Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe
- Resource: win10v2004-20241007-en
General
- Target: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe
- Size: 569KB
- MD5: c9d241cfb7a7c3fcf2f31dfeb2f65d99
- SHA1: 9bc62227176bea6f5421f2a13c3aa27d155fd511
- SHA256: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277
- SHA512: b302cafdcf4016c9dc4c36e92f03fde4ee9aae5af7a1f48f5e76e9bf54bbe7c884b99f481161a5650c4a565e8716211b8f91bfb40bf3446bfc0c6de9d4fbbdaf
- SSDEEP: 12288:iy90XCBIulZQCBUG4YxGC7AiW47T1vENAkc+:iyxBIulZQkjT37tW47Hkj
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
- resource: behavioral1/files/0x000b000000023b9d-12.dat, yara_rule: healer
- resource: behavioral1/memory/2200-15-0x0000000000BE0000-0x0000000000BEA000-memory.dmp, yara_rule: healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: it155784.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: it155784.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: it155784.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: it155784.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: it155784.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: it155784.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs: family_redline YARA matches on memory dumps of PID 2412, kp545341.exe)
Redline family
Executes dropped EXE (3 IoCs)
- PID 4948: ziQM3381.exe
- PID 2200: it155784.exe
- PID 2412: kp545341.exe
Windows security modification (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: it155784.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: ziQM3381.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ziQM3381.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: kp545341.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2200: it155784.exe
- PID 2200: it155784.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2200: it155784.exe
- Token: SeDebugPrivilege, PID 2412: kp545341.exe
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2444 wrote to memory of 4948 (process: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe, procid_target: 84)
- PID 2444 wrote to memory of 4948 (process: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe, procid_target: 84)
- PID 2444 wrote to memory of 4948 (process: 305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe, procid_target: 84)
- PID 4948 wrote to memory of 2200 (process: ziQM3381.exe, procid_target: 85)
- PID 4948 wrote to memory of 2200 (process: ziQM3381.exe, procid_target: 85)
- PID 4948 wrote to memory of 2412 (process: ziQM3381.exe, procid_target: 95)
- PID 4948 wrote to memory of 2412 (process: ziQM3381.exe, procid_target: 95)
- PID 4948 wrote to memory of 2412 (process: ziQM3381.exe, procid_target: 95)
Processes
- C:\Users\Admin\AppData\Local\Temp\305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe (PID 2444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\305b69b779ec95afa82e5e4a533f3f93dcc4a7bee1f0cdf8a4206588ee572277.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQM3381.exe (PID 4948)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQM3381.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it155784.exe (PID 2200)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it155784.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp545341.exe (PID 2412)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp545341.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 415KB
- Filesize: 11KB
- Filesize: 368KB