Analysis

- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe
- Resource: win10v2004-20241007-en
General

- Target: b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe
- Size: 828KB
- MD5: 8188be46f838f8f67a6a01e822a73cba
- SHA1: 55152ef03bdf05675aa75a1930138dcde63f015d
- SHA256: b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f
- SHA512: a02cc4150823edc78b3d3246fba7c9e554cc65d1ceda136d01f3bde29ce03b29f66ea6eb0a9a094a8c2a8fa9fb49dba8183f2642901deb65068a5df30eb5177d
- SSDEEP: 12288:/y90gaoacoBvaAOPeCGAbeTAKXsQHOxK51bEwS9K3kGC6z+JzhjiqvP/wcW5:/y/aoacg3CtCV0xuKUpCgc17Zu
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0008000000023caf-19.dat | healer |
| behavioral1/memory/4820-22-0x0000000000EF0000-0x0000000000EFA000-memory.dmp | healer |
Healer family
Modifies Windows Defender Real-time Protection settings

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it761873.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it761873.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it761873.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it761873.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it761873.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it761873.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 4648 | zitK8494.exe |
| 3964 | ziwS8433.exe |
| 4820 | it761873.exe |
| 4176 | jr700239.exe |
Windows security modification

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it761873.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zitK8494.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziwS8433.exe |
Launches sc.exe (1 IoC)

Sc.exe is a Windows utility to control services on the system.

| pid | Process |
| --- | --- |
| 3560 | sc.exe |
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr700239.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zitK8494.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziwS8433.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
| --- | --- |
| 4820 | it761873.exe |
| 4820 | it761873.exe |
Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4820 | it761873.exe |
| Token: SeDebugPrivilege | 4176 | jr700239.exe |
Suspicious use of WriteProcessMemory (11 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 4232 wrote to memory of 4648 | 4232 | b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe | 84 |
| PID 4232 wrote to memory of 4648 | 4232 | b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe | 84 |
| PID 4232 wrote to memory of 4648 | 4232 | b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe | 84 |
| PID 4648 wrote to memory of 3964 | 4648 | zitK8494.exe | 85 |
| PID 4648 wrote to memory of 3964 | 4648 | zitK8494.exe | 85 |
| PID 4648 wrote to memory of 3964 | 4648 | zitK8494.exe | 85 |
| PID 3964 wrote to memory of 4820 | 3964 | ziwS8433.exe | 86 |
| PID 3964 wrote to memory of 4820 | 3964 | ziwS8433.exe | 86 |
| PID 3964 wrote to memory of 4176 | 3964 | ziwS8433.exe | 95 |
| PID 3964 wrote to memory of 4176 | 3964 | ziwS8433.exe | 95 |
| PID 3964 wrote to memory of 4176 | 3964 | ziwS8433.exe | 95 |
Processes

C:\Users\Admin\AppData\Local\Temp\b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe (depth 1, PID 4232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b83c9355cd8899c270c7dd4dc0c4b05032ce6f9ab28ff2e23d509a18f224bf6f.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitK8494.exe (depth 2, PID 4648)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitK8494.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziwS8433.exe (depth 3, PID 3964)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziwS8433.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it761873.exe (depth 4, PID 4820)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it761873.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr700239.exe (depth 4, PID 4176)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr700239.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe (depth 1, PID 3560)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads