Analysis
- max time kernel: 140s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe
- Resource: win10v2004-20241007-en
General
- Target: c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe
- Size: 569KB
- MD5: 765ba94352bfa0d803cd34fc64b474ed
- SHA1: ee2b927d27d026e28a099eac39a207d2abb28566
- SHA256: c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897
- SHA512: a4127c5f00fc6e0bce57c147d41dfb33cf9c63880f539792b0260f1afcf59399ee6e820c21abce34185bc509963d70b8b6f77d67f558db3184e3c62c5bd9911a
- SSDEEP: 12288:sy90w3p2FhBrUaF5dTnhY8L0LT3hA04L10/:sy35HaxTnrLYRmI
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
Both hits point at the same stage: the dropped file and the memory of PID 3132 (it666516.exe), which is the process that makes the Windows Defender changes listed below.
- behavioral1/files/0x0009000000023c2c-12.dat: healer
- behavioral1/memory/3132-15-0x0000000000080000-0x000000000008A000-memory.dmp: healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
All writes go to the Policies hive, which Defender honours whether or not a Group Policy object exists, so a local write is enough to switch each protection off unless Tamper Protection blocks it.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (it666516.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (it666516.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (it666516.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (it666516.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (it666516.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (it666516.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Every hit is in the memory of PID 1652 (kp826838.exe); after the first two dumps the same 0x35000-byte region is matched on each subsequent scan.
- behavioral1/memory/1652-22-0x0000000007230000-0x000000000726C000-memory.dmp: family_redline
- behavioral1/memory/1652-24-0x00000000078A0000-0x00000000078DA000-memory.dmp: family_redline
- behavioral1/memory/1652-N-0x00000000078A0000-0x00000000078D5000-memory.dmp: family_redline, for N in 25, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88 (33 dumps of the same region)
Redline family
Executes dropped EXE (3 IoCs)
- PID 3672: zicG6694.exe
- PID 3132: it666516.exe
- PID 1652: kp826838.exe

Windows security modification (1 IoC)
Writing 0 here is a direct attempt to switch Tamper Protection off. On a host where Tamper Protection is enabled this value is itself protected, so the event shows intent; it does not by itself prove the change took effect.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (it666516.exe)
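The two signatures above are the whole of the loader's anti-AV work, and the registry lines are regular enough to detect mechanically. The following Python is an added example for this report (it is neither sandbox tooling nor code from the sample): it parses registry-event lines in the shape the report uses and flags exactly the two kinds of tampering listed, Real-Time Protection policy values set to 1 and TamperProtection set to 0, attributing each to the writing process. The event lines are constructed from the IoCs in this report; the column layout (description, ioc, Process) is assumed from the report's own headers.

```python
"""Flag Windows Defender tampering in sandbox registry-event lines.

Added example for this report; not sandbox or malware code. REG_EVENTS is
constructed from the report's IoCs, and the line layout
'Set value (<type>) <path> = "<data>" <process>' is assumed from the report.
"""
import re
from collections import defaultdict

# Policy values Healer sets to 1. Defender honours this Policies key even when
# no Group Policy object exists, so a local write is enough to switch each off.
RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
                  r"\Real-Time Protection")
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Key holding the value the sample writes to try to switch Tamper Protection off.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

_SET_VALUE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)

# Constructed from the report's "Modifies Windows Defender Real-time Protection
# settings", "Windows security modification" and "Adds Run key" IoCs.
REG_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it666516.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it666516.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it666516.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it666516.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it666516.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it666516.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it666516.exe',
    # A string value from the same report: not a Defender switch, must be ignored.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe',
]


def parse_set_value(line):
    """Split one 'Set value' event into key, value name, data and writer; None for other events."""
    m = _SET_VALUE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"type": m.group("type"), "key": key, "name": name,
            "data": m.group("data"), "proc": m.group("proc")}


def defender_impairment(lines):
    """Map each writing process to the Defender protections it tried to switch off."""
    findings = defaultdict(lambda: {"rtp_disabled": set(), "tamper_protection_off": False})
    for line in lines:
        ev = parse_set_value(line)
        if ev is None or ev["type"] != "int":
            continue  # key creations and string values carry no Defender switch
        key = ev["key"].lower()
        if key == RTP_POLICY_KEY.lower() and ev["name"] in RTP_DISABLE_VALUES and ev["data"] == "1":
            findings[ev["proc"]]["rtp_disabled"].add(ev["name"])
        elif key == FEATURES_KEY.lower() and ev["name"] == "TamperProtection" and ev["data"] == "0":
            findings[ev["proc"]]["tamper_protection_off"] = True
    return dict(findings)


def summarize(findings):
    """One line per offending process, suitable for a triage note."""
    out = []
    for proc, f in sorted(findings.items()):
        parts = []
        if f["rtp_disabled"]:
            parts.append(f"disabled {len(f['rtp_disabled'])} real-time protection settings")
        if f["tamper_protection_off"]:
            parts.append("set TamperProtection=0")
        out.append(f"{proc}: " + ", ".join(parts))
    return out


if __name__ == "__main__":
    for line in summarize(defender_impairment(REG_EVENTS)):
        print(line)
```

On a live host the same five value names can be read from HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection with Get-ItemProperty; any of them at 1 on a machine that has no policy setting it is a finding. Keep in mind that where Tamper Protection is on, Defender is designed to block or revert exactly these writes, so the sandbox records what the loader attempted rather than what took effect.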
Adds Run key to start application (2 TTPs, 2 IoCs)
Both values are the standard cleanup entries written by the Windows self-extractor stub (wextract, as used by IExpress packages) that unpacked each stage into IXP000.TMP and IXP001.TMP: at next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the temp directory. The signature maps them to Registry Run Keys / Startup Folder, but they remove the staging directories rather than relaunch the payload, so they are not persistence for RedLine.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (zicG6694.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zicG6694.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kp826838.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3132: it666516.exe
- PID 3132: it666516.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3132 (it666516.exe)
- Token: SeDebugPrivilege, PID 1652 (kp826838.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
Columns: description, pid, Process, procid_target.
- PID 3904 wrote to memory of 3672; 3904 c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe; target 83
- PID 3904 wrote to memory of 3672; 3904 c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe; target 83
- PID 3904 wrote to memory of 3672; 3904 c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe; target 83
- PID 3672 wrote to memory of 3132; 3672 zicG6694.exe; target 86
- PID 3672 wrote to memory of 3132; 3672 zicG6694.exe; target 86
- PID 3672 wrote to memory of 1652; 3672 zicG6694.exe; target 93
- PID 3672 wrote to memory of 1652; 3672 zicG6694.exe; target 93
- PID 3672 wrote to memory of 1652; 3672 zicG6694.exe; target 93
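Every target PID in the list above is a child the writer itself launched, which is the pattern of an ordinary process start as the sandbox records it, not of injection into a foreign process. The following Python is an added example for this report (not sandbox code): it rebuilds the parent/child chain from lines in that shape, counts writes per edge, and flags any write whose target is not among the PIDs the report lists under "Executes dropped EXE", which is the shape an injection into an unrelated process would take. Sample lines and the PID-to-image map are constructed from the report's IoCs; the column order (description, pid, Process, procid_target) is assumed from the report's own header.

```python
"""Rebuild the process chain from sandbox WriteProcessMemory events.

Added example; not sandbox code. WPM_EVENTS and DROPPED are constructed from
the report's IoCs. The column order 'PID <src> wrote to memory of <dst> <src>
<image> <procid_target>' is assumed from the report's header.
"""
import re
from collections import Counter, defaultdict

_WPM = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# Constructed from the report's "Suspicious use of WriteProcessMemory" IoCs.
WPM_EVENTS = [
    "PID 3904 wrote to memory of 3672 3904 c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe 83",
    "PID 3904 wrote to memory of 3672 3904 c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe 83",
    "PID 3904 wrote to memory of 3672 3904 c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe 83",
    "PID 3672 wrote to memory of 3132 3672 zicG6694.exe 86",
    "PID 3672 wrote to memory of 3132 3672 zicG6694.exe 86",
    "PID 3672 wrote to memory of 1652 3672 zicG6694.exe 93",
    "PID 3672 wrote to memory of 1652 3672 zicG6694.exe 93",
    "PID 3672 wrote to memory of 1652 3672 zicG6694.exe 93",
]

# PIDs the report lists under "Executes dropped EXE".
DROPPED = {3672: "zicG6694.exe", 3132: "it666516.exe", 1652: "kp826838.exe"}


def parse_wpm(lines):
    """Count writes per (writer, target) pair and remember each writer's image name."""
    edges = Counter()
    images = {}
    for line in lines:
        m = _WPM.search(line)
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        edges[(src, dst)] += 1
        images[src] = m.group("image")
    return edges, images


def build_tree(edges):
    """Parent pid -> sorted child pids."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    return {p: sorted(c) for p, c in children.items()}


def roots(edges):
    """Writers that nobody wrote into: the top of each chain."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def render(tree, images, pid, depth=0):
    """Indented text tree, two spaces per level."""
    lines = ["  " * depth + f"{pid} {images.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, images, child, depth + 1))
    return lines


def foreign_writes(edges, spawned):
    """(writer, target, count) for writes into a pid that is not a dropped child: the injection shape."""
    return sorted((s, d, n) for (s, d), n in edges.items() if d not in spawned)


if __name__ == "__main__":
    edges, images = parse_wpm(WPM_EVENTS)
    images.update(DROPPED)
    for root in roots(edges):
        print("\n".join(render(build_tree(edges), images, root)))
    print("foreign writes:", foreign_writes(edges, set(DROPPED)))
```

The repeated writes per edge (three into 3672, two into 3132, three into 1652) are why the signature counts eight IoCs for three launches; a single edge with a large count, or any entry from foreign_writes, is what would turn this from a launch chain into an injection lead.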
Processes
The chain is a two-level self-extractor: the sample unpacks zicG6694.exe into IXP000.TMP, and that stage unpacks it666516.exe (the Healer hit, Defender disabler) and kp826838.exe (the RedLine hit) into IXP001.TMP.
1. C:\Users\Admin\AppData\Local\Temp\c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe (PID 3904)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c548d0fab7e854a99b82604c2aaca75a4ae1b9d21ecf0851c277df20d572b897.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicG6694.exe (PID 3672, child of 3904)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicG6694.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it666516.exe (PID 3132, child of 3672)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it666516.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp826838.exe (PID 1652, child of 3672)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp826838.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Dropped file, 415KB
- MD5: 594b0b6c8ba76bdd258d909227708eec
- SHA1: 84f40ce24c7816746b4b9cc908d7bfb6dbac1b58
- SHA256: 0f22adb86bc3b7e34089e8a80b378fbd96bc3fac63bfea3dc5fd26c04a2075e2
- SHA512: 27330921d578410a7482895e50c985167d806bd126bb41b442e7ca531b4d04ec6577e822646cb5d30e2894c3841076e6a10a43aefc7d72a191dee9d07a01ff24

Dropped file, 11KB
- MD5: 7e93bacbbc33e6652e147e7fe07572a0
- SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
- SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
- SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Dropped file, 382KB
- MD5: 3e7afef9109dadbb1e4420520db61f51
- SHA1: 64e244c6859a70513e77f95433d1f0336c65dc16
- SHA256: 34b8be5115ba6c4245352866e8c0143e43699e4b8ab2ce3581c7a9883fc5dae6
- SHA512: 9864b8957548af3669138a53296c8371e21c24f6325dffe7cf02e3c621fa76ba2c78f70c11d4bbcdc999699d987500cec08d9f35056d42c6dabfe80ca87dc621