Analysis
max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:12

Static task: static1
Behavioral task: behavioral1
Sample: 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe
Resource: win10v2004-20241007-en

General
Target: 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe
Size: 827KB
MD5: a1456af07201f801ff813b0008b63032
SHA1: 2fa39dbf69aaff5fe44afbc1c1ea9d9968979d0d
SHA256: 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02
SHA512: 82e9f992e690050cbb00e33b7a610187f6c5c6a82fe9b8b021010edeec64aaf0605ce1f7b4629a50a5b3b0e62c33d1c4224f803aa4012e775e36c496de482772
SSDEEP: 12288:fy90jxuHUH3HxwFtI+/NZrLiYBO74xmo7KRxZR5mVWQ65HG1X53C5rI:fyhHU6Ff/OYBAAmC6ZRPs1Jb
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b96-19.dat | healer
behavioral1/memory/3708-22-0x0000000000A80000-0x0000000000A8A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it234711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it234711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it234711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it234711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it234711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it234711.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1508-29-0x0000000004D50000-0x0000000004D8C000-memory.dmp | family_redline
behavioral1/memory/1508-31-0x00000000072E0000-0x000000000731A000-memory.dmp | family_redline
behavioral1/memory/1508-37-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-61-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-95-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-93-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-91-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-89-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-87-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-83-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-81-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-79-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-77-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-75-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-74-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-71-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-69-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-67-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-65-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-59-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-57-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-55-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-53-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-52-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-49-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-48-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-45-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-43-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-41-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-39-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-85-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-63-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-35-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-33-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
behavioral1/memory/1508-32-0x00000000072E0000-0x0000000007315000-memory.dmp | family_redline
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
2228 | ziCn6009.exe
3816 | ziLS6539.exe
3708 | it234711.exe
1508 | jr430422.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it234711.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziCn6009.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziLS6539.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziCn6009.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziLS6539.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jr430422.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3708 | it234711.exe
3708 | it234711.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3708 | it234711.exe
Token: SeDebugPrivilege | 1508 | jr430422.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 364 wrote to memory of 2228 | 364 | 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe | 83
PID 364 wrote to memory of 2228 | 364 | 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe | 83
PID 364 wrote to memory of 2228 | 364 | 2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe | 83
PID 2228 wrote to memory of 3816 | 2228 | ziCn6009.exe | 85
PID 2228 wrote to memory of 3816 | 2228 | ziCn6009.exe | 85
PID 2228 wrote to memory of 3816 | 2228 | ziCn6009.exe | 85
PID 3816 wrote to memory of 3708 | 3816 | ziLS6539.exe | 87
PID 3816 wrote to memory of 3708 | 3816 | ziLS6539.exe | 87
PID 3816 wrote to memory of 1508 | 3816 | ziLS6539.exe | 94
PID 3816 wrote to memory of 1508 | 3816 | ziLS6539.exe | 94
PID 3816 wrote to memory of 1508 | 3816 | ziLS6539.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d6da7e210cb1137446c31dc828c7103435ae729582d3b3b0945cb3236ab4c02.exe"
  PID: 364
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCn6009.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCn6009.exe
    PID: 2228
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLS6539.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLS6539.exe
      PID: 3816
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it234711.exe (level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it234711.exe
        PID: 3708
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr430422.exe (level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr430422.exe
        PID: 1508
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 568KB
MD5: 8ab4d3a530a099119fbe14c67d7adc7e
SHA1: 1b33889ee187ab4fbea11c47cece075e846a815c
SHA256: ca7639faa2afc0f45ea5f16fc221d7bd3a5b0f5ce01f92859231e118de597007
SHA512: dfe5cfc6fc1489bee0361e54f1779aa141cc89f2f918f735aed57241b0a53894a0de775dd418834d8978d491c7d635103cde57b0bb4eea3c555a58f8252a8a71

Filesize: 414KB
MD5: c4956a03abc833a7f40a917d4001ced9
SHA1: df9911cc72e939bf7c11bf1e7ba7eef40f4fe3b9
SHA256: ef2671daadd271f229f17192052390705b22f63e7a64857080ef17d4159ab69f
SHA512: ca3e438d1350da539ecba6810cea68426a21e1177616cffa7b2abd5f57e9e4a6c116cda43760615c34aeb9456d13f4cdda88c94f92bbc3ef068199c96275a2ce

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 381KB
MD5: 0ce251144badabdce0a1d21e83281a34
SHA1: d7f1f6baf898a8b60f5660484b801644f1cc7ece
SHA256: 97df185d8d5d408c94a5dfe22110c01c7a14c2e5208bcc92b099feb135a64be7
SHA512: 23276e2574b2a538a5d1d0e51050c71e9a28b22033c2feb53e7929ac9f8b43571d39a6b686eb0e2d3bb1010aea2c2fe4bd21dbcaaa8fcfc1f8645cf9b1b21da1