Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:52
Static task
static1
Behavioral task
behavioral1
Sample
7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe
Resource
win10v2004-20241007-en
General
-
Target
7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe
-
Size
655KB
-
MD5
2ed427569d36389c2d3cc3e83de750b1
-
SHA1
5d43d6c4fb0282b55455ad672910b1aa19da7027
-
SHA256
7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a
-
SHA512
58c163d86fee8ab096ba8b09239186af5cf1226c43e5a4474380f3295a203d96eef3c921edefdb7a1be30805108d6e1453cadb6543f834b654f27aaa127397e5
-
SSDEEP
12288:jMrpy90EhhVn7DF1gQcNiFbPSRaO+SxhVIpa2zGzz1divYxLGY+7:yyB7VfPgQLSVIprGdMvcC
Malware Config
Extracted
redline
lint
193.233.20.28:4125
-
auth_value
0e95262fb78243c67430f3148303e5b7
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
resource yara_rule behavioral1/files/0x000b000000023b5c-19.dat healer behavioral1/memory/1104-22-0x0000000000AE0000-0x0000000000AEA000-memory.dmp healer behavioral1/memory/4864-29-0x0000000002240000-0x000000000225A000-memory.dmp healer behavioral1/memory/4864-31-0x00000000024E0000-0x00000000024F8000-memory.dmp healer behavioral1/memory/4864-32-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-37-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-59-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-57-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-55-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-53-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-51-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-49-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-47-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-45-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-43-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-41-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-39-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-35-0x00000000024E0000-0x00000000024F2000-memory.dmp healer behavioral1/memory/4864-33-0x00000000024E0000-0x00000000024F2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" py27wT29.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" py27wT29.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ns5895NP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" py27wT29.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" py27wT29.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ns5895NP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ns5895NP.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection py27wT29.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" py27wT29.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection ns5895NP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ns5895NP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ns5895NP.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b5a-64.dat family_redline behavioral1/memory/4900-66-0x00000000006D0000-0x0000000000702000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 5 IoCs
pid Process 4212 will1640.exe 3360 will3596.exe 1104 ns5895NP.exe 4864 py27wT29.exe 4900 qs2268uq.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" ns5895NP.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features py27wT29.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" py27wT29.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" will1640.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" will3596.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3244 4864 WerFault.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language will1640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language will3596.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language py27wT29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qs2268uq.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1104 ns5895NP.exe 1104 ns5895NP.exe 4864 py27wT29.exe 4864 py27wT29.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1104 ns5895NP.exe Token: SeDebugPrivilege 4864 py27wT29.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4284 wrote to memory of 4212 4284 7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe 83 PID 4284 wrote to memory of 4212 4284 7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe 83 PID 4284 wrote to memory of 4212 4284 7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe 83 PID 4212 wrote to memory of 3360 4212 will1640.exe 84 PID 4212 wrote to memory of 3360 4212 will1640.exe 84 PID 4212 wrote to memory of 3360 4212 will1640.exe 84 PID 3360 wrote to memory of 1104 3360 will3596.exe 86 PID 3360 wrote to memory of 1104 3360 will3596.exe 86 PID 3360 wrote to memory of 4864 3360 will3596.exe 94 PID 3360 wrote to memory of 4864 3360 will3596.exe 94 PID 3360 wrote to memory of 4864 3360 will3596.exe 94 PID 4212 wrote to memory of 4900 4212 will1640.exe 98 PID 4212 wrote to memory of 4900 4212 will1640.exe 98 PID 4212 wrote to memory of 4900 4212 will1640.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe"C:\Users\Admin\AppData\Local\Temp\7e3024bb4f58e854289bcfe6c3ceef3f76351b448fc113c59e16541511176a8a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1640.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will1640.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3596.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3596.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns5895NP.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns5895NP.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py27wT29.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py27wT29.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 10805⤵
- Program crash
PID:3244
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs2268uq.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs2268uq.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4864 -ip 48641⤵PID:2528
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
469KB
MD50183d46462a8432048d5f444f574db2b
SHA19e3825047dd0501ad1689428266cff9484fae1d7
SHA256b90376e47e48635afe76a8834dc7f29d2cc687ad8f6d06eb19079a5783278ee0
SHA5128f77208fb827cd39fa0dc01a78dbbc7f80243229e99fd279e0632e61e2ba296f74e91fdd9faa0cfee770a3a3c6b060d1ea28b120610b387d663e202c9983c4cb
-
Filesize
175KB
MD50ecc8ab62b7278cc6650517251f1543c
SHA1b4273cda193a20d48e83241275ffc34ddad412f2
SHA256b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a
SHA512c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092
-
Filesize
324KB
MD516cb30859d491d214b0505385e3aec47
SHA1178f65874fdaaaaf882c637715b235fcf87da999
SHA256d2325b4e70c63535e7c79bce6d90317114ca41976473b871da355c3ca85df695
SHA512e8fdc0cb6bf11e9c35f64bd2c9d9ccdb26ed7e97cb3a33d76cee1c4bda68afee2e09050ed957f25642908b3338e2912adbc67dc873da2982edc366f689b0ed0d
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
225KB
MD5a568525b24c8343e56fe967268858cb0
SHA12e8fb5b3db9f552100e94ff1564f2acbf4e059e6
SHA256473dc23efc724f62a562b7585a1e5d760a027ca67d32d11b67139714633ca392
SHA512f233b1592cb0d3b3bec14cd08cc328a0337db58dda943e05ec4f1b111c09d6935435ff290c4bf3c3f94228fca335415fe8c134752ff3f99df7d76ac996908e5e