Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe
- Resource: win10v2004-20241007-en
General
- Target: 1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe
- Size: 479KB
- MD5: c330c63a64330b1d9d5bdc9f8a5133f4
- SHA1: ebe86bb47ea14f5ae7a32223f4c4764bc654cb37
- SHA256: 1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860
- SHA512: a36506acefeb09b5af7ad726f5e3edd3ee3651a6fcf0dcf50ca4cde3c2e6f4d5a2791405c034ceb84db6399f29228cbd101984f811525d19f3659b4d0764e5b1
- SSDEEP: 12288:NMriy901Dgzny0uC2wdYvFHNKWJOeXlYrXFmJ:jyRxbyHXliX2
Malware Config
Extracted
- Family: redline
- divan
- C2 address: 217.196.96.102:4132
- auth_value: b414986bebd7f5a3ec9aee0341b8e769
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource / yara_rule:
- behavioral1/memory/1176-15-0x0000000000880000-0x000000000089A000-memory.dmp (healer)
- behavioral1/memory/1176-19-0x0000000002620000-0x0000000002638000-memory.dmp (healer)
- behavioral1/memory/1176-47-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-45-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-43-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-41-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-39-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-37-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-36-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-33-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-31-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-29-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-27-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-25-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-23-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-21-0x0000000002620000-0x0000000002632000-memory.dmp (healer)
- behavioral1/memory/1176-20-0x0000000002620000-0x0000000002632000-memory.dmp (healer)

Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (k4365813.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (k4365813.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (k4365813.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (k4365813.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (k4365813.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (k4365813.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x0007000000023c64-53.dat (family_redline)
- behavioral1/memory/1860-55-0x0000000000DF0000-0x0000000000E1E000-memory.dmp (family_redline)

Redline family

Executes dropped EXE (3 IoCs)
pid / Process:
- 2280 y8512987.exe
- 1176 k4365813.exe
- 1860 l2855295.exe

Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (k4365813.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (k4365813.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (y8512987.exe)

Both RunOnce values are the self-extracting (wextract/IExpress) wrapper's own cleanup entries: on the next logon they call advpack.dll DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction folders, rather than re-launching a payload.
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid / Process:
- 4932 sc.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (y8512987.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (k4365813.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (l2855295.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 1176 k4365813.exe
- 1176 k4365813.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 1176 k4365813.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
- PID 3476 wrote to memory of 2280 (3476, 1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe, target 84)
- PID 3476 wrote to memory of 2280 (3476, 1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe, target 84)
- PID 3476 wrote to memory of 2280 (3476, 1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe, target 84)
- PID 2280 wrote to memory of 1176 (2280, y8512987.exe, target 85)
- PID 2280 wrote to memory of 1176 (2280, y8512987.exe, target 85)
- PID 2280 wrote to memory of 1176 (2280, y8512987.exe, target 85)
- PID 2280 wrote to memory of 1860 (2280, y8512987.exe, target 94)
- PID 2280 wrote to memory of 1860 (2280, y8512987.exe, target 94)
- PID 2280 wrote to memory of 1860 (2280, y8512987.exe, target 94)
Processes

- C:\Users\Admin\AppData\Local\Temp\1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1cbb659dd101804ff3c9135d9807c68922a0495e27608a70659dbd6342965860.exe"
  PID: 3476
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8512987.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8512987.exe
    PID: 2280
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4365813.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4365813.exe
      PID: 1176
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2855295.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2855295.exe
      PID: 1860
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\sc.exe (level 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 4932
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (T1547): 1
    - Registry Run Keys / Startup Folder (T1547.001): 1
  - Create or Modify System Process (T1543): 1
    - Windows Service (T1543.003): 1
Downloads

- Dropped file 1
  - Filesize: 307KB
  - MD5: f85123d46c9fa5df8e8139f385e36cc0
  - SHA1: 73249f202bcb2e8560031ee918abb391ad280094
  - SHA256: ce5875bef078bd003e7c6d94ca709d15fab3c6c056247b5983c215fe77dd64a5
  - SHA512: 0d53a3999b0cf33b99cac943e127f108fa1d2c3bcd9aa1f8276ecf5c6fd12b0c139764b535561fa964102511c1c7d4a778b2eee151bea6cdf96d25ee6fa08bdf

- Dropped file 2
  - Filesize: 182KB
  - MD5: 865816311697278f7c1a095efcfd1c96
  - SHA1: 11c42020316b072fbf41f0468deee2d310bb482d
  - SHA256: 2599505d8e40b87b4a3e3e29092d4f9921e4d2dba9e25ec2de7435fc6864080a
  - SHA512: f37410f668d3cecb6c7828e78302d135092011a98a267a5b031b3e4c87b3a454020c4385d76668c8b69df7305918d85c2a52f2a615ae7cf0714bd49e0dbc8705

- Dropped file 3
  - Filesize: 168KB
  - MD5: f65a77cd15213a2431161d27ac0ff126
  - SHA1: 943949961af68d2f9c42e600f0f3ec94ff1f9976
  - SHA256: 713baa4b610982ba115981b57580750d9f9dcabdaeda3aa85ac800bce336b1ac
  - SHA512: 3dc847edb95f059c6e05d4a5b6f452084b6907471adb5b2632873203d83739b5fa3bebff1f7c7305b27effe9ac3658b3cff4b5e384d8e72bb52a4970db05650e