Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:01
Static task: static1
Behavioral task: behavioral1
  Sample: 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe
  Resource: win10v2004-20241007-en
General
Target: 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe
Size: 682KB
MD5: 8ab8ef52ecf8ee794ceb8e8b83dd7e32
SHA1: 7bcbb719d8c6a49839f685ddbc10432f5bc2a5e0
SHA256: 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219
SHA512: ebf4a1414bdccf48f1d7d71b6d9d2d4733137835819c6be0a9e367d52ce2a12ca71f6f1e047e9c60b55c2e36e7cf1801cc1535f517d32a112ea052190a58b0c4
SSDEEP: 12288:3Mrdy90bnGrUVU/EhznEN68fwiGPE49N+9I39bQgEt+uGMmzCuhhagW:KyqnG4VUsLKrz0E43u6vE8u3iNW
Malware Config
Extracted
Family: redline
Botnet: stek
C2: melevv.eu:4162
auth_value: 4205381daf6946b2df5fe3bc7eacc918
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | urVl47CN02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | urVl47CN02.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | urVl47CN02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | urVl47CN02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | urVl47CN02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | urVl47CN02.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2236 | ychI61Wo47.exe
4996 | urVl47CN02.exe
920 | wrJh16Zo47.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | urVl47CN02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | urVl47CN02.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ychI61Wo47.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3656 | 4996 | WerFault.exe | 85

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ychI61Wo47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | urVl47CN02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wrJh16Zo47.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4996 | urVl47CN02.exe
4996 | urVl47CN02.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4996 | urVl47CN02.exe
Token: SeDebugPrivilege | 920 | wrJh16Zo47.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1244 wrote to memory of 2236 | 1244 | 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe | 83
PID 1244 wrote to memory of 2236 | 1244 | 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe | 83
PID 1244 wrote to memory of 2236 | 1244 | 9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe | 83
PID 2236 wrote to memory of 4996 | 2236 | ychI61Wo47.exe | 85
PID 2236 wrote to memory of 4996 | 2236 | ychI61Wo47.exe | 85
PID 2236 wrote to memory of 4996 | 2236 | ychI61Wo47.exe | 85
PID 2236 wrote to memory of 920 | 2236 | ychI61Wo47.exe | 98
PID 2236 wrote to memory of 920 | 2236 | ychI61Wo47.exe | 98
PID 2236 wrote to memory of 920 | 2236 | ychI61Wo47.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe (PID 1244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a74e739722e9f66f96e6310ab51d850fbaa1bb71aca886875707dda1a24b219.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ychI61Wo47.exe (PID 2236)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ychI61Wo47.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVl47CN02.exe (PID 4996)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urVl47CN02.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 3656)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrJh16Zo47.exe (PID 920)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrJh16Zo47.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 2712)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4996 -ip 4996
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads