Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 20:50
Static task: static1
Behavioral task: behavioral1
Sample: 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe
Resource: win10v2004-20241007-en
General
Target: 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe
Size: 490KB
MD5: 1215d76105b0078674248a8cb221c748
SHA1: db1016eb26aa74a2149c7d5d1b6d63adef0c3313
SHA256: 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb
SHA512: f6d00c0a8d8f66d46ed239d28471a53ddb1f4777e0fca97c946e0018f1c744c327fe4a531e64c6a84e54e051c3d4a82f059200ff16b23be5d0f3b9a8b3acecce
SSDEEP: 12288:xMrqy90Mj0cJSaGqqX1G0oAbziFQkQAj89lE0G0/:HyRjVTUX1G0FxkX43/
Malware Config
Extracted
family: redline
lulsa
C2: 217.196.96.101:4132
auth_value: 2bb8e3870ce0ad119d2840b124222121
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/372-15-0x0000000000960000-0x000000000097A000-memory.dmp | healer
behavioral1/memory/372-18-0x00000000021D0000-0x00000000021E8000-memory.dmp | healer
behavioral1/memory/372-25-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-23-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-47-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-45-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-43-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-41-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-39-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-37-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-35-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-33-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-21-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-20-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-31-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-29-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer
behavioral1/memory/372-27-0x00000000021D0000-0x00000000021E2000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | o4594391.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o4594391.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o4594391.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o4594391.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o4594391.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o4594391.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000023cbd-54.dat | family_redline
behavioral1/memory/5028-56-0x0000000000280000-0x00000000002B0000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
4616 | z1501834.exe
372 | o4594391.exe
5028 | r9632447.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | o4594391.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | o4594391.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z1501834.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | z1501834.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | o4594391.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r9632447.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
372 | o4594391.exe
372 | o4594391.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 372 | o4594391.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3164 wrote to memory of 4616 | 3164 | 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe | 84
PID 3164 wrote to memory of 4616 | 3164 | 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe | 84
PID 3164 wrote to memory of 4616 | 3164 | 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe | 84
PID 4616 wrote to memory of 372 | 4616 | z1501834.exe | 85
PID 4616 wrote to memory of 372 | 4616 | z1501834.exe | 85
PID 4616 wrote to memory of 372 | 4616 | z1501834.exe | 85
PID 4616 wrote to memory of 5028 | 4616 | z1501834.exe | 94
PID 4616 wrote to memory of 5028 | 4616 | z1501834.exe | 94
PID 4616 wrote to memory of 5028 | 4616 | z1501834.exe | 94
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3164

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4616

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 372

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5028
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 307KB
MD5: 3d2f4ef876bd909c0b6d75673702d38d
SHA1: 707097866b5af1bf4db16f389d085042fbe43b82
SHA256: 9ddc432228d4ba9e10ec94b5f782b97320bc748884abc0e89fdc44c30a4f7b60
SHA512: 9f5a899f3c73aac480c50c2ee5bd369183e35686a63e4e92b17bd9847405f3549bbc2fb3fb1ac62eaa8b878fe4047bde409f388052264b4ff0a83b333d1dde29

Filesize: 181KB
MD5: e8718337779b9a242b1d796090552450
SHA1: 9357adfb8e3c0a9c52d7cca79dcca38d855d289b
SHA256: 8fa0ce732399bf674d7b33cc6ad6762fa92aaaaead6e419c73361cf200f2b7b4
SHA512: 316d6415e2d6a91f30f7da357c4ac0604ae61523ca51c36b4bf33af8f06ffed68ba1754dd98be5bfd9dafd8f34388c56782fb4d4d922f3fb838bd6422fa6e0fb

Filesize: 168KB
MD5: 65a87881f0802e85c5c2ce4122508680
SHA1: 899fe5a301af18797cd8ea6aaff94299733f1934
SHA256: 7ec8e27669397c45b6d132adfef1b023fa60deacdc5bbf26dde973224a5a7090
SHA512: 720bd6ef2681752e29b3094ba6e9d38c206a69bdf3546fc6bf5e056aae7fca1216ece7c5f649aaa5aa56f2d3d77593a972628428ed50d88909c39a6fa5691b84