Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 06:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe
- Resource: win10v2004-20241007-en
General
- Target: 9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe
- Size: 689KB
- MD5: cbfde2223c428839f0b4c13e2fa5a109
- SHA1: d2713ab644c72d0394befdc1b11cb76dc0c63c7c
- SHA256: 9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed
- SHA512: 3dee57201a7dbbea23cd5bd5b56c5c783e9af95586e6fb7bc5f58007686e92f873644127256efd5a3fcf46bd2e821d8b35136ce5e8c5875280d31bcbda748714
- SSDEEP: 12288:EMrKy903+6TK78iqaZIpCkdzLngimYh1oID43xBYMOKbcxXolf+IAhQDHXps7:+yr4XU1kdzLn51fD4hiMTIx4QoHXps7
Malware Config
Extracted
- Family: redline
- Botnet: boris
- C2: 193.233.20.32:4125
- auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
(resource, yara_rule)
- behavioral1/memory/4900-18-0x0000000004680000-0x000000000469A000-memory.dmp (healer)
- behavioral1/memory/4900-20-0x00000000048B0000-0x00000000048C8000-memory.dmp (healer)
- behavioral1/memory/4900-21-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-48-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-46-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-44-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-42-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-41-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-38-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-36-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-34-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-32-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-30-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-26-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-24-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-22-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
- behavioral1/memory/4900-28-0x00000000048B0000-0x00000000048C2000-memory.dmp (healer)
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
(description, ioc, Process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro8576.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro8576.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro8576.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro8576.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro8576.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro8576.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
(resource, yara_rule)
- behavioral1/memory/1628-61-0x0000000007770000-0x00000000077B4000-memory.dmp (family_redline)
- behavioral1/memory/1628-60-0x0000000004890000-0x00000000048D6000-memory.dmp (family_redline)
- behavioral1/memory/1628-77-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-79-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-95-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-93-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-91-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-89-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-87-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-85-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-83-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-81-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-75-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-73-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-72-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-69-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-67-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-65-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-63-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
- behavioral1/memory/1628-62-0x0000000007770000-0x00000000077AF000-memory.dmp (family_redline)
Redline family

Executes dropped EXE 3 IoCs
(pid, Process)
- 1360 unio7007.exe
- 4900 pro8576.exe
- 1628 qu5879.exe

Windows security modification 2 IoCs
(description, ioc, Process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro8576.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro8576.exe)
Adds Run key to start application 2 TTPs 2 IoCs
(description, ioc, Process)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (unio7007.exe)
Program crash 1 IoCs
(pid, pid_target, Process, procid_target)
- 4992, 4900, WerFault.exe, 86
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
(description, ioc, Process)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (unio7007.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro8576.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu5879.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
(pid, Process)
- 4900 pro8576.exe
- 4900 pro8576.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
(description, pid, Process)
- Token: SeDebugPrivilege, 4900, pro8576.exe
- Token: SeDebugPrivilege, 1628, qu5879.exe

Suspicious use of WriteProcessMemory 9 IoCs
(description, pid, Process, procid_target)
- PID 636 wrote to memory of 1360 (636 9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe, target 85)
- PID 636 wrote to memory of 1360 (636 9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe, target 85)
- PID 636 wrote to memory of 1360 (636 9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe, target 85)
- PID 1360 wrote to memory of 4900 (1360 unio7007.exe, target 86)
- PID 1360 wrote to memory of 4900 (1360 unio7007.exe, target 86)
- PID 1360 wrote to memory of 4900 (1360 unio7007.exe, target 86)
- PID 1360 wrote to memory of 1628 (1360 unio7007.exe, target 99)
- PID 1360 wrote to memory of 1628 (1360 unio7007.exe, target 99)
- PID 1360 wrote to memory of 1628 (1360 unio7007.exe, target 99)
Processes
- C:\Users\Admin\AppData\Local\Temp\9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b9bf5c19c528282e0c88ecc3b36e181b6d8f38b6f7a9f766dd37f1bdb64a7ed.exe"
  PID: 636
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7007.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7007.exe
    PID: 1360
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8576.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8576.exe
      PID: 4900
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1084
        PID: 4992
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5879.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5879.exe
      PID: 1628
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4900 -ip 4900
  PID: 2840
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 547KB
  MD5: feaef5e6aed1295ff920f087b839df88
  SHA1: 6730b405f750f0af4251e398d04f40e8a8d3d1e4
  SHA256: 1d85e64bf132cae7f3059eae62e650aa26460a874719b5019638a20a464111a9
  SHA512: 0f8eca5399e736197e25ccb650aa9947d21889aaacef44cbadb9a03b457352c3a9d7b396efd8a5ae8092bab41c9790ff0db521ccf5f36959bd5b9e2b75923868
- Filesize: 329KB
  MD5: 5afa900c6d3e420aa4ba6c863df5c50a
  SHA1: 1dac2c61e005d2be34d7d1f5d0591681bc4e97f8
  SHA256: 55799900454f748982d22eda736d4434179853177fb5d903ab19551879c1dca4
  SHA512: 5b08a2bfd40078167b61aa527f60ea8a765a1af26dc0e4a639e7aa9eb938dd61c12545c0ef08cb84170cf6e82dd3470c8ed9045dc11e625210b4598f80708701
- Filesize: 386KB
  MD5: 11adf9b51540b70184cd09eddd0ddd5e
  SHA1: 0291cd603d4e06994ecd311fbcd9e3d196c271da
  SHA256: 11f00770994397337647b3881fdb1fb92cfe018abfb841853f46325b2618b280
  SHA512: dd20a50e2e517b0f543cfe7e66d43ba925be02f9514d75bcddf3c3b20b38461a1a74c0e72371e3fcd5801f5983cf69c6975e9842c6589d7fd536e18b7a1594db