Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:57
Static task: static1
Behavioral task: behavioral1
Sample: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe
Resource: win10v2004-20241007-en
General
- Target: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe
- Size: 376KB
- MD5: fdf4ad48c5c9a8f7f85c8dfb461a1702
- SHA1: ffc2f7486a3568c32b6ce0839222516e9dd666da
- SHA256: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450
- SHA512: 4d3668b390fc5070cb4d50bbfe69d23c723205e590b7730ee9bf2ea3d0be0e34cea58223571ac3b5cc1a6ac5567e072c89e2376eb81e325f17ee67625da4045d
- SSDEEP: 6144:Kny+bnr+Hp0yN90QEEbVgUy5uMeyA/oE65PTEYuiVCcZRtNWYP1:NMrTy90jnReyA565oYuiVCcNNn
Malware Config
Signatures
- Detects Healer, an antivirus disabler dropper (2 IoCs)
  - behavioral1/files/0x0008000000023cbc-12.dat (yara_rule: healer)
  - behavioral1/memory/1116-15-0x00000000008A0000-0x00000000008AA000-memory.dmp (yara_rule: healer)
- Healer family
- Modifies Windows Defender Real-time Protection settings (signature name as listed for k6956980.exe in the process tree below)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: k6956980.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: k6956980.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: k6956980.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: k6956980.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: k6956980.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: k6956980.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  - behavioral1/files/0x0007000000023cbd-19.dat (yara_rule: family_redline)
  - behavioral1/memory/876-21-0x0000000000240000-0x0000000000268000-memory.dmp (yara_rule: family_redline)
- Redline family
- Executes dropped EXE (3 IoCs)
  - PID 4040: y4690222.exe
  - PID 1116: k6956980.exe
  - PID 876: l5880462.exe
- Windows security modification (signature name as listed for k6956980.exe in the process tree below)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: k6956980.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: y4690222.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: l5880462.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: y4690222.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 1116: k6956980.exe
  - PID 1116: k6956980.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege (PID 1116, process: k6956980.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 4492 wrote to memory of 4040 (process: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe, procid_target: 83)
  - PID 4492 wrote to memory of 4040 (process: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe, procid_target: 83)
  - PID 4492 wrote to memory of 4040 (process: 377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe, procid_target: 83)
  - PID 4040 wrote to memory of 1116 (process: y4690222.exe, procid_target: 84)
  - PID 4040 wrote to memory of 1116 (process: y4690222.exe, procid_target: 84)
  - PID 4040 wrote to memory of 876 (process: y4690222.exe, procid_target: 93)
  - PID 4040 wrote to memory of 876 (process: y4690222.exe, procid_target: 93)
  - PID 4040 wrote to memory of 876 (process: y4690222.exe, procid_target: 93)
Processes
- C:\Users\Admin\AppData\Local\Temp\377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\377e39ac6b592c81202a49627a311e67a948daeb950ac3823f2b69f0318d6450.exe"
  PID: 4492
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4690222.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4690222.exe
    PID: 4040
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6956980.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6956980.exe
      PID: 1116
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5880462.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5880462.exe
      PID: 876
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 204KB
  MD5: dd18f402ef1a0d59c704b4541220aa04
  SHA1: e59f4d922c46e574480a71f46c05406538719f73
  SHA256: 0aa33bbac5d374f7f7e62a1e4a31c83d37a0c3a1b6b5ba363aaa3e1c16b14f7d
  SHA512: 8cb698e29e78b1beebcbeb983e6fa8919a8345282e43f92293fb61917a513113cae47ace50551a38fa7c554c40d0edd9858de48196f95d2c7d7fa8fad84ff3cc
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 136KB
  MD5: 6e8ef3264d2f20d394d84809a3042b6a
  SHA1: b8c91b452db622a589a774ead74cec244d40ac4c
  SHA256: 8f488264baed9cca064c9ac8bb1566826336333ac5b1f891b45cfe0fb23ad815
  SHA512: 099d02da0093e8c672d99a1836f108e9e2114505df6104d42ff5156d7a8a3316372eb9be88b16f86ea3c5ebcf5c2102a5fe2da8bc4d2ae625665224f7c863acc