Analysis
max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 05:15
Static task: static1
Behavioral task: behavioral1
Sample: 406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe
Resource: win10v2004-20241007-en
General
Target: 406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe
Size: 560KB
MD5: e3c0ba04f86de1673b0916cc5d9b7c27
SHA1: 93be082b2618a3192192c7180c3bc4b1029e3835
SHA256: 406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f
SHA512: 1c1dfae5460b5eb1e05a3b927ea78e7b8c399b0331c68768e3618535a7ce3c13078dea2d15573d2e23fc02c09a0866e75a8b3dbcc278a8bbe6cc1435280d79c6
SSDEEP: 12288:Hy90QtYMWOEQyU/Xz36Z+phXtXFT61BJudVJQhV8diM:HyXY9OOU/j36kHEj3VMiM
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x000b000000023b9d-13.dat                                   healer
behavioral1/memory/4988-15-0x0000000000F30000-0x0000000000F3A000-memory.dmp   healer

Healer family

Modifies Windows Defender Real-time Protection settings
description       ioc                                                                                                                      Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                      it577915.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"      it577915.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"          it577915.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"      it577915.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"      it577915.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"    it577915.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource                                                                      yara_rule
behavioral1/memory/5060-22-0x0000000007290000-0x00000000072CC000-memory.dmp   family_redline
behavioral1/memory/5060-24-0x00000000078C0000-0x00000000078FA000-memory.dmp   family_redline
behavioral1/memory/5060-32-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-38-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-88-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-86-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-82-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-80-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-78-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-77-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-74-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-72-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-70-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-68-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-66-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-64-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-62-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-58-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-56-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-54-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-53-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-48-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-47-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-44-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-42-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-40-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-36-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-34-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-84-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-60-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-50-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-30-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-28-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-26-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
behavioral1/memory/5060-25-0x00000000078C0000-0x00000000078F5000-memory.dmp   family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid    Process
3212   ziBt8252.exe
4988   it577915.exe
5060   kp129363.exe

Windows security modification
description       ioc                                                                              Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   it577915.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description       ioc                                                                                                                                                                                                                  Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   ziBt8252.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ziBt8252.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   kp129363.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
4988   it577915.exe
4988   it577915.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    Process
Token: SeDebugPrivilege   4988   it577915.exe
Token: SeDebugPrivilege   5060   kp129363.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    Process                                                                  procid_target
PID 1636 wrote to memory of 3212   1636   406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe   83
PID 1636 wrote to memory of 3212   1636   406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe   83
PID 1636 wrote to memory of 3212   1636   406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe   83
PID 3212 wrote to memory of 4988   3212   ziBt8252.exe                                                             85
PID 3212 wrote to memory of 4988   3212   ziBt8252.exe                                                             85
PID 3212 wrote to memory of 5060   3212   ziBt8252.exe                                                             93
PID 3212 wrote to memory of 5060   3212   ziBt8252.exe                                                             93
PID 3212 wrote to memory of 5060   3212   ziBt8252.exe                                                             93
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\406e52d271161d7045f61c8d0f7acfcb5233bf077729d8de454b55cbe3c7365f.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1636
  (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBt8252.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBt8252.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3212
    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it577915.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it577915.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4988
    (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp129363.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp129363.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 5060
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
Downloads
Filesize: 406KB
MD5: 5d5f6ca06b3aba64ae85052c5129a970
SHA1: a2407aaf063004fdb5aae53bfcc50b0c5a05a176
SHA256: 949d3a61154c22238d4634ad5c7d6ea5356c9197b2804086e76089c9af185c0d
SHA512: 33950a32af55393f640fc2a42927d46b534419e1f05400eda2250d0ecf57891d001308245ce4069b59f00ab82a74091e7e9e3c85c2328726bbd6461cbacbc0e4

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 353KB
MD5: d8db75e61a8b48fac62cd610cde09877
SHA1: a34f0726e1b7c205da422e8f3d579059c831d5b2
SHA256: d64c122a345499d2586551b0fc54b07e89d49f827caa588237769f47fcd8ed5e
SHA512: d606eb8311c5c385bf0c57b66831b0c6b4c203001db88bc6d2c7053c82b9fe542313a35b6909093f7addca00473750503e54f5069359924bbfb9dbfa38d3bc71