Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:20

Static task: static1
Behavioral task: behavioral1
Sample: 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe
Resource: win10v2004-20241007-en
General
Target: 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe
Size: 691KB
MD5: 4039ec61d4dbb84cecc93208c4009539
SHA1: 1ee91bc70fc2f9fdde3d1a7642955d9929b3a88e
SHA256: 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2
SHA512: f24c7d443c7d96b471ca07f35afe654ee1517c40f64f4ff499c2c15b895e9497b67e2cff27563f111a6430d5c99f15b1b04ea728c6173b4cd8e9b5a0a9d891fe
SSDEEP: 12288:/y90qFZTkgNtmd4rAVWhsfVu0TaOh70i80crm2KmAUGlQrCM:/ytFRvNtAVWhsfVpTN4lq2KhUTOM
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3824-26-0x0000000002140000-0x000000000215A000-memory.dmp | healer
behavioral1/memory/3824-28-0x0000000002420000-0x0000000002438000-memory.dmp | healer
behavioral1/memory/3824-34-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-56-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-54-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-52-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-50-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-49-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-46-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-44-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-42-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-40-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-38-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-36-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-32-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-30-0x0000000002420000-0x0000000002433000-memory.dmp | healer
behavioral1/memory/3824-29-0x0000000002420000-0x0000000002433000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 34583703.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 34583703.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 34583703.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 34583703.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 34583703.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 34583703.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (18 IoCs)
resource | yara_rule
behavioral1/memory/1928-58-0x0000000002360000-0x000000000239C000-memory.dmp | family_redline
behavioral1/memory/1928-59-0x0000000002710000-0x000000000274A000-memory.dmp | family_redline
behavioral1/memory/1928-89-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-87-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-85-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-83-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-81-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-79-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-77-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-75-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-73-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-71-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-69-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-67-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-65-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-63-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-61-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
behavioral1/memory/1928-60-0x0000000002710000-0x0000000002745000-memory.dmp | family_redline
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
1888 | un962232.exe
4692 | 34583703.exe
3824 | 34583703.exe
1928 | rk807190.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 34583703.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 34583703.exe
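The two registry tables above (five Real-Time Protection policy values set to 1, then TamperProtection set to 0, all written by 34583703.exe as PID 3824) are the Healer behaviour worth hunting for on endpoints. The script below is an added example, not code from this report or from the sandbox: it classifies registry value-set records and groups the tampering by writing process. The records in SAMPLE_EVENTS are constructed to mirror the IoCs above; the field names (EventType, ProcessId, Image, TargetObject, Details) assume Sysmon Event ID 13 as the telemetry source, and the min_findings threshold is my choice. Two caveats a hunter should keep in mind: the writes land under WOW6432Node, which is where HKLM\SOFTWARE writes from a 32-bit process are redirected, so the rule accepts both the WOW6432Node and the native key path; and on a host with Defender Tamper Protection enabled these registry changes are not honoured by Defender, but the write attempts still occur and remain a usable detection signal.

```python
"""Hunt for the Windows Defender tampering seen in this report.

Added example, not part of the sandbox report or of the sample. SAMPLE_EVENTS
is constructed to mirror the report's registry IoCs; the field names assume
Sysmon Event ID 13 (RegistryEvent, value set) as the telemetry source.
"""
import re

# Real-Time Protection policy values the sample set to 1 (all five are in the report).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# Accept both the WOW6432Node view (32-bit writer, as in the report) and the native path.
RTP_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender\\"
    r"Real-Time Protection\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
TAMPER_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows Defender\\Features\\"
    r"TamperProtection$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{8})\)$")


def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' Details rendering; None if not a DWORD."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return a finding label for one SetValue record, or None if it is not tampering."""
    if event.get("EventType") != "SetValue":
        return None
    value = dword(event["Details"])
    m = RTP_KEY_RE.match(event["TargetObject"])
    if m and m.group("value") in RTP_DISABLE_VALUES and value == 1:
        return "rtp_disabled:" + m.group("value")
    if TAMPER_KEY_RE.match(event["TargetObject"]) and value == 0:
        return "tamper_protection_off"
    return None


def hunt(events, min_findings=2):
    """Group findings by writing process; keep processes with at least
    min_findings (a single write is more often an admin script). Threshold is an assumption."""
    by_proc = {}
    for ev in events:
        label = classify(ev)
        if label:
            by_proc.setdefault((ev["ProcessId"], ev["Image"]), []).append(label)
    return {k: v for k, v in by_proc.items() if len(v) >= min_findings}


def _ev(pid, image, target, details):
    return {"EventType": "SetValue", "ProcessId": pid, "Image": image,
            "TargetObject": target, "Details": details}


_RTP = "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
_SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\34583703.exe"

# Constructed records: the six writes the report attributes to PID 3824, plus two
# controls that must not fire (a write of 0 under a non-policy key, and a policy
# value that is not one of the disable switches).
SAMPLE_EVENTS = [
    _ev(3824, _SAMPLE, _RTP + v, "DWORD (0x00000001)") for v in sorted(RTP_DISABLE_VALUES)
] + [
    _ev(3824, _SAMPLE,
        "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection",
        "DWORD (0x00000000)"),
    _ev(5120, "C:\\Windows\\System32\\svchost.exe",
        "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
        "DWORD (0x00000000)"),
    _ev(5120, "C:\\Windows\\System32\\svchost.exe",
        "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\LocalSettingOverrideDisableRealtimeMonitoring",
        "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for (pid, image), labels in hunt(SAMPLE_EVENTS).items():
        print(f"PID {pid} {image}: {len(labels)} Defender controls tampered -> {labels}")
```

Run against real Sysmon output, the same classify() applies to each EID 13 record after mapping the event's TargetObject and Details fields; grouping by ProcessId lets one process that flips several controls in a burst stand out from a lone configuration change.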
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un962232.exe
Both values are the RunOnce cleanup entries that an IExpress self-extracting package (wextract) writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP*.TMP extraction directory at the next logon. They remove the dropped files rather than relaunch them, so this is packaging cleanup, not persistence; the nested IXP000.TMP and IXP001.TMP directories show two IExpress layers (the sample, then un962232.exe) wrapping the payloads.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4692 set thread context of 3824 | 4692 | 34583703.exe | 89
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 34583703.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 34583703.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk807190.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un962232.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3824 | 34583703.exe
3824 | 34583703.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3824 | 34583703.exe
Token: SeDebugPrivilege | 1928 | rk807190.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2292 wrote to memory of 1888 | 2292 | 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe | 86
PID 2292 wrote to memory of 1888 | 2292 | 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe | 86
PID 2292 wrote to memory of 1888 | 2292 | 6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe | 86
PID 1888 wrote to memory of 4692 | 1888 | un962232.exe | 87
PID 1888 wrote to memory of 4692 | 1888 | un962232.exe | 87
PID 1888 wrote to memory of 4692 | 1888 | un962232.exe | 87
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 4692 wrote to memory of 3824 | 4692 | 34583703.exe | 89
PID 1888 wrote to memory of 1928 | 1888 | un962232.exe | 90
PID 1888 wrote to memory of 1928 | 1888 | un962232.exe | 90
PID 1888 wrote to memory of 1928 | 1888 | un962232.exe | 90
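The SetThreadContext row and the nine writes from PID 4692 into PID 3824 in the table above, both between two instances of the same image 34583703.exe, are the classic process-hollowing (RunPE) pattern: the first instance starts a second copy of itself, overwrites the child's memory and redirects its thread, and it is the hollowed PID 3824 that then holds SeDebugPrivilege and disables Defender. Each ordinarily created child in this report receives exactly three writes from its parent, which gives a baseline to compare against. The script below is an added example, not part of the report or of the sandbox's tooling: it parses the flattened signature rows copied from this page, rebuilds the process tree from the writer/target pairs, and flags parent/child pairs that share an image, have a SetThreadContext event and receive more writes than that baseline. My reading of the column order (description, pid, Process, procid_target) and the write threshold are assumptions.

```python
"""Rebuild the process tree from Triage-style WriteProcessMemory / SetThreadContext
rows and flag the process-hollowing pair.

Added example, not part of the sandbox report. The three input strings are rows
copied from this report; the column layout assumed is
"PID <src> <op> <dst> <src> <image> <target-index>".
"""
import re
from collections import Counter, defaultdict

SAMPLE = "6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe"

WPM_ROWS = (
    f"PID 2292 wrote to memory of 1888 2292 {SAMPLE} 86 "
    f"PID 2292 wrote to memory of 1888 2292 {SAMPLE} 86 "
    f"PID 2292 wrote to memory of 1888 2292 {SAMPLE} 86 "
    "PID 1888 wrote to memory of 4692 1888 un962232.exe 87 "
    "PID 1888 wrote to memory of 4692 1888 un962232.exe 87 "
    "PID 1888 wrote to memory of 4692 1888 un962232.exe 87 "
    + "PID 4692 wrote to memory of 3824 4692 34583703.exe 89 " * 9
    + "PID 1888 wrote to memory of 1928 1888 un962232.exe 90 "
    "PID 1888 wrote to memory of 1928 1888 un962232.exe 90 "
    "PID 1888 wrote to memory of 1928 1888 un962232.exe 90"
)
CTX_ROWS = "PID 4692 set thread context of 3824 4692 34583703.exe 89"
DROPPED_ROWS = "pid Process 1888 un962232.exe 4692 34583703.exe 3824 34583703.exe 1928 rk807190.exe"

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target>\d+)"
)
PID_IMAGE_RE = re.compile(r"(\d+) (\S+)")

# This report shows three writes into each ordinarily created child; treat more
# than that, together with SetThreadContext, as hollowing (threshold is an assumption).
ORDINARY_CHILD_WRITES = 3


def parse_rows(text):
    """Turn flattened signature rows into dicts with src, op, dst, image, target."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def build_tree(wpm_text, ctx_text, dropped_text):
    """Return (image_by_pid, write Counter keyed (src, dst), ctx pair set, children)."""
    image = {int(pid): name for pid, name in PID_IMAGE_RE.findall(dropped_text)}
    writes, ctx_pairs = Counter(), set()
    children = defaultdict(list)
    for r in parse_rows(wpm_text) + parse_rows(ctx_text):
        src, dst = int(r["src"]), int(r["dst"])
        image.setdefault(src, r["image"])
        if r["op"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx_pairs.add((src, dst))
        if dst not in children[src]:
            children[src].append(dst)
    return image, writes, ctx_pairs, children


def hollowing_candidates(image, writes, ctx_pairs):
    """Parent and child share an image, parent set the child's thread context,
    and the parent wrote into the child more often than a plain CreateProcess does."""
    found = []
    for src, dst in sorted(ctx_pairs):
        n = writes[(src, dst)]
        if image.get(src) == image.get(dst) and n > ORDINARY_CHILD_WRITES:
            found.append({"parent": src, "child": dst, "image": image[src], "writes": n})
    return found


def roots(children):
    """PIDs that never appear as a target are the tree roots."""
    targets = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in targets]


def render_tree(image, children, root, depth=0):
    lines = [f"{'  ' * depth}{root} {image.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render_tree(image, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    img, w, ctx, kids = build_tree(WPM_ROWS, CTX_ROWS, DROPPED_ROWS)
    for root in roots(kids):
        print("\n".join(render_tree(img, kids, root)))
    for c in hollowing_candidates(img, w, ctx):
        print(f"hollowing: {c['parent']} -> {c['child']} ({c['image']}, {c['writes']} writes)")
```

On this report the tree comes out as sample -> un962232.exe -> {34583703.exe (4692) -> 34583703.exe (3824), rk807190.exe}, and only the 4692 -> 3824 pair is flagged; the same image-equality plus thread-context check maps directly onto Sysmon Event ID 1 (parent/child image) and Event ID 10 (process access) data on a live host.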
Processes
[1] C:\Users\Admin\AppData\Local\Temp\6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe (PID 2292)
    command line: "C:\Users\Admin\AppData\Local\Temp\6c807444608823f3445ec74745837f134c5d1dd4d42c64fda02c9adec78f6ae2.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un962232.exe (PID 1888)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un962232.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\34583703.exe (PID 4692)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\34583703.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\34583703.exe (PID 3824)
                command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\34583703.exe
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk807190.exe (PID 1928)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk807190.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 536KB
MD5: d9d0c108920dcb75cb3fe26b6e80cbb9
SHA1: 14ba0569814450586936d7c3aee600e55405d0fe
SHA256: d548896af66d46e61368a1708588e0296aed74efb38dbbd0c91b8f8a1ed26eb5
SHA512: 308a379455b52371d8af59ed4188010857ff1b9c1dd57cf8f592d9db4f134f501a3d34dfb1e5e841d477be60b5d70e3069f0273dae44d28b2e8e9dd5a4165c58

Filesize: 259KB
MD5: 3089e3d34d8b3877aabca615439fa762
SHA1: ccd2128261e714582f18d20aa30dd6ab082c4e0d
SHA256: 5f125a98cb892a5bf1fc8f734646aad90e29ccc7c68e7511ce2077ccfedc137f
SHA512: 8e07e656d5e970a0f5b02b4825e3dc5daf4b9386b3827ab251a438f8dbf69d015da8624a77e478d89d17190fbe07c69e5d2f6a833df053eb9f5fb8ff02444478

Filesize: 341KB
MD5: a74957eacecdff4da8c10eaa0767dcab
SHA1: 040b152ca2127ebad20bbca3bc277f5c58ccf01b
SHA256: 1d61d2fabac1c7cb13da85a3aae5f2640cdd58c6171cbebd4d3d340880c04b4d
SHA512: d0cd92ba8469f21d4bbb0220b13eb0c3db7d43eb0bf9f477f6de9422d30b4207d25a90035d861282ca7c9220f7cea002c2dc8378400b86bf3eb3df7f98be1b18