Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 21:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe
  Resource: win10v2004-20241007-en
General
Target: 0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe
Size: 1.5MB
MD5: fbd46982e2845ad803edb569cc9ac627
SHA1: d32896454d3eccd2d66804f00be156b997531167
SHA256: 0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb
SHA512: e1b6fa081dac305e2f491d045a2baec5a18667038a201ab5021c7496122608deb02695d5258152b45590d6c7798d06fdbbca13fe0396df026ae0a790577a201f
SSDEEP: 24576:vyDFcw7PyWymJjFz61IDEKYppR4620k/Qj/sZPsobXpWSYdWgsyu6agBU:6DdLhSODpErIxQg7p8dWQ
Malware Config
Extracted
Family: redline
Botnet: max
C2: 185.161.248.73:4164
auth_value: efb1499709a5d08ed1ddf71cff71211f
Signatures
Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/2532-35-0x0000000002350000-0x000000000236A000-memory.dmp  healer
behavioral1/memory/2532-37-0x00000000023C0000-0x00000000023D8000-memory.dmp  healer
behavioral1/memory/2532-65-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-63-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-59-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-57-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-55-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-53-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-49-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-47-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-45-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-43-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-61-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-41-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-51-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-39-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
behavioral1/memory/2532-38-0x00000000023C0000-0x00000000023D3000-memory.dmp  healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description      ioc                                                                                                                        Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                              a73106153.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   a73106153.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       a73106153.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   a73106153.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   a73106153.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a73106153.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource  yara_rule
behavioral1/files/0x0007000000023cb4-69.dat  family_redline
behavioral1/memory/3340-70-0x0000000000360000-0x0000000000390000-memory.dmp  family_redline
Redline family
Executes dropped EXE 6 IoCs
pid   Process
4776  i57805258.exe
3176  i01915325.exe
3164  i14906422.exe
3352  i14591860.exe
2532  a73106153.exe
3340  b87968139.exe
Windows security modification 2 IoCs
description      ioc                                                                                          Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                     a73106153.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a73106153.exe
Adds Run key to start application 2 TTPs 5 IoCs
description      ioc                                                                                                                                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  i14906422.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  i14591860.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  i57805258.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  i01915325.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i57805258.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i01915325.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i14906422.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i14591860.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a73106153.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b87968139.exe
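The registry signatures above (Defender real-time protection policies, TamperProtection, the wextract_cleanup RunOnce entries, the NLS\Language lookup) are the kind of rows a detection rule would be written against. The following is an added example, not part of this report or of any vendor tool: it replays rows constructed from the report's own tables through a small rule set that scores each process, and it orders the self-extractor stages from the cleanup entries. The rule names, the weights and the threshold are this example's assumptions.

```python
"""Detection logic over the registry events this report lists.

Added example, not part of the sandbox report or of any vendor tool. The event
rows are constructed from the report's "description / ioc / Process" tables; the
rule names, the per-rule weights and the threshold are this example's own
assumptions, chosen so that policy-level Defender tampering stands out from the
noise the self-extractor stages and the NLS lookup generate.
"""
import re
from collections import defaultdict

ROOT = "0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
# RunOnce value exactly as the report renders it (escaped), with the stage directory substituted.
CLEANUP = r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{dir}\\\"'


def runonce_row(stage, proc):
    value = CLEANUP.format(dir=f"IXP00{stage}.TMP")
    return ("Set value (str)", f'{RUNONCE}\\wextract_cleanup{stage} = "{value}"', proc)


# (action, ioc, process) rows constructed from the report's signature tables.
EVENTS = [
    ("Key created", RTP, "a73106153.exe"),
    *[("Set value (int)", f'{RTP}\\{v} = "1"', "a73106153.exe") for v in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")],
    ("Key created", FEATURES, "a73106153.exe"),
    ("Set value (int)", f'{FEATURES}\\TamperProtection = "0"', "a73106153.exe"),
    runonce_row(3, "i14906422.exe"), runonce_row(4, "i14591860.exe"), runonce_row(0, ROOT),
    runonce_row(1, "i57805258.exe"), runonce_row(2, "i01915325.exe"),
    *[("Key opened", NLS, p) for p in (ROOT, "i57805258.exe", "i01915325.exe", "i14906422.exe",
                                         "i14591860.exe", "a73106153.exe", "b87968139.exe")],
]

# (rule, weight, pattern); each pattern captures the detail worth reporting.
RULES = [
    ("defender_rtp_disabled", 3,
     re.compile(r"\\Windows Defender\\Real-Time Protection\\(Disable\w+) = \"1\"$")),
    ("tamper_protection_off", 4,
     re.compile(r"\\Windows Defender\\Features\\(TamperProtection) = \"0\"$")),
    ("wextract_cleanup_runonce", 1,
     re.compile(r"\\RunOnce\\wextract_cleanup\d+ = .*?(IXP\d{3}\.TMP)")),
    ("nls_language_lookup", 0, re.compile(r"\\Control\\NLS\\(Language)$")),
]
WEIGHTS = {rule: weight for rule, weight, _ in RULES}


def analyze(events):
    """Map each process to the (rule, detail) pairs its registry activity triggered."""
    hits = defaultdict(list)
    for _action, ioc, proc in events:
        for rule, _weight, rx in RULES:
            m = rx.search(ioc)
            if m:
                hits[proc].append((rule, m.group(1)))
                break
    return dict(hits)


def score(hits_for_proc):
    return sum(WEIGHTS[rule] for rule, _detail in hits_for_proc)


def defender_killers(events, threshold=6):
    """Processes whose Defender policy/feature tampering alone clears the threshold.

    One real-time protection policy plus TamperProtection=0 (3 + 4) is enough; the
    self-extractor stages never get there because their only signal is the RunOnce
    cleanup entry, and the NLS lookup is too common to carry any weight.
    """
    return sorted(p for p, h in analyze(events).items() if score(h) >= threshold)


def stage_chain(events):
    """Order the wextract_cleanup RunOnce entries by stage: (stage, temp dir, process).

    Each stage of the nested self-extractor registers the cleanup of its own
    IXP00n.TMP directory, so the stage number reconstructs the unpacking order even
    when the report lists the rows out of order.
    """
    rx = re.compile(r"wextract_cleanup(\d+) = .*?(IXP\d{3}\.TMP)")
    rows = []
    for _action, ioc, proc in events:
        m = rx.search(ioc)
        if m:
            rows.append((int(m.group(1)), m.group(2), proc))
    return sorted(rows)


if __name__ == "__main__":
    for proc, h in analyze(EVENTS).items():
        print(f"{proc:<70} score={score(h):>2}  {[d for _, d in h]}")
    print("Defender tampering by:", defender_killers(EVENTS))
    print("Unpacking order:", [(s, d) for s, d, _ in stage_chain(EVENTS)])
```

Only a73106153.exe crosses the threshold; every other process scores 1 or 0 because the wextract cleanup entry is what any IExpress-style self-extractor writes and the NLS\Language read is shared by all seven processes. The patterns match on the key tail rather than the full path, so they apply equally to the report's WOW6432Node view and to the native 64-bit view of the same keys.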
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2532  a73106153.exe
2532  a73106153.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2532  a73106153.exe
Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   Process                                                                 procid_target
PID 1976 wrote to memory of 4776  1976  0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe  86
PID 1976 wrote to memory of 4776  1976  0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe  86
PID 1976 wrote to memory of 4776  1976  0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe  86
PID 4776 wrote to memory of 3176  4776  i57805258.exe  87
PID 4776 wrote to memory of 3176  4776  i57805258.exe  87
PID 4776 wrote to memory of 3176  4776  i57805258.exe  87
PID 3176 wrote to memory of 3164  3176  i01915325.exe  88
PID 3176 wrote to memory of 3164  3176  i01915325.exe  88
PID 3176 wrote to memory of 3164  3176  i01915325.exe  88
PID 3164 wrote to memory of 3352  3164  i14906422.exe  89
PID 3164 wrote to memory of 3352  3164  i14906422.exe  89
PID 3164 wrote to memory of 3352  3164  i14906422.exe  89
PID 3352 wrote to memory of 2532  3352  i14591860.exe  90
PID 3352 wrote to memory of 2532  3352  i14591860.exe  90
PID 3352 wrote to memory of 2532  3352  i14591860.exe  90
PID 3352 wrote to memory of 3340  3352  i14591860.exe  103
PID 3352 wrote to memory of 3340  3352  i14591860.exe  103
PID 3352 wrote to memory of 3340  3352  i14591860.exe  103
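The WriteProcessMemory rows are what the Processes section below is built from: each stage writes into the child it has just created, so the writer/target pairs are the parent/child edges. As an added example (not part of this report), the following rebuilds that tree from rows constructed from the table, collapses the triplicate rows, and computes the nesting depth and the stage that fans out into two children. Treating a write into a newly created process as a parent-to-child edge is this example's assumption; the result matches the report's tree.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. The rows are constructed from the
"Suspicious use of WriteProcessMemory" table (each parent-child pair appears three
times there and is kept three times here); names come from the "Executes dropped
EXE" table. Treating a process's writes into a newly created process as a
parent-to-child edge is this example's assumption; the tree it yields matches the
report's Processes section.
"""
from collections import defaultdict

ROOT = "0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe"
NAMES = {1976: ROOT, 4776: "i57805258.exe", 3176: "i01915325.exe", 3164: "i14906422.exe",
         3352: "i14591860.exe", 2532: "a73106153.exe", 3340: "b87968139.exe"}

# (writer pid, target pid) rows in the report's order, each logged three times there.
WRITES = [edge for edge in [(1976, 4776), (4776, 3176), (3176, 3164), (3164, 3352),
                            (3352, 2532), (3352, 3340)] for _ in range(3)]


def build_tree(writes):
    """Return (parent, children) maps with one edge per unique writer->target pair."""
    parent, children = {}, defaultdict(list)
    for writer, target in writes:
        if target in parent:
            continue  # repeated rows for the same child add nothing
        parent[target] = writer
        children[writer].append(target)
    return parent, dict(children)


def roots(parent, children):
    """Processes that write into others but were never written into: the tree roots."""
    return [p for p in children if p not in parent]


def lineage(parent, pid):
    """Root-first list of pids from the root down to pid; its length is the nesting level."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def fan_out(children):
    """Processes that spawned more than one child (the stage that drops the payloads)."""
    return [p for p, kids in children.items() if len(kids) > 1]


def render(parent, children, names, pid=None, level=1):
    """Indented lines in the report's own [level] style."""
    if pid is None:
        pid = roots(parent, children)[0]
    lines = [f"{'  ' * (level - 1)}[{level}] {names[pid]} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(parent, children, names, child, level + 1))
    return lines


if __name__ == "__main__":
    parent, children = build_tree(WRITES)
    print("\n".join(render(parent, children, NAMES)))
    print("fan-out at:", [NAMES[p] for p in fan_out(children)])
    print("deepest level:", max(len(lineage(parent, p)) for p in NAMES))
```

The chain is strictly linear through four nested self-extractor stages and only the innermost one, i14591860.exe (PID 3352), spawns two children: a73106153.exe, which carries the Healer detections and the Defender tampering, and b87968139.exe, which carries the RedLine payload. That fan-out node is the one worth pivoting on when the same packer chain shows up with different final payloads.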
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b49c4660806e1439caf7d3e3499ece706cd9c476371ddad919283133679eaeb.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1976
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57805258.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57805258.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4776
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01915325.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01915325.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3176
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i14906422.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i14906422.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3164
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i14591860.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i14591860.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3352
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73106153.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73106153.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2532
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b87968139.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b87968139.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 3340
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 1.2MB
MD5: ae3120de142240133369adcd054863ae
SHA1: 751c2625cdb857f7aa35e308b4d1a3414514b3e7
SHA256: fde3b9f4c67f1179771603a27f0ca8a7acb12f6b42fc2d5d0b0431d8b411f1fb
SHA512: c74bf2d5ad3dd79e154f26508aeba08baad8ea046b877af8ac6a750367bd9b09dcadd0f3fcb2674bd225ade43a78f4e55dc780b6bee1e8f890bf458119127ea4

Filesize: 1.1MB
MD5: c3e47f6981b4403d6024b7e0f03572fa
SHA1: d1bd01524c475e81f40fa8f80698994260eb75db
SHA256: 313ec4442d2bc3f8444a8d32c7a98a8cb1d53b3c9ec984970c0535549f52278f
SHA512: c5a45cbfaae3814bec15680372a8aa73507cf34b10eccdb9e5baa781cc76058b6a3550ddd36da2e3ba8d03c45dc845e870a5213ad3cbe872eded0344409f4b5b

Filesize: 590KB
MD5: ab7975778b0884fd105b9a43a1badc85
SHA1: a519b8ee0dc5bb56c9212319fffbbe5aca80b6df
SHA256: 322481e4f929eed7133bcb446cdbdbaa21168a9d4889320487c085ab9a79f955
SHA512: 06bad8ae3652ae23b72c6f40e353e21514c7d1659ad9ff9697002e25c988c7ae5ac14779a803422747c5d4e20821a8633d6190f01d27eb483808468b741f1292

Filesize: 310KB
MD5: db35c62fd3611fcdf2bb0a01faf83b9d
SHA1: 361fb3a2a41f3331e9132b1b72b786f732b85bc0
SHA256: 0769f2a6ad821f4ccecfb59628deabdbc8fe7bcef858e2cfe84c1590c3bf420d
SHA512: 1a48c1acf594d00dbf3be53fb764edf890784e1eb28599efdf29fc0d7d311e0d5d2e5533eb60131127e22a78390ac64787ad4ccf3df48fc6665580f19d1c7f74

Filesize: 177KB
MD5: 035673723873f1197ed4161cdc5d949d
SHA1: 699847dd4757f20391d17cbb616da3240db5e48d
SHA256: b25eaf6dd2e8752ed2a8b7081217a01bb94ce7e116e1d7802205cf8afe62ea95
SHA512: 96fa0103c259a12c87e2f0f57e21b950c908256f2e3e1ca765dd39da534aa2b8e9ae819cdf1f61edcb1fab09614cef17e7dfa842917b33fb370f935f58a56568

Filesize: 168KB
MD5: 300774f7b4fd8b774aa9ccad4ef94993
SHA1: ff0b64209b0fde7eaba149a0b79598e717aea859
SHA256: e2e69ca36f0c193004383528daeb9968f97e7d31a4fd96417759702798a1b92b
SHA512: 4d273ada8623571a1f1912d883e0ff78ff3ba4d5d9eb2780a3f26400a1e82580af479f27739ce752f94246476de7b0f3e08a8985c9b9ce65f76f425a4adf256d