Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 05:03
Static task: static1
Behavioral task: behavioral1
Sample: 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe
Resource: win10v2004-20241007-en
General
- Target: 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe
- Size: 479KB
- MD5: a12ad6f25fecdf9ee097441a910d3509
- SHA1: 19159f2c6602323b0db76ffa6dd5e2b0f4d98814
- SHA256: 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56
- SHA512: 4579c0637adfad4a6359d4778d576ae5ce3faa57e65385161e6739c37c4bb8db52489a33a49277c3bc580276c1e0d7e61bd3d05c92dddcb8e622f1adae46fc12
- SSDEEP: 12288:mMrUy90GMABzEOX4SgLeVdnk33paD31h9fOe:OypMkorSgidkpG3T5Oe
Malware Config
Extracted
- Family: redline
- Botnet: divan
- C2: 217.196.96.102:4132
- auth_value: b414986bebd7f5a3ec9aee0341b8e769
Signatures
- Detects Healer, an antivirus disabler dropper (17 IoCs)
  resource | yara_rule
  behavioral1/memory/1900-15-0x0000000002480000-0x000000000249A000-memory.dmp | healer
  behavioral1/memory/1900-19-0x0000000004AC0000-0x0000000004AD8000-memory.dmp | healer
  behavioral1/memory/1900-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-43-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
  behavioral1/memory/1900-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k3043998.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k3043998.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k3043998.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k3043998.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | k3043998.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k3043998.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023c00-53.dat | family_redline
  behavioral1/memory/4732-55-0x0000000000E40000-0x0000000000E6E000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (3 IoCs)
  pid | Process
  2028 | y6978484.exe
  1900 | k3043998.exe
  4732 | l5505641.exe
- Windows security modification (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k3043998.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k3043998.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y6978484.exe
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1696 | sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y6978484.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k3043998.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l5505641.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1900 | k3043998.exe
  1900 | k3043998.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1900 | k3043998.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1516 wrote to memory of 2028 | 1516 | 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe | 84
  PID 1516 wrote to memory of 2028 | 1516 | 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe | 84
  PID 1516 wrote to memory of 2028 | 1516 | 00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe | 84
  PID 2028 wrote to memory of 1900 | 2028 | y6978484.exe | 85
  PID 2028 wrote to memory of 1900 | 2028 | y6978484.exe | 85
  PID 2028 wrote to memory of 1900 | 2028 | y6978484.exe | 85
  PID 2028 wrote to memory of 4732 | 2028 | y6978484.exe | 92
  PID 2028 wrote to memory of 4732 | 2028 | y6978484.exe | 92
  PID 2028 wrote to memory of 4732 | 2028 | y6978484.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00fc5fa50068d1f30b442dd348f2c87d456e967e96c7895b972a109b92a6da56.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1516
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6978484.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6978484.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2028
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3043998.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3043998.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1900
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5505641.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5505641.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4732
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 1696
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 307KB
  MD5: ad089dfd328c7d19e6e4d4dcbf3be4e2
  SHA1: f3955eb8eaecd184ee2b78eba15fd1817823cc04
  SHA256: fe33197485768ff9592e12edaf60d0f0e17708c72312a8321e828562946f9d95
  SHA512: 90c8285cf05d47d046ef94459bc9facfaf2ff627a9eee043dd6216448b01e5294cb46d1a83ee5252a3803812104588d252c777fdfaff95f756b55758d676e80a
- Filesize: 182KB
  MD5: 7040ac814b92f6712953448e5d540017
  SHA1: 420ec4ce343f744d074f659cf8d21d9cad1a6a43
  SHA256: 07805d2c1a73bafd48b36fa5c6267baf13a0e8df7550ef80a1a1c50d9f231d41
  SHA512: 821ff4f70991da1e88493a77c3dca7d27976cf8806fd6e3e405335284fdd249d9aa217ee3839855e4b9e44d29730149022d3d38386e69882c9413413ba01f998
- Filesize: 168KB
  MD5: 8e00e42c79ccb8834dbc5f54f6f9a128
  SHA1: b6cd49c731738c8e3762ea33375655b93d1d539f
  SHA256: 6c7c41070449626130302b7ce39496d55901c5c806007fd8d0b7464353f28241
  SHA512: 23d3511439a6ffa56bdb0b13bd798f846741256d345683e1e82256596d0f766a8b7bedef8dea589ab1d483f235f8002f99cbb16c3b03de97acd3e4330ee834b5