Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 05:02

Static task: static1
Behavioral task: behavioral1
- Sample: 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe
- Resource: win10v2004-20241007-en
General
- Target: 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe
- Size: 479KB
- MD5: 7507388efa6d22fd4da4cb098ca01ad1
- SHA1: 0a1e6fb1959f2d37122bca384284f87a3437f001
- SHA256: 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0
- SHA512: 94c62d299b513aefbda5741445cc8f9e2cb3f8a72debee8c08aefc51a674de924423b9d91a6ec1835d07c0ed0d3c6ef7850a2134c615e3ddaab11d7f941730bb
- SSDEEP: 12288:gMrjy90CvwnYBu+a6wdHTHL4CioRp/cfog6Yq/:Tyanj+av5nRpC6B/
Malware Config
Extracted
- Family: redline
- Botnet: morty
- C2: 217.196.96.101:4132
- auth_value: fe1a24c211cc8e5bf9ff11c737ce0e97
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2952-15-0x00000000022A0000-0x00000000022BA000-memory.dmp: healer
  - behavioral1/memory/2952-19-0x0000000004980000-0x0000000004998000-memory.dmp: healer
  - behavioral1/memory/2952-47-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-45-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-43-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-41-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-39-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-37-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-35-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-33-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-31-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-29-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-27-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-25-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-23-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-21-0x0000000004980000-0x0000000004992000-memory.dmp: healer
  - behavioral1/memory/2952-20-0x0000000004980000-0x0000000004992000-memory.dmp: healer
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  Process / description / ioc:
  - a4563776.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  - a4563776.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - a4563776.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - a4563776.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  - a4563776.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  - a4563776.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x000a000000023b7e-54.dat: family_redline
  - behavioral1/memory/3076-56-0x0000000000D50000-0x0000000000D7E000-memory.dmp: family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 1692: v4332584.exe
  - 2952: a4563776.exe
  - 3076: b6534444.exe
- Windows security modification (2 IoCs)
  Process / description / ioc:
  - a4563776.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  - a4563776.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process / description / ioc:
  - 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  - v4332584.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process / description / ioc:
  - 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - v4332584.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - a4563776.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - b6534444.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
  - 2952: a4563776.exe
  - 2952: a4563776.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege; 2952; a4563776.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 4992 wrote to memory of 1692; 4992; 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe; 85
  - PID 4992 wrote to memory of 1692; 4992; 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe; 85
  - PID 4992 wrote to memory of 1692; 4992; 8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe; 85
  - PID 1692 wrote to memory of 2952; 1692; v4332584.exe; 86
  - PID 1692 wrote to memory of 2952; 1692; v4332584.exe; 86
  - PID 1692 wrote to memory of 2952; 1692; v4332584.exe; 86
  - PID 1692 wrote to memory of 3076; 1692; v4332584.exe; 98
  - PID 1692 wrote to memory of 3076; 1692; v4332584.exe; 98
  - PID 1692 wrote to memory of 3076; 1692; v4332584.exe; 98
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d87beb9d708dcb7cd5e0281c4c525397a8e4d60190b2569f1bf5fcca598ddf0.exe"
   PID: 4992
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4332584.exe
      PID: 1692
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4563776.exe
         PID: 2952
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6534444.exe
         PID: 3076
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Dropped file 1
  Filesize: 307KB
  MD5: eb21177946b94342eccf490b098fefb5
  SHA1: 3ffd523d940a3a5c0760a43a5acfd4e88ac6fd31
  SHA256: 7cffb20c6eabb9ce0dbf2ebe05b6c3381e15ea33057f485363fb722127efb9d2
  SHA512: ca204b4452ca60535529d24508b5d727ccb5a877e67db90075fa47a52baa4baddc83f0135ec7e83abf7c73c00fa0a1319393470d3fbe0ce9aef5b42f0393fa75
- Dropped file 2
  Filesize: 178KB
  MD5: 80b20d8b075c0e86417f1a2b1cb0f82f
  SHA1: b6fb441963c757a9125d4586b6f2d07b1733fc73
  SHA256: 01e1bc0c83578752d78e083bbaf8421cc4381af3304e7b8b7823420e630a89f1
  SHA512: 8818687efe14def04961db3ad83a5d0855f3c5727a0592cfa9e931c0f3d6477d70adb4a46ec526b7c4b530b91adec3b41505dc001449b33d765cc46b8a862ea1
- Dropped file 3
  Filesize: 168KB
  MD5: 98410df571da7e6f92433c1fe522296a
  SHA1: 15caca180a5c72bde8d7f919fdde68fcb0788136
  SHA256: 76927b0dfc1ebfa2890ae6f6b5070f03d6e8a1d04d44ebe112ccb2595967881e
  SHA512: 2f191f4b2742a621aa66a2b6eaf77e00129863b66a943c019b3c48b8b5c7dcffb80469505c5c5cc5336f60f83e7f8c401e47c72aa4fa89593d469f380445dca0