Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:56
Static task: static1
Behavioral task: behavioral1
Sample: 8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe
Resource: win10v2004-20241007-en
General
Target: 8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe
Size: 682KB
MD5: ccb03bf02f686ffb7e2c18d744ffa957
SHA1: b6e431156cd186046c37321cf8aa004e8c697293
SHA256: 8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231
SHA512: 29f40001ec5a58e13b2f87df652324ed2354d38dc9d7e91606b84d0df8a63e1e2495d3ebf07dc4d0123ed198a83e652458094eb52dde9b8f806352f0958c4df4
SSDEEP: 12288:0MrCy90RJPQxFfs1kGxNCH+RDQbkiBWZPuk/CO4PqNeSxX:my04KxLpQb3WLCO4PqNeSxX
Malware Config
Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
YARA rule "healer" matched 17 memory dumps of PID 1732 (pro4106.exe).
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro4106.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro4106.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro4106.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro4106.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro4106.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro4106.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
YARA rule "family_redline" matched 20 memory dumps of PID 1968 (qu2332.exe).
Redline family
Executes dropped EXE (3 IoCs)
- PID 3184: un211849.exe
- PID 1732: pro4106.exe
- PID 1968: qu2332.exe
Windows security modification (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro4106.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro4106.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un211849.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe)
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
- PID 4964: sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (un211849.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (pro4106.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qu2332.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1732: pro4106.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1732 (pro4106.exe)
- Token: SeDebugPrivilege, PID 1968 (qu2332.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3056 (8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe) wrote to memory of PID 3184; procid_target 83 (3 events)
- PID 3184 (un211849.exe) wrote to memory of PID 1732; procid_target 84 (3 events)
- PID 3184 (un211849.exe) wrote to memory of PID 1968; procid_target 95 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe (PID 3056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8083a15c972bda5bcbba44e9db10abc8b38528948166828bc6567845e4835231.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211849.exe (PID 3184)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un211849.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4106.exe (PID 1732)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4106.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2332.exe (PID 1968)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2332.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe (PID 4964)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)