03a6c4f9439971d86682b40abd8bb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un444467.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un444467.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0337.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0337.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 10884⤵
- Program crash
PID:2016
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2786.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2786.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2712 -ip 27121⤵PID:3260
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
518KB
MD5a9dccb806d82a1fbe7f3e147e21d15dc
SHA116272c6a436f39afc95a39146337ee33c27a354f
SHA2561c42d8e4270428bff400254906bc44cb2b8bfd1086a017ecac1d0fd7a3b420ee
SHA512c6aab3eafd82fce8e58ae76de236f5af5979b2a89e89222a3e77b8c803efa60b356298abfdc13b4574a012fbc756c3bc1dbfdfcec04e033e093d748bedf68f58
-
Filesize
236KB
MD5d6dd8adaf533d598654687c1de1cc7a8
SHA127b2f9b9eada468e68224ce5504745d60646754c
SHA256695f504e2599a621205542fa25fec0f689f4333ca60c71b900e1e2982c111292
SHA5124745f52a8f8f4271d216d8baed230ca365d882c5e5a6f361681e20b3a2a901e68eb4bec45c7b0cdc453b3897ab9e452f95a1c9ed3280ebc64ece752e236d40c8
-
Filesize
295KB
MD5b7e95934023f18e2d9e2e7c6ab993f3e
SHA1dc0de043bf35d877b1f66990c5f185ee10ab36f4
SHA2568607fdab86d8dc48e11cc9eb9440fca0b7053d008a1a9ab3acd547ee8b593d85
SHA5124e435cd693c2499753f71b3403a0ef3043ac55b3dc59485c7c69bc840efbfde69343778440b36cd2da6b5a8b3e853035a8910bed8fb34a513500299df22bb5a2