Analysis
Max time kernel: 143s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-10-2024 22:09
Static task: static1
Behavioral task: behavioral1
Sample: 1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe
Resource: win10v2004-20241007-en
General
Target: 1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe
Size: 479KB
MD5: b6bf0f1a8b20c949745b9d66f0e39428
SHA1: dfdc3f44858e29305d0a6fd11f953cd4d27d1ec1
SHA256: 1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0
SHA512: 820c3675b52e8e35241ad4f864adcedf475e4a825391fa75205b130baecfa325c8792cc7ea32b4acf88637a70fa83741322996d3a405a4a5feed11845450cf17
SSDEEP: 12288:MMrgy90Sb2Tl6i+A3dR0ncn9GwPDI94BgCq5QGxyJU:cyT2Tl3nd9G5Us5QXJU
Malware Config
Extracted
Family: redline
Botnet: dippo
C2: 217.196.96.102:4132
auth_value: 79490ff628fd6af3b29170c3c163874b
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
- k4791152.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- k4791152.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- k4791152.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- k4791152.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- k4791152.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- k4791152.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (2 IoCs)
Processes:
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0299702.exe: yara rule family_redline
- behavioral1/memory/2980-56-0x0000000000860000-0x000000000088E000-memory.dmp: yara rule family_redline
Redline family
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 2552: y0216182.exe
- PID 4736: k4791152.exe
- PID 2980: l0299702.exe
Windows security modification
Processes:
- k4791152.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- k4791152.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- y0216182.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- y0216182.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- k4791152.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- l0299702.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 4736: k4791152.exe
- PID 4736: k4791152.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- PID 4736 (k4791152.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 4676 (1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe) wrote to memory of PID 2552 (y0216182.exe)
- PID 4676 (1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe) wrote to memory of PID 2552 (y0216182.exe)
- PID 4676 (1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe) wrote to memory of PID 2552 (y0216182.exe)
- PID 2552 (y0216182.exe) wrote to memory of PID 4736 (k4791152.exe)
- PID 2552 (y0216182.exe) wrote to memory of PID 4736 (k4791152.exe)
- PID 2552 (y0216182.exe) wrote to memory of PID 4736 (k4791152.exe)
- PID 2552 (y0216182.exe) wrote to memory of PID 2980 (l0299702.exe)
- PID 2552 (y0216182.exe) wrote to memory of PID 2980 (l0299702.exe)
- PID 2552 (y0216182.exe) wrote to memory of PID 2980 (l0299702.exe)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe (PID 4676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d74f48646b449fcc497b045e8b9f95dc34b834653908d6c88affa96b860daa0.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0216182.exe (PID 2552)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0216182.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4791152.exe (PID 4736)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4791152.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0299702.exe (PID 2980)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0299702.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads