Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:48
Static task: static1
Behavioral task: behavioral1
Sample: 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe
Resource: win10v2004-20241007-en
General
Target: 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe
Size: 660KB
MD5: 47707e3e0cb89e8791e6df3acfdbc993
SHA1: e77733696626cd37a1059b18b061a18c3a95cf38
SHA256: 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874
SHA512: da5f5668b22a06d0d2ad5be233e5009f52152fa946d3d4dd8eae0ce1b754b7c8c1149dfad79c0df94fc34e418b8f754c886f4bf95d27e840bb2e7ef09038ffec
SSDEEP: 12288:BMrDy907518dh4ozllk4nfJ9LDPARQ50e3p90fsNrLiciZaWPgVcbmViYm:iyKXQh/zllkU9LD6Q5NZ9GsN6ciZ5kcP
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/3988-19-0x0000000002310000-0x000000000232A000-memory.dmp | healer
behavioral1/memory/3988-21-0x0000000002380000-0x0000000002398000-memory.dmp | healer
behavioral1/memory/3988-22-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-29-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-49-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-47-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-45-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-44-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-41-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-37-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-35-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-33-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-31-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-27-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-25-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-23-0x0000000002380000-0x0000000002392000-memory.dmp | healer
behavioral1/memory/3988-39-0x0000000002380000-0x0000000002392000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7513.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7513.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7513.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7513.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7513.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7513.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/1236-61-0x00000000024D0000-0x0000000002516000-memory.dmp | family_redline
behavioral1/memory/1236-62-0x0000000004AA0000-0x0000000004AE4000-memory.dmp | family_redline
behavioral1/memory/1236-66-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-72-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-70-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-68-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-82-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-64-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-63-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-96-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-94-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-92-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-90-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-88-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-86-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-84-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-80-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-78-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-76-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline
behavioral1/memory/1236-74-0x0000000004AA0000-0x0000000004ADF000-memory.dmp | family_redline

Redline family
Executes dropped EXE 3 IoCs
pid | Process
4852 | un166845.exe
3988 | pro7513.exe
1236 | qu8817.exe

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7513.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7513.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un166845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3404 | 3988 | WerFault.exe | 86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un166845.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro7513.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu8817.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3988 | pro7513.exe
3988 | pro7513.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3988 | pro7513.exe
Token: SeDebugPrivilege | 1236 | qu8817.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1588 wrote to memory of 4852 | 1588 | 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe | 85
PID 1588 wrote to memory of 4852 | 1588 | 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe | 85
PID 1588 wrote to memory of 4852 | 1588 | 3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe | 85
PID 4852 wrote to memory of 3988 | 4852 | un166845.exe | 86
PID 4852 wrote to memory of 3988 | 4852 | un166845.exe | 86
PID 4852 wrote to memory of 3988 | 4852 | un166845.exe | 86
PID 4852 wrote to memory of 1236 | 4852 | un166845.exe | 95
PID 4852 wrote to memory of 1236 | 4852 | un166845.exe | 95
PID 4852 wrote to memory of 1236 | 4852 | un166845.exe | 95
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3ed432e444f1ffc3dd622c9967602ad55651995e12db2ff630bc0d7b9662b874.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1588

   depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un166845.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4852

      depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7513.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 3988

         depth 4: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1084
            - Program crash
            PID: 3404

      depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8817.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 1236

depth 1: C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3988 -ip 3988
   PID: 1552
Network
MITRE ATT&CK Enterprise v15
Persistence
   Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
   Create or Modify System Process (1)
      Windows Service (1)
Downloads

Filesize: 518KB
MD5: ff82513d4ab62580ba819cfd17d4d03b
SHA1: 70b750f8fd5a4c874f45c0c7ea1ba4e285237973
SHA256: 9dd9bf0345e46b13b0d67ff0b29bc31015fda6d30685afdee6e400cbd6a6efc6
SHA512: 6851c870be753e60111620617565bf7160eff5b5b295b945f0a2a697e97babd8269f69758d7469aedda0b37e0e0363592879e022986f07f5f1c7d985b8f80343

Filesize: 236KB
MD5: 34cd1b5b9913a60bd4cf52d251f34cad
SHA1: 8f3a4d03e205e37b508e3814aa108cd055265757
SHA256: 0765baeb28ff84e372d5ebc6df2e0ee31378f76546b040b531bdf48a4d615938
SHA512: 9eb686159554970c6913b9f92887914be1067b07f9cf68b9025e65de6aeb10a42e09ae1d0fabd3fc9f2dc8c2756619becf50492e1897f41baa8c8f74b2039909

Filesize: 295KB
MD5: 186c74475e74be37fa4a0270b661dc1e
SHA1: 9cae0e0f14039347e1fb7ffc260453c68ff9d1bb
SHA256: 0166fec5b379d176639b1e3ecfb6881b1f143580c3cd6c09ff45e0c9d983ae04
SHA512: f65b920186b7b6475125314430c6cb72741ff43f2a30f4aeb60c0045646b51179c76725bec5cddc68cda4f9139c17ea96bfff45e94265452aaddbfff594f3869