Analysis
max time kernel: 141s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:29

Static task: static1
Behavioral task: behavioral1
Sample: 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe
Resource: win10v2004-20241007-en
General
Target: 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe
Size: 826KB
MD5: fd52e7207b35a4fbee0b3dd00dfa9045
SHA1: 4ac541cee5a2da2d66b4919fa355232dbf0d8ee4
SHA256: 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542
SHA512: cff7c3be9eb6b19a600b88d4912b0002cff089c3528e4094f0f05fcb72a1bae71672d92196f0f24c3e7321d69a0985926be6e86cfe55c33c1027c978ae805467
SSDEEP: 12288:Qy90XXMch4rpe8N7qTuoxFuEr0iEeO29v2Jb/IwIvAQlDNN3v8oFy:QyTe8VuDEeVNuODlBN3Vy
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b96-19.dat | healer
behavioral1/memory/4920-22-0x0000000000DF0000-0x0000000000DFA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it614376.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it614376.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it614376.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it614376.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it614376.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it614376.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
Redline family

Executes dropped EXE 4 IoCs
pid | Process
3476 | zijT3442.exe
2024 | zizn4045.exe
4920 | it614376.exe
412 | jr380253.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it614376.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zijT3442.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zizn4045.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5016 | sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zijT3442.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zizn4045.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr380253.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4920 | it614376.exe
4920 | it614376.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4920 | it614376.exe
Token: SeDebugPrivilege | 412 | jr380253.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1788 wrote to memory of 3476 | 1788 | 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe | 84
PID 1788 wrote to memory of 3476 | 1788 | 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe | 84
PID 1788 wrote to memory of 3476 | 1788 | 221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe | 84
PID 3476 wrote to memory of 2024 | 3476 | zijT3442.exe | 85
PID 3476 wrote to memory of 2024 | 3476 | zijT3442.exe | 85
PID 3476 wrote to memory of 2024 | 3476 | zijT3442.exe | 85
PID 2024 wrote to memory of 4920 | 2024 | zizn4045.exe | 86
PID 2024 wrote to memory of 4920 | 2024 | zizn4045.exe | 86
PID 2024 wrote to memory of 412 | 2024 | zizn4045.exe | 95
PID 2024 wrote to memory of 412 | 2024 | zizn4045.exe | 95
PID 2024 wrote to memory of 412 | 2024 | zizn4045.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe (depth 1, PID 1788)
  command line: "C:\Users\Admin\AppData\Local\Temp\221ae1efb162d5732b033fe120c073cc402dba98d4a543b67a2d59c436731542.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijT3442.exe (depth 2, PID 3476)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijT3442.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizn4045.exe (depth 3, PID 2024)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizn4045.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it614376.exe (depth 4, PID 4920)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it614376.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr380253.exe (depth 4, PID 412)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr380253.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\sc.exe (depth 1, PID 5016)
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads