Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11/11/2024, 06:54
Static task
static1
Behavioral task
behavioral1
Sample
c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe
Resource
win10v2004-20241007-en
General
-
Target
c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe
-
Size
683KB
-
MD5
788c35f252eccbdce632afb735d7abe1
-
SHA1
8761439dd6f893e60b8d09d18341a11b499b8717
-
SHA256
c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b
-
SHA512
7a5f042d983d0ddea6ddb8840c23259551cb008bdb4683dd1a0f69f763ca7ecca0c4e5ec46734ca5c9dab2568f814f7e05a15f83331556da656c609e60f47ccb
-
SSDEEP
12288:oMrhy90c/4dnRBdRY/u/mssfEKwMti4uUejmmLLbIwor:Jy1ADBdRY/4ztMju7mmLQwi
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Healer family
-
Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro5233.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro5233.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro5233.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro5233.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro5233.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro5233.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
Redline family
-
Executes dropped EXE 3 IoCs
- 752 un185745.exe
- 3724 pro5233.exe
- 2828 qu3540.exe
Windows security modification 2 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro5233.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro5233.exe)
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un185745.exe)
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
- 2664 sc.exe
Program crash 1 IoCs
- pid 3576, pid_target 3724, WerFault.exe, procid_target 84
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu3540.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un185745.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro5233.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- 3724 pro5233.exe
- 3724 pro5233.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, 3724 pro5233.exe
- Token: SeDebugPrivilege, 2828 qu3540.exe
Suspicious use of WriteProcessMemory 9 IoCs
- PID 540 wrote to memory of 752 (c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe, procid_target 83)
- PID 540 wrote to memory of 752 (c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe, procid_target 83)
- PID 540 wrote to memory of 752 (c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe, procid_target 83)
- PID 752 wrote to memory of 3724 (un185745.exe, procid_target 84)
- PID 752 wrote to memory of 3724 (un185745.exe, procid_target 84)
- PID 752 wrote to memory of 3724 (un185745.exe, procid_target 84)
- PID 752 wrote to memory of 2828 (un185745.exe, procid_target 99)
- PID 752 wrote to memory of 2828 (un185745.exe, procid_target 99)
- PID 752 wrote to memory of 2828 (un185745.exe, procid_target 99)
Processes
-
- C:\Users\Admin\AppData\Local\Temp\c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe (PID 540, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c644a77abfb0cc4cb387e2b9fe8b39d8e1ef666826d371176cc68b774738879b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un185745.exe (PID 752, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un185745.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5233.exe (PID 3724, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5233.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3576, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1084
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe (PID 2828, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3540.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 1524, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3724 -ip 3724
- C:\Windows\system32\sc.exe (PID 2664, depth 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
-
Filesize
541KB
MD5 947b20c003d0893737b10a8949eef54c
SHA1 fc26b5315430fe8cefb9c3afef792c0a222c5224
SHA256 10c55c4bb9d9639f19b1ad407f590010d9e9be3d31f0833bcd277c8aebb4b89b
SHA512 8250d5bafe67df1a9e21b4e599f28eede15f2f63a864e757d9b5f10c5dfaec2cc5a981283d54c9c922028b173ec95f53587da2de380f748b4cd0ae470af1dbfe
-
Filesize
321KB
MD5 2e81ac42e873b7f43d8656c3c425aca2
SHA1 113d9d1393be223b38a63298f11097f65ac919b5
SHA256 be53890a6b0163aacf5e184e385318eb619fbdd128f61efede67420bc2b7672c
SHA512 f31f98563d99000b78bd8195e15152f2df7bcd7e4c09d5436e449986c4f5ec7bc0510248adc33fb18d17e4ee65c5279741904f976e7f24d8a665b5ed36b14cc4
-
Filesize
380KB
MD5 7501371acf0524f7ddefddf3d6e131bd
SHA1 9c94b80c9b2ffe372600ef5c327a47cef72063ed
SHA256 e721bb015dd22024da291e16845909cee4cb8b3e47212efd1b129a9fc434c7c9
SHA512 5d9524017b7a4021551613e0d54aef6483efbea0b8ca2da32cfde67d69691f7dc693fc95295bc6c8a2c4a1fefc7e81cc07e019e3b0e53045b00779b2b9d0a23b