Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:53

Static task: static1
Behavioral task: behavioral1
Sample: 8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe
Resource: win10v2004-20241007-en

General

Target: 8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe
Size: 666KB
MD5: be074f58ad108656f2c23b4efbe3cd7f
SHA1: af3eda63e68dd0874ba412d9186db1fa353de729
SHA256: 8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b
SHA512: 9fe82beca0aceaf6cc3adaa3082b70c52ec95ebbff576cc8757be17be035abd45cc7831b8405552576d2847735fc3faaa2ac7db560e5c7561ecafaba7b7cc2d1
SSDEEP: 12288:LMrhy90ytASS6aW9rnX1r20CSn3aBWn8DrUUFK/wKpKGHHkTfWx:ey+7JsrdrXqBe8Drj0wSKeHT
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Process pro4997.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 4068: un781868.exe
- PID 3572: pro4997.exe
- PID 2940: qu9011.exe

Windows security modification
Process pro4997.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by 8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) by un781868.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Program crash (1 IoC)
- PID 3920 WerFault.exe, target PID 3572 (procid_target 84)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by qu9011.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by un781868.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by pro4997.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3572: pro4997.exe
- PID 3572: pro4997.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3572, pro4997.exe
- Token: SeDebugPrivilege, PID 2940, qu9011.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4284 wrote to memory of 4068 (8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe, procid_target 83)
- PID 4284 wrote to memory of 4068 (8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe, procid_target 83)
- PID 4284 wrote to memory of 4068 (8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe, procid_target 83)
- PID 4068 wrote to memory of 3572 (un781868.exe, procid_target 84)
- PID 4068 wrote to memory of 3572 (un781868.exe, procid_target 84)
- PID 4068 wrote to memory of 3572 (un781868.exe, procid_target 84)
- PID 4068 wrote to memory of 2940 (un781868.exe, procid_target 95)
- PID 4068 wrote to memory of 2940 (un781868.exe, procid_target 95)
- PID 4068 wrote to memory of 2940 (un781868.exe, procid_target 95)
Processes

C:\Users\Admin\AppData\Local\Temp\8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8587c68666dde7cded546a0707fdc98446e790f64ee893a14d04868716b2301b.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4284

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un781868.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un781868.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4068

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4997.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4997.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3572

            C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1100
            - Program crash
            PID: 3920

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9011.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9011.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2940

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3572 -ip 3572
PID: 4600
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads