Analysis
max time kernel: 120s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12/11/2024, 19:46
Static task: static1
Behavioral task: behavioral1
Sample: 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe
Resource: win10v2004-20241007-en
General
Target: 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe
Size: 647KB
MD5: 03e5533da45e3bd236f264df6b76b480
SHA1: 4425a5b40a3183b4281246361b5cd51f42a17a62
SHA256: 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180
SHA512: 365abc19bee3bf68b0c77e49c1c531eb698755d67ef73b002b93e8081ee547e7c3fb5edd1d7ff604aa1c184f4fbdb9b64d248ba20a84535aa6737c70ee2b557c
SSDEEP: 12288:mMrNy90GZ7vUk/xTUvaMALJ3HWmTfPBkpZJZjmOrrIcJy4ywQ4EPAGpz6oUtEy:DyHNUkKZi3n3cLr1bzjmLQCy
Malware Config
Extracted
redline
norm
77.91.124.145:4125
auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource yara_rule
behavioral1/memory/1668-12-0x0000000002470000-0x000000000248A000-memory.dmp healer
behavioral1/memory/1668-14-0x0000000002510000-0x0000000002528000-memory.dmp healer
behavioral1/memory/1668-41-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-38-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-36-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-34-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-33-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-42-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-30-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-28-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-26-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-24-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-22-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-20-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-18-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-16-0x0000000002510000-0x0000000002522000-memory.dmp healer
behavioral1/memory/1668-15-0x0000000002510000-0x0000000002522000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro7535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro7535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro7535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro7535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro7535.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro7535.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 3 IoCs
resource yara_rule
behavioral1/memory/5000-2139-0x0000000005420000-0x0000000005452000-memory.dmp family_redline
behavioral1/files/0x000c000000022719-2144.dat family_redline
behavioral1/memory/5632-2152-0x0000000000A70000-0x0000000000AA0000-memory.dmp family_redline
Redline family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation qu6501.exe
Executes dropped EXE 3 IoCs
pid Process
1668 pro7535.exe
5000 qu6501.exe
5632 1.exe
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro7535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro7535.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid pid_target Process procid_target
2584 1668 WerFault.exe 83
5784 5000 WerFault.exe 96
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pro7535.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu6501.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1668 pro7535.exe
1668 pro7535.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 1668 pro7535.exe
Token: SeDebugPrivilege 5000 qu6501.exe
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 5112 wrote to memory of 1668 5112 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe 83
PID 5112 wrote to memory of 1668 5112 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe 83
PID 5112 wrote to memory of 1668 5112 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe 83
PID 5112 wrote to memory of 5000 5112 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe 96
PID 5112 wrote to memory of 5000 5112 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe 96
PID 5112 wrote to memory of 5000 5112 8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe 96
PID 5000 wrote to memory of 5632 5000 qu6501.exe 97
PID 5000 wrote to memory of 5632 5000 qu6501.exe 97
PID 5000 wrote to memory of 5632 5000 qu6501.exe 97
Processes
C:\Users\Admin\AppData\Local\Temp\8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f55a9b58d5fc80b05ca37070b74b9742c4e802f4896c8bcc846026a26a5d180N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7535.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7535.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1668
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1080
          - Program crash
          PID:2584
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6501.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6501.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:5000
        C:\Windows\Temp\1.exe
          Command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:5632
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1516
          - Program crash
          PID:5784
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1668 -ip 1668
  PID:2416
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5000 -ip 5000
  PID:5700
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
Filesize: 252KB
MD5: 5afd8481fd0a6c5b6a5841a61e1e67bc
SHA1: a9fa758ec4922c23eafd54c789d14ce34617a438
SHA256: 5918a68b9c1fcba339cf993563a58c9c374bdfbbd083afc29c152a2f6a1af90b
SHA512: af0a0fa0ed61bdb2d03c35a325bbdf9f9e950dcc343788bb46249d01170be4590db977de4e4689e9de228791723b006bf905ff85c2194ec6ace963a576b3c181

Filesize: 435KB
MD5: 258306eedb76ec706475e8dca32c2be6
SHA1: acf4f5734fa75016eecf937a2ccebd1d5f9aa014
SHA256: 476feb2532dd371912066c303eee372322990f66b3ed17047abd5c64137776d6
SHA512: 9b59d4202eabbfc1a08001990487ec5af85f8a83ecb19714cb25152c034b95dc1fe4b494aed47f1147afc01b4e1503fe5a2bfe4bf62093b49c4685ec8132e868

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0