Analysis

max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:17
Static task: static1
Behavioral task: behavioral1
Sample: f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe
Resource: win10v2004-20241007-en
General

Target: f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe
Size: 489KB
MD5: 92715da1c21f041b86fc01e2b99c78b7
SHA1: d56fb965d9676256b02bbd7926fb80dc7c3da6b4
SHA256: f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f
SHA512: f2b46923258186d10b5ddbbaa8dba6d9b18097d7137eb88761d03d2c8428a8c0a01d1e3d014fd4abc85de26aaade53a5afd117b937fb409bd04acd426cbb6879
SSDEEP: 12288:YMr6y90YjMJzUoUU5c1u31WTf7Mamxoj2nIoxkSSJ:yyBI7X8TzMamxHnV3o
Malware Config

Extracted
Family: redline
Botnet: lulsa
C2: 217.196.96.101:4132
auth_value: 2bb8e3870ce0ad119d2840b124222121
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/4100-15-0x0000000002120000-0x000000000213A000-memory.dmp | healer
behavioral1/memory/4100-19-0x0000000004970000-0x0000000004988000-memory.dmp | healer
behavioral1/memory/4100-47-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-45-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-43-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-41-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-39-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-37-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-35-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-33-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-31-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-29-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-27-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-25-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-23-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-21-0x0000000004970000-0x0000000004982000-memory.dmp | healer
behavioral1/memory/4100-20-0x0000000004970000-0x0000000004982000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o7268346.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | o7268346.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o7268346.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o7268346.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o7268346.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o7268346.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000023b3a-54.dat | family_redline
behavioral1/memory/4852-55-0x00000000009C0000-0x00000000009F0000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
972 | z0011099.exe
4100 | o7268346.exe
4852 | r6137304.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | o7268346.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | o7268346.exe
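The two registry signatures above (the Real-Time Protection policy writes and the TamperProtection write, both by o7268346.exe) are the pattern a detection engineer would want to match on a host. The following Python is an added example, not part of this report or of any vendor tooling: it runs a small rule set over Sysmon Event ID 13-style SetValue records. The TargetObject paths, DWORD values and process name are taken from this report's IoCs; the event wrapper, the PIDs on the two benign control events and the control events themselves are constructed for the example. WOW6432Node and \REGISTRY\MACHINE spellings are folded onto one canonical path so a single rule covers both views.

```python
import re
from dataclasses import dataclass

# Constructed sample events, shaped like Sysmon Event ID 13 (RegistryEvent: SetValue).
# Paths, values and the o7268346.exe image come from the report; the wrapper format,
# the explorer.exe control events and their PID are assumptions for this example.
SAMPLE_EVENTS = [
    {"Image": "o7268346.exe", "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable",
     "Details": "DWORD (0x00000001)"},
    {"Image": "o7268346.exe", "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": "o7268346.exe", "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "Details": "DWORD (0x00000001)"},
    {"Image": "o7268346.exe", "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection",
     "Details": "DWORD (0x00000001)"},
    {"Image": "o7268346.exe", "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": "o7268346.exe", "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Benign controls (constructed): a Defender policy value that is *not* a disable,
    # and an unrelated registry write. Neither should fire.
    {"Image": "explorer.exe", "ProcessId": 5000,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"Image": "explorer.exe", "ProcessId": 5000,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Real-Time Protection policy values whose DWORD 1 switches a protection off.
RTP_DISABLE_VALUES = {v.lower() for v in (
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable")}
RTP_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\([^\\]+)$", re.I)
TAMPER_RE = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    pid: int
    target: str
    value: int


def normalize_path(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE prefix (as printed in the report) onto
    HKLM and fold the 32-bit WOW6432Node view onto the native path."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def dword_value(details: str):
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def match_event(event: dict):
    """Return the name of the rule an event triggers, or None."""
    target = normalize_path(event["TargetObject"])
    value = dword_value(event.get("Details", ""))
    if value is None:
        return None
    m = RTP_RE.search(target)
    if m and m.group(1).lower() in RTP_DISABLE_VALUES and value == 1:
        return "defender_rtp_disabled"
    if TAMPER_RE.search(target) and value == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events):
    findings = []
    for ev in events:
        rule = match_event(ev)
        if rule:
            findings.append(Finding(rule, ev["Image"], int(ev["ProcessId"]),
                                    normalize_path(ev["TargetObject"]),
                                    dword_value(ev["Details"])))
    return findings


def tampering_processes(findings, threshold=3):
    """Processes that flipped at least `threshold` distinct Defender settings. One hit
    can be an administrator or GPO; a burst from a single PID is the dropper pattern."""
    distinct = {}
    for f in findings:
        distinct.setdefault((f.pid, f.image), set()).add(f.target)
    return {k: len(v) for k, v in distinct.items() if len(v) >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.rule:32} pid={f.pid} {f.image} {f.target} = {f.value}")
    print(tampering_processes(hits))
```

Only SetValue records are scored; the "Key created" entry in the report (Sysmon Event ID 12) is a weaker signal on its own and is left out. The threshold in tampering_processes is a tuning knob, not a fixed rule: six distinct writes from one PID, as here, is well above it.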
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z0011099.exe

Both entries are the standard self-cleanup RunOnce values written by the Windows wextract self-extractor stub (IXP%03d.TMP extraction directories, advpack.dll DelNodeRunDLL32): at next logon they delete the temp directory rather than relaunch the sample. The hit therefore indicates two nested self-extracting packages (the outer sample and z0011099.exe), not a persistence mechanism.
Launches sc.exe (1 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
868 | sc.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | z0011099.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | o7268346.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r6137304.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4100 | o7268346.exe
4100 | o7268346.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4100 | o7268346.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1032 wrote to memory of 972 | 1032 | f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe | 84
PID 1032 wrote to memory of 972 | 1032 | f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe | 84
PID 1032 wrote to memory of 972 | 1032 | f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe | 84
PID 972 wrote to memory of 4100 | 972 | z0011099.exe | 85
PID 972 wrote to memory of 4100 | 972 | z0011099.exe | 85
PID 972 wrote to memory of 4100 | 972 | z0011099.exe | 85
PID 972 wrote to memory of 4852 | 972 | z0011099.exe | 92
PID 972 wrote to memory of 4852 | 972 | z0011099.exe | 92
PID 972 wrote to memory of 4852 | 972 | z0011099.exe | 92
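The WriteProcessMemory records above are the raw material from which the parent/child chain of this sample can be rebuilt when a report arrives flattened, as this one did. The Python below is an added example, not code from this report or from the sandbox vendor: it parses the nine records (embedded inline, copied verbatim from this report), collapses the repeated copies of each edge, attaches image names from the "Executes dropped EXE" signature, and renders the spawn tree. Only the record text and the pid-to-name map are from the report; everything else is the example's own.

```python
import re
from collections import defaultdict

# The nine WriteProcessMemory records exactly as this report lists them
# (embedded here as an inline string for the example).
WPM_RECORDS = """\
PID 1032 wrote to memory of 972 1032 f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe 84
PID 1032 wrote to memory of 972 1032 f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe 84
PID 1032 wrote to memory of 972 1032 f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe 84
PID 972 wrote to memory of 4100 972 z0011099.exe 85
PID 972 wrote to memory of 4100 972 z0011099.exe 85
PID 972 wrote to memory of 4100 972 z0011099.exe 85
PID 972 wrote to memory of 4852 972 z0011099.exe 92
PID 972 wrote to memory of 4852 972 z0011099.exe 92
PID 972 wrote to memory of 4852 972 z0011099.exe 92
"""

# pid -> image name, from the "Executes dropped EXE" signature in this report.
DROPPED = {972: "z0011099.exe", 4100: "o7268346.exe", 4852: "r6137304.exe"}

# description | pid | Process | procid_target, as one whitespace-joined line.
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_records(text):
    """Return unique (writer_pid, target_pid, writer_image, procid_target) edges.
    Identical consecutive records (one per write call) collapse to a single edge."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid_col, image, procid = m.groups()
        if writer != pid_col:  # description pid and Process pid disagree: skip
            continue
        edge = (int(writer), int(target), image, int(procid))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges, names):
    """Return (roots, children, images). Roots are writers that nobody wrote into."""
    children = defaultdict(list)
    images = dict(names)
    for writer, target, image, _ in edges:
        images.setdefault(writer, image)
        children[writer].append(target)
    targets = {t for _, t, _, _ in edges}
    roots = list(dict.fromkeys(w for w, *_ in edges if w not in targets))
    return roots, dict(children), images


def render(roots, children, images):
    """Indented text tree, two spaces per level, in the order the edges appeared."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def spawn_tree(text=WPM_RECORDS, names=DROPPED):
    return render(*build_tree(parse_records(text), names))


if __name__ == "__main__":
    print(spawn_tree())
```

A target PID that is not in the dropped-executable map would show as "?" in the output; in a real report that is the case to look at, since a write into a process the writer did not create points at injection rather than a plain spawn. All three targets here are dropped executables.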
Processes

C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1e96eb4fa6af56f0366127f1b80da320fe2247fdefc0bd951343ebdf9bd0d1f.exe"
  PID: 1032
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0011099.exe
    PID: 972
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7268346.exe
      PID: 4100
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6137304.exe
      PID: 4852
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 868
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 307KB
MD5: 06763e4230c4281042b047ccfcbaf0a8
SHA1: c6394855ccd190244610b03aaa680df90783a862
SHA256: ea95f894a0d53f68f825d0a2e744db88d9d818e3f49e5633884f3842313e3cc9
SHA512: b47240aa84b5fe0096028b8e0500951d3ca4bc84d23923486bcb39808285f90e3efdf81a278ffc55d53e1bf2926d506a979f1c4e37d14313401cb5802fe8758e

Filesize: 181KB
MD5: 440382d1d97b4e83336a47b520050cd6
SHA1: 18965aa83d01228806df83b9b2b3e16193e2d6f8
SHA256: 21b2925cfc627a4d78b2a9a7798b35d4a4694741d25a46ad9cd643d02f00a63c
SHA512: 37b9871cfa2fa0c84888bcdc2ec7487510a881ded96fb5f4f4d54e90593cd96462cf8428494f8581e0e49eadf6cc7f7b68aad5dc756338bfe560579a8d16017a

Filesize: 168KB
MD5: d9a15ce2c578fc659f30592b83f9d413
SHA1: 949bdf817c229976266b691c6782d8af7cd5f4e0
SHA256: 1c2accd44808e80a86aba6f6aead3ab3e632bc17e36758a8f3fb5588efc7359a
SHA512: 032b1c09d234b1e2d314354fc1052cefd9f87580976404d8c970ac9515a828024fabe223eda20a3fdb9949153dabf0f2f22c9f3eb3b827ede6e485c100c1ac37