Analysis
-
max time kernel
115s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 13:04
Static task
static1
Behavioral task
behavioral1
Sample
b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe
Resource
win10v2004-20241007-en
General
-
Target
b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe
-
Size
661KB
-
MD5
bb4b923aef0a6e6d4ba32e4eb5251880
-
SHA1
0c3aac15c5359d9f615d3e2be6c29585870f0fd2
-
SHA256
b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594
-
SHA512
0002325b355839882179748625f97698ad4cfc3b340d798a8cb9f8322c78beb8b4b4a0c233502255c88714f3910d514ef986947dce73d5a40db5dc1d943280b1
-
SSDEEP
12288:dMrwy90vntEIMDbD1QWCRJ1VfSGQ/0sJDp4OjP2CWxdtSZNfuDfEqI/nTygmE:pyMETDvuWavV8sqDp4OzhWxGAmDB
Malware Config
Extracted
redline
rosto
hueref.eu:4162
-
auth_value
07d81eba8cad42bbd0ae60042d48eac6
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/2008-19-0x00000000023B0000-0x00000000023CA000-memory.dmp healer behavioral1/memory/2008-21-0x0000000004B20000-0x0000000004B38000-memory.dmp healer behavioral1/memory/2008-49-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-47-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-45-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-43-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-41-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-39-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-37-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-35-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-33-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-31-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-29-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-27-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-25-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-23-0x0000000004B20000-0x0000000004B32000-memory.dmp healer behavioral1/memory/2008-22-0x0000000004B20000-0x0000000004B32000-memory.dmp healer -
Healer family
-
Processes:
urnP72xb95.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" urnP72xb95.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" urnP72xb95.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection urnP72xb95.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" urnP72xb95.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" urnP72xb95.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" urnP72xb95.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
Processes:
resource yara_rule behavioral1/memory/5084-60-0x0000000002520000-0x0000000002566000-memory.dmp family_redline behavioral1/memory/5084-61-0x0000000002710000-0x0000000002754000-memory.dmp family_redline behavioral1/memory/5084-65-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-75-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-95-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-94-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-92-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-89-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-87-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-85-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-83-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-81-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-79-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-77-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-73-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-71-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-69-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-67-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-63-0x0000000002710000-0x000000000274E000-memory.dmp family_redline behavioral1/memory/5084-62-0x0000000002710000-0x000000000274E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
ycfk67Mz29.exeurnP72xb95.exewrny79FS13.exepid Process 4732 ycfk67Mz29.exe 2008 urnP72xb95.exe 5084 wrny79FS13.exe -
Processes:
urnP72xb95.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features urnP72xb95.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" urnP72xb95.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exeycfk67Mz29.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ycfk67Mz29.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1060 2008 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exeycfk67Mz29.exeurnP72xb95.exewrny79FS13.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ycfk67Mz29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language urnP72xb95.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wrny79FS13.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
urnP72xb95.exepid Process 2008 urnP72xb95.exe 2008 urnP72xb95.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
urnP72xb95.exewrny79FS13.exedescription pid Process Token: SeDebugPrivilege 2008 urnP72xb95.exe Token: SeDebugPrivilege 5084 wrny79FS13.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exeycfk67Mz29.exedescription pid Process procid_target PID 4296 wrote to memory of 4732 4296 b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe 83 PID 4296 wrote to memory of 4732 4296 b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe 83 PID 4296 wrote to memory of 4732 4296 b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe 83 PID 4732 wrote to memory of 2008 4732 ycfk67Mz29.exe 84 PID 4732 wrote to memory of 2008 4732 ycfk67Mz29.exe 84 PID 4732 wrote to memory of 2008 4732 ycfk67Mz29.exe 84 PID 4732 wrote to memory of 5084 4732 ycfk67Mz29.exe 95 PID 4732 wrote to memory of 5084 4732 ycfk67Mz29.exe 95 PID 4732 wrote to memory of 5084 4732 ycfk67Mz29.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe"C:\Users\Admin\AppData\Local\Temp\b3c7f41a7dd9851c86bd01ace067e0619161ae603c05dd2f33550bb39804f594N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycfk67Mz29.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycfk67Mz29.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urnP72xb95.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urnP72xb95.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 10844⤵
- Program crash
PID:1060
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrny79FS13.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrny79FS13.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2008 -ip 20081⤵PID:4452
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
516KB
MD544bc4a8cf1cac0c3120cac36c8ba72ed
SHA1229e22c8813529ed5579e540ecae11d0594cadf4
SHA256dd99a4ee2ac82356b0975de447695164df0d5d29eb3d4965357ebb5d6b6ceb40
SHA5129f6c38b3e251c6c60c7851ddc77817ba26c11526dffba2b36f4b1e5575c5f06cf7ae564c3fbec160b61a8b43daec54516a46f0c02c986e5e48f43050d5a549e1
-
Filesize
232KB
MD52120c6c2708aefaf06e59fce16a9e5ec
SHA1e953b0507cac25f46d483dd2a82c2770fbc2c5f4
SHA2568f9056673376ae658ed532e38040ae0dddf07d8a11aacc7ee92efc7d93f4e18b
SHA5128d3301488cd24d93bdcb808439d2c84b6e0d7e1a416e8058f812cae16c1d5c1ca40fb628ca3e91fd4020e79c0cff89b1ffe29f53890004f22154a90ffc3f9ebe
-
Filesize
290KB
MD575160aa498b0f13e4f6106ffe98857f3
SHA1154296294b8700f46187245fdb9a2c4d5aa7da3c
SHA25657ad72d53871e2d2f5576eca5bbf30e6c86fffef549ab740e9b2f89a81968547
SHA5128aade9003760df690e83dd35a309c64a67d7f10a37fb3e3138d4373d69a420885883417a1421f3bcdfb78776f5d6d38f83dab13b1f3f824186eae94ee1263813