Analysis
max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:58
Static task: static1
Behavioral task: behavioral1
Sample: 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe
Resource: win10v2004-20241007-en
General
Target: 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe
Size: 480KB
MD5: ea2189a1c77af0ec95c34dba54071aed
SHA1: 3f67b82ab1d2380ae4803a3328c4abd4fe170691
SHA256: 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a
SHA512: 29f17d62d05cfa559197361095f8ce1d86bc4b09e7aef3c9e16245906a89105fc89277fa862de38d341a5a555a17e63936225e954e191833a675423bc9b114be
SSDEEP: 6144:Kqy+bnr+zp0yN90QETL+i/LqkisAp7B5/kch4gG/PiNbxbcpN7Hs+7VLwuhD/fga:+Mrry90BtssApL/kcVbxQMoLww4/i
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a5833093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5833093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5833093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5833093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5833093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5833093.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023bd2-54.dat | family_redline
behavioral1/memory/2044-56-0x0000000000C40000-0x0000000000C68000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
3368 | v8579548.exe
756 | a5833093.exe
2044 | b0014086.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5833093.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a5833093.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8579548.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v8579548.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5833093.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0014086.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
756 | a5833093.exe
756 | a5833093.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 756 | a5833093.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1176 wrote to memory of 3368 | 1176 | 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe | 83
PID 1176 wrote to memory of 3368 | 1176 | 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe | 83
PID 1176 wrote to memory of 3368 | 1176 | 6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe | 83
PID 3368 wrote to memory of 756 | 3368 | v8579548.exe | 84
PID 3368 wrote to memory of 756 | 3368 | v8579548.exe | 84
PID 3368 wrote to memory of 756 | 3368 | v8579548.exe | 84
PID 3368 wrote to memory of 2044 | 3368 | v8579548.exe | 95
PID 3368 wrote to memory of 2044 | 3368 | v8579548.exe | 95
PID 3368 wrote to memory of 2044 | 3368 | v8579548.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6810ce175b65d169fa6b9a45e595ddd451fa60157e6f4f194efb510763062a0a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1176
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8579548.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8579548.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3368
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5833093.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5833093.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 756
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0014086.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0014086.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2044
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 308KB
  MD5: d97e104a238a4c8e8ef4be348deb9b0c
  SHA1: 7f4b0df51216dec0bcb491f54221c177f6285093
  SHA256: 579a1a378d320d4a3a7ca3cbfc484dd6a2b96787816b3393e39aced7af032deb
  SHA512: d700123b023921477631483bb868136d18fc801340344c06046f66c0c810d960358d582184878c2f0f9c1904781a1098ddffad9c958e658a6dbc397d6f723102
- Filesize: 175KB
  MD5: 84b17549722d461d7f74f303eb15cd90
  SHA1: bd9d461a857266ec90bdd7ac0d0a170743e5ab8c
  SHA256: ef4ae8575ffe36799a8831baea716f9d506fd58752e17e5ca9ce962058a4a789
  SHA512: 0d7d4953c18169301981530acd97fa45cc0bffe07b7f03514d3f04e8e34217409fed777104b651632b2b5a4b3328a323936718a8d58364a7889532142eaba1c5
- Filesize: 136KB
  MD5: d761b483361ead4b2b279af34ac67e41
  SHA1: 47771b1ef02fd4c159ba3b2cd744d99739dee5f6
  SHA256: 94e5eada65839a3dcc6ef8b3fed3177351c707e5ffc531c44766655cdd538e77
  SHA512: fe151b7efc349a8e63a31a2041b7c4a48bb44fd334931d790abd66cc955c72c1909d8aec7d861849c963f09898a4befffbca3d3626d67ed90a424cb4cd160127