Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:09
Static task: static1
Behavioral task: behavioral1
Sample: b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe
Resource: win10v2004-20241007-en
General
Target: b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe
Size: 936KB
MD5: b73e5752ac0ba793c7b1d21672663870
SHA1: 30fde319691396fbfccc4daa6436d968e7502bc5
SHA256: b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044
SHA512: 9e270c68ba259464fe298ff656b3fdb8cea86eb194aa045d4442425b9b21dbd81bae7b924d090b05a48d7e7d6d44c00f26355e7d3d39a112313260d2772c3869
SSDEEP: 12288:Ay90GtLj+X5ZWvvHtvtP4ys6VmTThDCdF63rjqgKepgVlyOt/WtDwFdh:AyFtLKivKyhmTTtYe6VlyOKMx
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0009000000023bdb-19.dat | healer
behavioral1/memory/1376-22-0x0000000000B80000-0x0000000000B8A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it676378.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it676378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it676378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it676378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it676378.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it676378.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/540-29-0x00000000026F0000-0x000000000272C000-memory.dmp | family_redline
behavioral1/memory/540-31-0x0000000004E30000-0x0000000004E6A000-memory.dmp | family_redline
behavioral1/memory/540-47-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-63-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-95-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-93-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-89-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-87-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-85-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-83-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-81-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-79-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-77-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-75-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-73-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-71-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-69-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-65-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-61-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-59-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-58-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-55-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-53-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-51-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-49-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-45-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-43-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-41-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-39-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-91-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-67-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-37-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-35-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-33-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
behavioral1/memory/540-32-0x0000000004E30000-0x0000000004E65000-memory.dmp | family_redline
Redline family
Executes dropped EXE 4 IoCs
pid | Process
1200 | zisT5017.exe
4148 | zini9845.exe
1376 | it676378.exe
540 | jr838012.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it676378.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zisT5017.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zini9845.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr838012.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zisT5017.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zini9845.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1376 | it676378.exe
1376 | it676378.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1376 | it676378.exe
Token: SeDebugPrivilege | 540 | jr838012.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1020 wrote to memory of 1200 | 1020 | b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe | 83
PID 1020 wrote to memory of 1200 | 1020 | b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe | 83
PID 1020 wrote to memory of 1200 | 1020 | b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe | 83
PID 1200 wrote to memory of 4148 | 1200 | zisT5017.exe | 84
PID 1200 wrote to memory of 4148 | 1200 | zisT5017.exe | 84
PID 1200 wrote to memory of 4148 | 1200 | zisT5017.exe | 84
PID 4148 wrote to memory of 1376 | 4148 | zini9845.exe | 85
PID 4148 wrote to memory of 1376 | 4148 | zini9845.exe | 85
PID 4148 wrote to memory of 540 | 4148 | zini9845.exe | 96
PID 4148 wrote to memory of 540 | 4148 | zini9845.exe | 96
PID 4148 wrote to memory of 540 | 4148 | zini9845.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b448b04ac24d8fea46688845c0727ab3956f2782a0f95b76e1a515d220087044.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1020
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisT5017.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisT5017.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1200
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zini9845.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zini9845.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4148
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it676378.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it676378.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1376
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr838012.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr838012.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 540
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
Downloads
Filesize: 623KB
MD5: 185e05bfc6f1566b6f97026e13c481df
SHA1: 9cdb90cca9450187511e75a8e73846a1c67515a9
SHA256: b915492254f92a219e82c5090175d6e999ec6ab1f803cd60589f8885cf5b49a0
SHA512: f0cd449446095a16ed54ad456726010456959c3537df74a555aeb40babf9dcade7153437c782f47752a44089a1d4ac68fbc68f080a8bc1ad202e726a22d04870

Filesize: 469KB
MD5: 5f4f29c3efdad32b784f2804e42eb4b7
SHA1: 2c4167a3063afdd6de18171a3b03f133a9c2e87f
SHA256: 99e4fe8c54bfe4354630158d849c62214a283baf17475fec5dd21c0e89a085bb
SHA512: 930309ad4daa81d6099041ea5e0ada3a22f6d57141efa620dad2c5cf064e8fe499cca439b9c1f0d0ba3303b70b3db9824a8425ad2cc40d9254a279e6c82ac8da

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 485KB
MD5: 5f77a9c86c224db23845efdb2cd5e8ab
SHA1: 2d912178f745bb5745c6d3dc57b7c6328964a964
SHA256: 26be89aae8b9e08e63548ba9f145185d31256fea0a7328831a786fa4e1a4e4c3
SHA512: 6781904b392fe6505b028d3bfe1d86504436dfd04139d8bbf5a9e0f3b0fdfa63b911f6ad302de84e428259eb6d3a6bf38eaacba8ea51c7917483afe248079608