Analysis

max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:03
Static task: static1
Behavioral task: behavioral1
Sample: 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe
Resource: win10v2004-20241007-en
General

Target: 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe
Size: 481KB
MD5: 98c8595ece67bbabbf4f48b590ef5022
SHA1: 620fedcd3d3f8f9a6b063e728410ed57d13e48b6
SHA256: 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e
SHA512: fb9d514c6b80287230c79fcae816fdf9b183f22516b2258d7123b0374e61d6077df47a72f7e90b650630dcc97cbc5388e338027d08aa7085e197615019baa846
SSDEEP: 12288:7Mrby90ZTTU1dn5zK96HgDSAdtNcg0XOsVo:MyM8pADSev0+sVo
Malware Config

Extracted family: redline
Botnet: misfa
C2: 217.196.96.101:4132
auth_value: be2e6d9f1a5e54a81340947b20e561c1
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 YARA hits are memory regions of PID 4600 (a5569309.exe).
resource | yara_rule
behavioral1/memory/4600-15-0x00000000025A0000-0x00000000025BA000-memory.dmp | healer
behavioral1/memory/4600-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp | healer
behavioral1/memory/4600-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4600-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Together these five policy values switch off Defender's real-time engine. They live under HKLM, and the writes succeeded, so the dropper ran with administrative rights in the sandbox.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a5569309.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5569309.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5569309.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5569309.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5569309.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5569309.exe
RedLine

RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

RedLine payload (2 IoCs)
The memory hit is in PID 3304 (b3926594.exe); the file hit is the dropped payload on disk.
resource | yara_rule
behavioral1/files/0x0007000000023cc8-54.dat | family_redline
behavioral1/memory/3304-56-0x0000000000380000-0x00000000003AE000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2364 | v0945503.exe
4600 | a5569309.exe
3304 | b3926594.exe

Windows security modification (2 IoCs)
The dropper clears the Tamper Protection feature flag before (in effect) the policy values above can be relied on. On an endpoint where Tamper Protection is enabled, Defender blocks these policy changes and prevents the TamperProtection value from being changed by anything other than the Windows Security app or management tooling, so the writes succeeding on this sandbox image says nothing about whether they would take effect on a managed host.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a5569309.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5569309.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
These RunOnce values are not the payload's own persistence. wextract_cleanupN entries are written by the Windows IExpress/wextract self-extractor so that advpack.dll's DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at the next logon, after which the RunOnce value is gone. Two such entries show two nested self-extracting layers: the sample extracts v0945503.exe into IXP000.TMP, and v0945503.exe extracts a5569309.exe and b3926594.exe into IXP001.TMP.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | v0945503.exe
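The Real-Time Protection policy values, the TamperProtection write and the wextract_cleanup RunOnce entries are the registry IoCs a responder would want to recognise in endpoint telemetry. The following is an added example, not code from the sandbox or from the malware: it scans constructed registry-write event lines in a hypothetical one-line "process SetValue key = value" format that mirrors this report's entries, and labels Defender-weakening writes separately from self-extractor cleanup entries. The event lines, the rule labels and the function names are assumptions made for the example.

```python
"""Flag Defender-disabling and SFX-cleanup registry writes in endpoint telemetry.

Added example, not code from the sandbox or the malware. The events below are
constructed to mirror this report's IoCs in a one-line "process SetValue key =
value" form (hypothetical format, not a real Sysmon or sandbox export).
"""
import re
from dataclasses import dataclass

# Writes that weaken Defender when they carry the shown value.
# Keys are compared after normalize_key(): hive prefix and WOW6432Node removed, lower-cased.
RTP = "policies\\microsoft\\windows defender\\real-time protection\\"
DEFENDER_RULES = {
    (RTP + "disablebehaviormonitoring", "1"): "Defender behavior monitoring disabled",
    (RTP + "disableioavprotection", "1"): "Defender IOAV (download/attachment) scanning disabled",
    (RTP + "disableonaccessprotection", "1"): "Defender on-access protection disabled",
    (RTP + "disablerealtimemonitoring", "1"): "Defender real-time monitoring disabled",
    (RTP + "disablescanonrealtimeenable", "1"): "Defender scan-on-enable disabled",
    ("microsoft\\windows defender\\features\\tamperprotection", "0"): "Defender Tamper Protection switched off",
}

# wextract/IExpress self-extractors register a RunOnce value that calls
# advpack.dll!DelNodeRunDLL32 to delete their IXP###.TMP extraction directory.
SFX_CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32 .*\\IXP\d{3}\.TMP", re.IGNORECASE)

# process  SetValue  <key path>  =  "<value>"
EVENT_RE = re.compile(r'^(?P<process>\S+)\s+SetValue\s+(?P<path>.+?)\s*=\s*"(?P<value>.*)"$')


@dataclass(frozen=True)
class Finding:
    process: str
    key: str  # normalized key path
    value: str
    label: str


def normalize_key(path):
    """Strip the HKLM\\SOFTWARE prefix and the WOW6432Node redirection, lower-case the rest."""
    key = path.lower().lstrip("\\")
    for prefix in ("registry\\machine\\software\\", "hklm\\software\\"):
        if key.startswith(prefix):
            key = key[len(prefix):]
            break
    if key.startswith("wow6432node\\"):
        key = key[len("wow6432node\\"):]
    return key


def classify(process, path, value):
    """Return a Finding for a Defender-weakening or SFX-cleanup write, else None."""
    key = normalize_key(path)
    label = DEFENDER_RULES.get((key, value))
    if label is None and "\\currentversion\\runonce\\" in key and SFX_CLEANUP_RE.search(value):
        label = "wextract/IExpress SFX cleanup RunOnce (nested self-extractor, not payload persistence)"
    return None if label is None else Finding(process, key, value, label)


def scan(lines):
    """Parse event lines and return the Findings in input order; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            f = classify(m["process"], m["path"], m["value"])
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: four lines mirror the report, the last is a benign control
# (a value of "0" re-enables real-time monitoring and matches no rule).
SAMPLE_EVENTS = [
    r'a5569309.exe SetValue \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"',
    r'a5569309.exe SetValue \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"',
    r'a5569309.exe SetValue \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"',
    r'v0945503.exe SetValue \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\""',
    r'gpupdate.exe SetValue \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process}: {f.label} [{f.key} = {f.value!r}]")
```

The rules key on (path, value) rather than on the path alone so that a write of "0" to DisableRealtimeMonitoring, which re-enables protection, is not reported; the SFX rule is kept separate so a triage queue can treat it as a packaging indicator rather than as persistence.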
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All four processes, including the two self-extractor stubs, open this key, so the hit is low-signal on its own.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0945503.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5569309.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3926594.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4600 | a5569309.exe
4600 | a5569309.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4600 | a5569309.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4796 wrote to memory of 2364 | 4796 | 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe | 83
PID 4796 wrote to memory of 2364 | 4796 | 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe | 83
PID 4796 wrote to memory of 2364 | 4796 | 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe | 83
PID 2364 wrote to memory of 4600 | 2364 | v0945503.exe | 84
PID 2364 wrote to memory of 4600 | 2364 | v0945503.exe | 84
PID 2364 wrote to memory of 4600 | 2364 | v0945503.exe | 84
PID 2364 wrote to memory of 3304 | 2364 | v0945503.exe | 95
PID 2364 wrote to memory of 3304 | 2364 | v0945503.exe | 95
PID 2364 wrote to memory of 3304 | 2364 | v0945503.exe | 95
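The nine "wrote to memory" entries are three writes per child, each from the parent that created it. That is what ordinary process creation looks like under this signature (the user-mode CreateProcess path writes into the new child before it starts, and the sandbox logs those writes here), not code injection. The following added example, not code from the sandbox or the malware, rebuilds the process tree from constructed lines mirroring the table above, using the "Executes dropped EXE" PIDs as the set of spawned processes, and separates creation writes from writes into a process the writer did not spawn. The event lines, the 9999 negative case and the function names are assumptions made for the example.

```python
"""Rebuild the process tree from a sandbox's WriteProcessMemory IoC table.

Added example, not code from the sandbox or the malware. The event lines are
constructed to mirror this report's "Suspicious use of WriteProcessMemory"
entries: "PID <src> wrote to memory of <dst> <src> <image> <sandbox target id>".
EXTRA_EVENT is a constructed negative case that is NOT in the report.
"""
import re
from collections import Counter, defaultdict

ROOT_PID = 4796
# pid -> image, from the root process and the report's "Executes dropped EXE" table.
IMAGES = {
    4796: "8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe",
    2364: "v0945503.exe",
    4600: "a5569309.exe",
    3304: "b3926594.exe",
}
SPAWNED = {2364, 4600, 3304}  # processes the sandbox saw being created

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)

WPM_EVENTS = [
    "PID 4796 wrote to memory of 2364 4796 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe 83",
    "PID 4796 wrote to memory of 2364 4796 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe 83",
    "PID 4796 wrote to memory of 2364 4796 8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe 83",
    "PID 2364 wrote to memory of 4600 2364 v0945503.exe 84",
    "PID 2364 wrote to memory of 4600 2364 v0945503.exe 84",
    "PID 2364 wrote to memory of 4600 2364 v0945503.exe 84",
    "PID 2364 wrote to memory of 3304 2364 v0945503.exe 95",
    "PID 2364 wrote to memory of 3304 2364 v0945503.exe 95",
    "PID 2364 wrote to memory of 3304 2364 v0945503.exe 95",
]
# Constructed negative case (hypothetical, not observed): a write into a PID nobody in the tree spawned.
EXTRA_EVENT = "PID 4600 wrote to memory of 9999 4600 a5569309.exe 0"


def parse_wpm(lines):
    """Count (writer, target) pairs in first-seen order; malformed lines are skipped."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] += 1
    return edges


def classify_writes(edges, spawned):
    """Split edges into creation writes (sole writer into a process it spawned) and the rest.

    A small burst of writes from one parent into a freshly spawned child is the
    creation path; a write into a process the writer did not spawn, or a child
    written by more than one process, is a cross-process write worth examining.
    """
    writers = defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
    creation, other = {}, {}
    for (src, dst), n in edges.items():
        if dst in spawned and writers[dst] == {src}:
            creation[(src, dst)] = n
        else:
            other[(src, dst)] = n
    return creation, other


def build_tree(creation):
    """Map parent pid -> child pids, preserving first-seen order."""
    children = defaultdict(list)
    for src, dst in creation:
        children[src].append(dst)
    return children


def render_tree(children, images, pid, depth=0):
    """Return indented 'image (pid)' lines for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{images.get(pid, '<unknown>')} ({pid})"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    creation, other = classify_writes(parse_wpm(WPM_EVENTS + [EXTRA_EVENT]), SPAWNED)
    print("\n".join(render_tree(build_tree(creation), IMAGES, ROOT_PID)))
    for (src, dst), n in other.items():
        print(f"investigate: {IMAGES.get(src, '<unknown>')} ({src}) wrote {n}x into "
              f"{IMAGES.get(dst, '<unknown>')} ({dst}), which it did not spawn")
```

Run on the report's nine lines alone, the classifier puts every edge in the creation set and the rendered tree matches the Processes section below; only the constructed 4600 -> 9999 write ends up in the investigate list.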
Processes

C:\Users\Admin\AppData\Local\Temp\8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bbaa36dd1b3b7298167c143d285e319b886adac33ea0d0c9c8156d836d0224e.exe"
  PID: 4796
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0945503.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0945503.exe
    PID: 2364
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5569309.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5569309.exe
      PID: 4600
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3926594.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3926594.exe
      PID: 3304
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 309KB
MD5: 29fff0ddc29923dcaed6c3583f191011
SHA1: fb97079be80def69d388c4f82e48c009584d09ac
SHA256: 4ab5875b4605ffe4c65a0c70da4588e10668c26a213617f6b46d304ede12f911
SHA512: 3ee6116d30e5ea719b2ff6a3bf41edf6524b254261e7ffc422f2b20c55e33b8bfcdf25c782fc5d6f40f4f2c4dcef8b7d28591cf4308ce4d934818634073087ee

Filesize: 177KB
MD5: 8b8dfdc32650ccedf8224311f7a5a4bd
SHA1: 589e705b77abc103366a29aed8d9a889fe7102f7
SHA256: ba01134ca6f1a08bd8aecc1d39602df2222c32f9573a45a201816aef167f3ba4
SHA512: 389e4f1e3457b814aff95ff4117e22cf7d0ff53e1d9d272ebc5afbd5ba322d86abf514f98f225d3c7240713687f7490057219f06c01d6e1ba9ff857f868b1c96

Filesize: 168KB
MD5: 4c6de1b3b1272da63915c9c604076ebc
SHA1: ed3f175d95122f7b319f5acb899cdce0d11ed8e4
SHA256: e1678c4cc6d400fb193390b0a52505e6a32c88cbdc9b3e2194768332b893940c
SHA512: 75d494d854fc19b0f156b25ef89fe3e0b3f421f7dfa47be498352a5e7532ba5f03df1ab369bf7d2ce7acbc0f32508a9cf711235b4a46856cafe07c6474de6f21