Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 21:47
Static task
static1
Behavioral task
behavioral1
Sample
ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe
Resource
win10v2004-20241007-en
General
-
Target
ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe
-
Size
479KB
-
MD5
00094a0be7cfc5ec649041acaf0a2439
-
SHA1
4111726cfa214895355d03d618838ef07f5ac946
-
SHA256
ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993
-
SHA512
457de62acf095c342359c08adae77f752a55922c765340040bf50efb7068978c2d2abf9f0db2adef554337490acd2813a57926bd560824d8a5fd9d53029577b6
-
SSDEEP
12288:iMrty90TxOs+EAB3Jfc6Hok/fPEo7UyIz10:XyRFJfc6bIl10
Malware Config
Extracted
Family redline
Botnet morty
C2 217.196.96.101:4132
-
Attributes
auth_value fe1a24c211cc8e5bf9ff11c737ce0e97
Signatures
-
Detects Healer, an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/1376-15-0x00000000022E0000-0x00000000022FA000-memory.dmp  healer
behavioral1/memory/1376-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp  healer
behavioral1/memory/1376-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/1376-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a7111238.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a7111238.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a7111238.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a7111238.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a7111238.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a7111238.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource  yara_rule
behavioral1/files/0x000a000000023b79-54.dat  family_redline
behavioral1/memory/3516-56-0x0000000000E10000-0x0000000000E3E000-memory.dmp  family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid  Process
2276  v1928575.exe
1376  a7111238.exe
3516  b7654610.exe
-
Windows security modification 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a7111238.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a7111238.exe
-
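The two Defender signatures above (the Real-Time Protection policy values set to 1 and TamperProtection set to 0, both by a7111238.exe) are the checks a responder wants to run on any host that executed this sample. The script below is an added example, not part of the sandbox report; it reads the value names and key paths straight from the report, checks both the native and the WOW6432Node registry views (the report logs the WOW6432Node path, written by a 32-bit process), and cross-checks the live engine state with Get-MpComputerStatus. The function name Test-HealerDefenderTampering is our own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the sandbox report): audit a host for the Defender
# registry changes this report attributes to a7111238.exe (the Healer stage).
# Function name is ours; value names and key paths are copied from the report.
function Test-HealerDefenderTampering {
    [CmdletBinding()]
    param()

    # Values the report shows being set to 1 under ...\Real-Time Protection
    $rtpValues = @(
        'DisableBehaviorMonitoring',
        'DisableIOAVProtection',
        'DisableOnAccessProtection',
        'DisableRealtimeMonitoring',
        'DisableScanOnRealtimeEnable'
    )

    # The report logs the WOW6432Node path; check both views so a 64-bit shell
    # does not miss a value written through the 32-bit view (or vice versa).
    $rtpKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
        'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
    )
    $featureKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($key in $rtpKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $rtpValues) {
            $v = $props.PSObject.Properties[$name]
            if ($null -ne $v -and [int]$v.Value -eq 1) {
                $findings.Add([pscustomobject]@{ Key = $key; Value = $name; Data = $v.Value })
            }
        }
    }

    foreach ($key in $featureKeys) {
        if (-not (Test-Path $key)) { continue }
        $tp = (Get-ItemProperty -Path $key).PSObject.Properties['TamperProtection']
        if ($null -ne $tp -and [int]$tp.Value -eq 0) {
            $findings.Add([pscustomobject]@{ Key = $key; Value = 'TamperProtection'; Data = $tp.Value })
        }
    }

    # Policy values only matter if the engine honoured them: read the live state.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        $flags = 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                 'IoavProtectionEnabled', 'OnAccessProtectionEnabled', 'IsTamperProtected'
        foreach ($p in $flags) {
            if (-not $status.$p) {
                $findings.Add([pscustomobject]@{ Key = 'Get-MpComputerStatus'; Value = $p; Data = $false })
            }
        }
    }

    # Leftover IExpress extraction folders from the process tree (IXP000.TMP,
    # IXP001.TMP). Note: this looks in the current user's %TEMP%; for another
    # account, point it at that user's AppData\Local\Temp instead.
    Get-ChildItem -Path "$env:TEMP\IXP00*.TMP" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Key = 'Filesystem'; Value = $_.FullName; Data = 'present' })
        }

    return $findings
}

Test-HealerDefenderTampering | Format-Table -AutoSize
```

An empty table means none of the reported values are present and Defender reports all five protections enabled. Any row is a finding: the registry rows tell you the policy override is still in place (remove it and re-enable Tamper Protection through the Security app or MDM, since a value set to 0 under Features is exactly the state Tamper Protection is meant to prevent), and the Get-MpComputerStatus rows tell you the engine is currently running without that protection.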
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v1928575.exe
Note: both RunOnce values are the standard wextract_cleanupN entries that an IExpress self-extracting package writes so that its IXP00N.TMP extraction directory is deleted (advpack.dll DelNodeRunDLL32) at the next logon. They show that the sample and v1928575.exe are nested IExpress wrappers; they do not re-launch the payloads and are not persistence in the usual sense.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v1928575.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a7111238.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b7654610.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
1376  a7111238.exe
1376  a7111238.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  1376  a7111238.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 3768 wrote to memory of 2276  3768  ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe  85
PID 3768 wrote to memory of 2276  3768  ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe  85
PID 3768 wrote to memory of 2276  3768  ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe  85
PID 2276 wrote to memory of 1376  2276  v1928575.exe  86
PID 2276 wrote to memory of 1376  2276  v1928575.exe  86
PID 2276 wrote to memory of 1376  2276  v1928575.exe  86
PID 2276 wrote to memory of 3516  2276  v1928575.exe  89
PID 2276 wrote to memory of 3516  2276  v1928575.exe  89
PID 2276 wrote to memory of 3516  2276  v1928575.exe  89
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce580d7e396d4ea838280dc1df5c96ba15f12f48f636baed921d944c9070b993.exe"
    PID: 3768
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe (child of PID 3768)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1928575.exe
        PID: 2276
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe (child of PID 2276)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7111238.exe
            PID: 1376
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe (child of PID 2276)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7654610.exe
            PID: 3516
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize 307KB
MD5 0f7d47a0299def03ca3ef88b86ed9b0c
SHA1 47e7fcb6b2b170b1293e164d96b8f7b9e388d93b
SHA256 54a3fde7e46d1272a10e4cd5afc50c2617b54df80e0c056c3efd1be38c49469d
SHA512 00f3841c6b96d351a73cff9bb4b9262c8b1be97be8f707749e2b1d84b3361f8f3ba4fec80a03d5feae2efa47e3ea232eba390868fdf1b0d63d731480a489611b
-
Filesize 178KB
MD5 6d735b881e688fdad871d365b9658884
SHA1 254805a6938659202acd6ad816aa831b1c9b8aea
SHA256 e22287fb4c517a7aff4aa45c9167e5ff3d75cd6f388873ec50737ccef98f044c
SHA512 daf25fc101f8ca17f2a78660290f71206032e740736c15f133033fca39c07171ea0191bc21ee3880deae731d57de3ad3263225f96d946f8aad3715f0281d425d
-
Filesize 168KB
MD5 31a1d5fc103ed9748d799939a341d64d
SHA1 d353f0437ebf301fec4eb0d4325720c834b0a7f4
SHA256 449cf4bf7bae17b69f23caa3686b66fb65f637ccae279860906bfebc23f99b05
SHA512 46c72d5c51224eb2f2c6c111cd04dc5151c1782e72d886697224c889078824afc97acd188f9aec83afe6bb3a26c6798c1fbf271bf02f23fdf6bd6bfb2706068a