Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 12:37
Static task: static1
Behavioral task: behavioral1
Sample: 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe
Resource: win10v2004-20241007-en
General
Target: 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe
Size: 524KB
MD5: b1e124ed78d5247ceae168381b631491
SHA1: 5bd09a93ae0b765e499d516df3fd949bfba209ca
SHA256: 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248
SHA512: b835c7031135da4e306004cf22acba5756f2c8a1efbf3238fd51b193333b9cb66f2f37d697b77de7229ded7cc22c6f7d8cf8f02fe718c0de316a420410c94547
SSDEEP: 12288:dMrLy90D5SKy3IKAE4aywMwJbrU6OH/wG9E1:Cy855y3I3ayqr+fwGm1
Malware Config
Extracted
family: redline
botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes (memory dumps matching YARA rule healer, all in pid 3876):
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
- pro7386.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- pro7386.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- pro7386.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- pro7386.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- pro7386.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- pro7386.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes (memory dumps matching YARA rule family_redline, all in pid 4964):
Redline family

Executes dropped EXE (2 IoCs)
Processes:
- pid 3876: pro7386.exe
- pid 4964: qu8627.exe
Windows security modification
Processes:
- pro7386.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- pro7386.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Note: this RunOnce value is the wextract/IExpress self-extractor's cleanup entry. At next logon rundll32 calls advpack.dll!DelNodeRunDLL32 to delete the IXP000.TMP extraction directory, so it removes the dropper's working directory rather than re-launching the payload.
Program crash (1 IoCs)
Processes:
- pid 2312 WerFault.exe (pid_target 3876, procid_target 84)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- qu8627.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- pro7386.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 3876 pro7386.exe
- pid 3876 pro7386.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 3876 pro7386.exe
- Token: SeDebugPrivilege, pid 4964 qu8627.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 3880 (3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe) wrote to memory of 3876 (procid_target 84)
- PID 3880 (3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe) wrote to memory of 3876 (procid_target 84)
- PID 3880 (3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe) wrote to memory of 3876 (procid_target 84)
- PID 3880 (3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe) wrote to memory of 4964 (procid_target 99)
- PID 3880 (3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe) wrote to memory of 4964 (procid_target 99)
- PID 3880 (3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe) wrote to memory of 4964 (procid_target 99)
Processes
- C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe (PID 3880)
  command line: "C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe (PID 3876)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 2312)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1080
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe (PID 4964)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4268)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3876 -ip 3876
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 294KB
  MD5: ff3bc552737a47c16c36f3511b9b0c93
  SHA1: 50a65a98e62931422cc0c5a08cd1647f092f2f92
  SHA256: 3ce75c5275201122e95a92a2937ca7a98f828dad2a0e3e7d12d5f53b7c2b8d6d
  SHA512: e3dcec77eb9a57b5aa39aff2501ba97d1ab2d675efbcc3a7bf4b74fca1e25d7de4ef8674143ea28329f5390bbeb784e9704b7f049ff3d05f9c573b0492eafaea
- Filesize: 352KB
  MD5: 1861f1299a87f43f91590ba62aaaeb6a
  SHA1: c82069209d27dd7388f8d008b5954b6621a6d84f
  SHA256: 9b0d8e1b89988746776afa9de5aa3087e181e5b8c08e50ede88df82f116fe653
  SHA512: ca0396533a8933b7d7e98a9a1a85c64e163f7e789ec861627db70d1bbcf6cf239854ef3f287158f11e65866c7347da47f6b863a7d4b7b31df6be70b2e9288c34