Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:58
Static task: static1
Behavioral task: behavioral1
Sample: 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe
Resource: win10v2004-20241007-en
General
Target: 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe
Size: 481KB
MD5: d2733a12ae7654140128e69465d829ef
SHA1: fe1a959f48a9972963c0c95c7aa37f61826ec1eb
SHA256: 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c
SHA512: 6ac182e94afb244e3656a2149382c406fc6c98a4aca0573cf482f546dba7f61b692042d0567550bf4fba4ae349009fea30d3c2323f44e9a5360c6aebd29ba204
SSDEEP: 12288:RMrry90k2Qci1BLe0oIu2sXtAkv0ZlWSFs:iy32jeRJoHckv0nW4s
Malware Config
Extracted
Family: redline
Botnet: misfa
C2: 217.196.96.101:4132
auth_value: be2e6d9f1a5e54a81340947b20e561c1
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource (yara_rule: healer):
- behavioral1/memory/3924-15-0x0000000002160000-0x000000000217A000-memory.dmp
- behavioral1/memory/3924-19-0x0000000002520000-0x0000000002538000-memory.dmp
- behavioral1/memory/3924-41-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-47-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-45-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-43-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-39-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-37-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-35-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-33-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-31-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-29-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-27-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-25-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-23-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-21-0x0000000002520000-0x0000000002532000-memory.dmp
- behavioral1/memory/3924-20-0x0000000002520000-0x0000000002532000-memory.dmp
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description / ioc (process: a9864560.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource (yara_rule: family_redline):
- behavioral1/files/0x0007000000023c81-53.dat
- behavioral1/memory/856-55-0x00000000006F0000-0x000000000071E000-memory.dmp
Redline family
Executes dropped EXE (3 IoCs)
pid / Process:
- 3084 v0635475.exe
- 3924 a9864560.exe
- 856 b6429715.exe
Windows security modification (2 IoCs)
description / ioc (process: a9864560.exe):
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: v0635475.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: v0635475.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a9864560.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b6429715.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 3924 a9864560.exe
- 3924 a9864560.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege (pid 3924, a9864560.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
- PID 4024 wrote to memory of 3084 (pid 4024, 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe, target 83)
- PID 4024 wrote to memory of 3084 (pid 4024, 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe, target 83)
- PID 4024 wrote to memory of 3084 (pid 4024, 3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe, target 83)
- PID 3084 wrote to memory of 3924 (pid 3084, v0635475.exe, target 85)
- PID 3084 wrote to memory of 3924 (pid 3084, v0635475.exe, target 85)
- PID 3084 wrote to memory of 3924 (pid 3084, v0635475.exe, target 85)
- PID 3084 wrote to memory of 856 (pid 3084, v0635475.exe, target 92)
- PID 3084 wrote to memory of 856 (pid 3084, v0635475.exe, target 92)
- PID 3084 wrote to memory of 856 (pid 3084, v0635475.exe, target 92)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3348870bf55e555bf933ed84d8e5a6b8b15db45852d26750873514a337979b5c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4024

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0635475.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0635475.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3084

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9864560.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9864560.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3924

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6429715.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6429715.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 856
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 309KB
MD5: e12c014972ecf3cb6551044c605e4e26
SHA1: 6432f4a4ef6ae20dc389373d1bc86aca7c654930
SHA256: b35e35d3c9fb97b8c724b4d35b69edd0c73e6bbdde8978606edbcaac7320ba0e
SHA512: 8e49637e1fc653b7649f44e24a2c42e912bf164b9fe377d852f5bab963ef7bd8b3edcd1e9156db4eb29c8b891c6277387851d35a53b095e64ca071abe1596c5a

Filesize: 177KB
MD5: ad84ecebea379aa8da0e739fe9c78121
SHA1: f589fe6f42b271019607af6d211b5d8149c812fc
SHA256: 81a08168f5d22dad67e79b47f7715de1df4883c3ca37d30d6a8efad26912d989
SHA512: 62aaff6b447ce1e1a2fcc0afe55e1cf606fd616ea689e0ec5dfd33461b009d01a7a6b7b1a1ebec19d29af7c81b246038ff089aa3460ad79b2e658b12ba548469

Filesize: 168KB
MD5: 31bdd15cae7701476422cec4fe8447be
SHA1: e37b6a907af86163fc89502e9ec7228b94b49940
SHA256: baad8179c2939044880acf7dfdabfc90595c0e40a6296851e4a54f82be3ca01d
SHA512: 0dff78483d7cf531d1d501fbaed60a9d5ef8dd6efe5c86f51bf65b2c25fd80bb3ebdb4d7b412026cc113b124c93b67b22121a391b0586e353b14a9ec3de5745a