Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:32
Static task: static1
Behavioral task: behavioral1
Sample: 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe
Resource: win10v2004-20241007-en
General
Target: 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe
Size: 479KB
MD5: afcad893788b15a2355d0af32bcf6326
SHA1: fb6d908de8585513d4784f2a96aaf886d638a1d4
SHA256: 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18
SHA512: 7f9ab5bf9f196f3c50e1eee8936434c244dee3d8782928f1804539bde8c4c0e6dcb8dfff650b7edaec3e888317def859588eb45fcfbe71f73d0e9f7a1286b4eb
SSDEEP: 12288:hMrLy90Gqos3MSrSogyLWZ9gpwCMQQTsmYB:Ky0os3oo7GG
Malware Config
Extracted
redline
murka
217.196.96.101:4132
auth_value: 878a0681ac6ad0e4eb10ef9db07abdd9
Signatures

Detects Healer an antivirus disabler dropper  17 IoCs
resource | yara_rule
behavioral1/memory/3620-15-0x0000000000970000-0x000000000098A000-memory.dmp | healer
behavioral1/memory/3620-18-0x0000000002560000-0x0000000002578000-memory.dmp | healer
behavioral1/memory/3620-19-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-46-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-44-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-42-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-40-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-38-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-36-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-34-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-32-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-30-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-28-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-26-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-24-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-22-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3620-20-0x0000000002560000-0x0000000002572000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a6655238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a6655238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a6655238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a6655238.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a6655238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a6655238.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload  2 IoCs
resource | yara_rule
behavioral1/memory/3388-55-0x00000000009A0000-0x00000000009D0000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cb8-54.dat | family_redline

Redline family
Executes dropped EXE  3 IoCs
pid | Process
1148 | v5713863.exe
3620 | a6655238.exe
3388 | b9287928.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a6655238.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a6655238.exe
Adds Run key to start application  2 TTPs  2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v5713863.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9287928.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v5713863.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6655238.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid | Process
3620 | a6655238.exe
3620 | a6655238.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3620 | a6655238.exe

Suspicious use of WriteProcessMemory  9 IoCs
description | pid | Process | procid_target
PID 2216 wrote to memory of 1148 | 2216 | 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe | 84
PID 2216 wrote to memory of 1148 | 2216 | 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe | 84
PID 2216 wrote to memory of 1148 | 2216 | 602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe | 84
PID 1148 wrote to memory of 3620 | 1148 | v5713863.exe | 85
PID 1148 wrote to memory of 3620 | 1148 | v5713863.exe | 85
PID 1148 wrote to memory of 3620 | 1148 | v5713863.exe | 85
PID 1148 wrote to memory of 3388 | 1148 | v5713863.exe | 98
PID 1148 wrote to memory of 3388 | 1148 | v5713863.exe | 98
PID 1148 wrote to memory of 3388 | 1148 | v5713863.exe | 98
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\602b88acc037a78a6d28e4c020773b844410695c6e3c4abd5c80babd87e27b18.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2216

    [level 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5713863.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5713863.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1148

        [level 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6655238.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6655238.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3620

        [level 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9287928.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9287928.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 3388
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution  1
        Registry Run Keys / Startup Folder  1
    Create or Modify System Process  1
        Windows Service  1
Downloads

Filesize: 307KB
MD5: 7ddb2f0f867e5478cecf2243e63a41d2
SHA1: c53f3922f76822982dfc12caf27a1afbc6b20857
SHA256: 0ad55a3d765b97237841ba009ab7fdc4dbd558cc66fa71822c514ae97033b923
SHA512: 1f270e9473d9b6ea3789564c42ce546d0c5e7ae0afdaf166a99014d31a42b4a3e95e3776a08ca9babd8d22bf5bb23a8f36702210d1205d9a9fc933f4b55ffa37

Filesize: 181KB
MD5: cec2835572fad45aa6303a551b440485
SHA1: a94709cfe3e2e5a895abbe6578651bf64b81f8c8
SHA256: c7fda5957257b8fbe1a28904aaecb39549bd51aa78debc06f115799db50db999
SHA512: fee4ab2deaf23714ee3a1e173ac7d20badc2684b831a3b31c4d367ca429669782a77fd1d06299ccfec09d84d07077d99669dffe612880f12a417fdb82d33876b

Filesize: 168KB
MD5: 35c1842d6f1272a5977590d8434cea11
SHA1: fcdc912cd1ab19c3c0cb43da0fca83b1b1ba709e
SHA256: 424d3fea2a0fdc21eb73b72d3390d395da962d30745c90322a706c2aef330813
SHA512: 93021bf6d4754d72390afc392179b154417384460d98bcbf6c42b02a6c5ef48cee5f345f7e4de70cfabcc60ca08db76193269d14dc783d5ad968baa03ee84b17