Analysis

max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:48
Static task: static1
Behavioral task: behavioral1
Sample: 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe
Resource: win10v2004-20241007-en
General

Target: 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe
Size: 843KB
MD5: 2677847f25e916809f8fa4a514c18d21
SHA1: 9528074b7ef0ecacc22f247d6b7f099042959fe2
SHA256: 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1
SHA512: 07e8b78a9b43fae74ff2ac9c8ca4ee6fd695a806935fa666f28173e13b4b9a271e648788c7d7bc5c152d4f43b10f7663c8bc62beac34307baa998a3edca3fd87
SSDEEP: 12288:qMr5y90jD3+7DFcAa0iHe3mSv7OgI2JzqWDGP7ouQAQL07urLKKH:jy66o0Ae3mSvqgTzqWDGDonV02mKH
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/1612-24-0x00000000025A0000-0x00000000025BA000-memory.dmp | healer
behavioral1/memory/1612-26-0x0000000004B90000-0x0000000004BA8000-memory.dmp | healer
behavioral1/memory/1612-28-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-30-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-54-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-52-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-50-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-48-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-46-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-44-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-42-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-40-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-38-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-36-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-34-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-32-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
behavioral1/memory/1612-27-0x0000000004B90000-0x0000000004BA2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr159610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr159610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr159610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr159610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr159610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr159610.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)

resource | yara_rule
behavioral1/memory/4416-63-0x00000000024A0000-0x00000000024E6000-memory.dmp | family_redline
behavioral1/memory/4416-64-0x0000000002640000-0x0000000002684000-memory.dmp | family_redline
behavioral1/memory/4416-84-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-98-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-96-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-94-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-92-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-90-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-88-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-86-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-82-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-80-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-79-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-76-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-74-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-72-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-70-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-68-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-66-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline
behavioral1/memory/4416-65-0x0000000002640000-0x000000000267F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (4 IoCs)

pid | Process
2028 | un060011.exe
3028 | un930381.exe
1612 | pr159610.exe
4416 | qu665612.exe

Windows security modification

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr159610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr159610.exe
Adds Run key to start application (2 TTPs, 3 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un060011.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un930381.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
3672 | 1612 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

Attempts to gather information about the system language of a victim host in order to infer its geographical location.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un930381.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr159610.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu665612.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un060011.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
1612 | pr159610.exe
1612 | pr159610.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 1612 | pr159610.exe
Token: SeDebugPrivilege | 4416 | qu665612.exe

Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 1216 wrote to memory of 2028 | 1216 | 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe | 85
PID 1216 wrote to memory of 2028 | 1216 | 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe | 85
PID 1216 wrote to memory of 2028 | 1216 | 6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe | 85
PID 2028 wrote to memory of 3028 | 2028 | un060011.exe | 86
PID 2028 wrote to memory of 3028 | 2028 | un060011.exe | 86
PID 2028 wrote to memory of 3028 | 2028 | un060011.exe | 86
PID 3028 wrote to memory of 1612 | 3028 | un930381.exe | 87
PID 3028 wrote to memory of 1612 | 3028 | un930381.exe | 87
PID 3028 wrote to memory of 1612 | 3028 | un930381.exe | 87
PID 3028 wrote to memory of 4416 | 3028 | un930381.exe | 100
PID 3028 wrote to memory of 4416 | 3028 | un930381.exe | 100
PID 3028 wrote to memory of 4416 | 3028 | un930381.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6b1d61302097fd392dd7d184c63f960a424435656c48855cdfd4f9f1637370c1.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1216

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un060011.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un060011.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2028

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un930381.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un930381.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3028

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr159610.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr159610.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1612

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1064
        - Program crash
        PID: 3672

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665612.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu665612.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4416

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1612 -ip 1612
PID: 4324
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 661KB
MD5: ca08b1778ca80ae766a64d25c5eb2570
SHA1: f10eab9bc1f380272b46ffe2e452a5d7c39fb8ad
SHA256: d50a47793fd00d51f8cced65c1175ce35be23cf9c97abe63d70d90680730209a
SHA512: 9f39208acc1f03d5fb98ce0804d1e7cca17b98f40df4d7894fa5260ec8f161ea4a62828c769ddd38a2ca0e155622c8274fbfb5ebcce864d2540b628a1e7e69b1

Filesize: 519KB
MD5: eed9003fe9ec552daf100bfb507d4c70
SHA1: c079d090da93ef0c7b316448e022b652557606d8
SHA256: ea634cbea1de3f0e9ec9de16a2dc1b568dec7856d0412e32326879c6948cdf8d
SHA512: 838a8901bbeb385d5ecc18630504f8ab1eb2b1f6707ee2e4e56bdf8067efc582611c7cc4eee3cd37dc44e3c5c4c0039fa74bfc0ac7d673c0f7ed9d77f12a1a45

Filesize: 239KB
MD5: d2f329aaf70c3fabe91ea43e49e76fac
SHA1: ad977f1e96bbb6a24413a09260779dbc677726cf
SHA256: 2aaa4291031fcfa2e9e22aca1e4ebfcee266071a3a77179fbf25d57168e1940a
SHA512: 20c4e0d28c01eea4fc94835f55b14c3665501574f7183a26501680477ed45875a0805eb292db54e5c31252f84c4e83f56683d522ae30689b46a5fb66d0a874e9

Filesize: 299KB
MD5: 73eb807b11d623b3a098166d4a04198a
SHA1: 6f1241480bad72feb4a42074bd511663ef97b884
SHA256: 16c55b36981c0e0a9a1575abc3bea8574ac8cef3ae3083bac0ab3e5928d43a69
SHA512: 236415409adb111c5270c8da5cc276fec351de76126b2c78575be9edd67faa8de53027aab4e957098d21a72578eca6131dae9b67c1359a9404bbc3d9b2022c2b