Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:00
Static task: static1
Behavioral task: behavioral1
Sample: 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe
Resource: win10v2004-20241007-en
General

Target: 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe
Size: 688KB
MD5: a0b2cd62e42ee367321dd6c7f9ed70a3
SHA1: f8a458882ccf150f5df8a458c2573d32aa6e1a36
SHA256: 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28
SHA512: c0f5c1e092dd50feed309aaf5c47d2305bceda421c10d8bb7801934882a86124f4425ad33acee59804499c42f2bb740451fa77970ce41b3f944cf67ae1cf9506
SSDEEP: 12288:EMrgy90+GJv04UQzewmtslK12McU50Q3g5pRJJWz23ko26JSKpVnuf3cfX:8y9GJvfUDVClKgM35t3g5pYzxo2ISoVh
Malware Config

Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8187.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8187.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8187.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8187.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8187.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8187.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
1740 | un743290.exe
1364 | pro8187.exe
1712 | qu0503.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8187.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8187.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un743290.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
428 | 1364 | WerFault.exe | 84

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un743290.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro8187.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu0503.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1364 | pro8187.exe
1364 | pro8187.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1364 | pro8187.exe
Token: SeDebugPrivilege | 1712 | qu0503.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2608 wrote to memory of 1740 | 2608 | 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe | 83
PID 2608 wrote to memory of 1740 | 2608 | 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe | 83
PID 2608 wrote to memory of 1740 | 2608 | 83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe | 83
PID 1740 wrote to memory of 1364 | 1740 | un743290.exe | 84
PID 1740 wrote to memory of 1364 | 1740 | un743290.exe | 84
PID 1740 wrote to memory of 1364 | 1740 | un743290.exe | 84
PID 1740 wrote to memory of 1712 | 1740 | un743290.exe | 98
PID 1740 wrote to memory of 1712 | 1740 | un743290.exe | 98
PID 1740 wrote to memory of 1712 | 1740 | un743290.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83b468de9174597980dc06b727e9b9dd3bc30c419700e7fb8d6d75802d21cc28.exe"
  PID: 2608
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un743290.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un743290.exe
    PID: 1740
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8187.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8187.exe
      PID: 1364
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1004
        PID: 428
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0503.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0503.exe
      PID: 1712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1364 -ip 1364
  PID: 3392
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 546KB
MD5: 552e323580e67a24ec8775ae87f86bd0
SHA1: baa87541179b70e56e6eaa9a5c85b0de5fc596b9
SHA256: c38422d0ae3582113db4f634dbedb434f51de9dbc29cc2e187a5d96e29171af9
SHA512: c3e5a2708b6e9517ac0441ef2d08bd69317a41479a334942ada26859ef930a6d6b37e4eff8e816bba21d865a22a2bd6b0674c814ad27a11368e593740d503d99

Filesize: 328KB
MD5: 55786364c8f9dfc969dc5b09d752010a
SHA1: b860fae2dc6c32ed4c91f9dd4c805418c1b5783b
SHA256: 2d535783522e623d1a4ec2d67485360097ce918096349523eeb619c33981c8d9
SHA512: b99b68d4659e0446ec816fde1eb25bde4bad00c8bec559d51e33b3b7ef1e6d839fcbf47e3e6f9a452080b5b13e80cd98725cd5e3647b52d1e17d0d86c1db3be7

Filesize: 385KB
MD5: e0365c458211f9d45396fef47c221773
SHA1: b7623db1d1bcc2cee7d1d1961570f4574a7b3273
SHA256: fd2bdbefa5a05fbb7712d48bb33655eb732e19e14f6c4f13cae467bd1511c835
SHA512: c72f0752f7cc4d265b24a4c25fe4bcb31d359f0492bb43daef38ec1a3c857cd0e174ec4e0366c7ee24299bdab1da226f17cd6d00d98956c60aa94560120e6af0