Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:16
Static task
static1
Behavioral task
behavioral1
Sample
0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe
Resource
win10v2004-20241007-en
General
-
Target
0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe
-
Size
569KB
-
MD5
05306fee83e21142a466bd26494560a9
-
SHA1
a5e87626f1cdbaa84fd7d190d1303888d7a541fb
-
SHA256
0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443
-
SHA512
a13dc59f0b252d41b3e4c2ddce3b819419bffef1e89c82e36b11b0271e2676f32d7e46a865706b8af201c666505c3e8b95b3aa34f138b5169c125b0fe61c9635
-
SSDEEP
12288:Iy90VwsY7UVNtUJ7wnrPwwmuOdz3/ubDp9X1vtEeqqxtgy/xu/I:IyyhNtYcrI9uOdz2t9X1vqDyz5z
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b99-12.dat healer behavioral1/memory/1760-15-0x0000000000690000-0x000000000069A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it946364.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it946364.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it946364.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it946364.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it946364.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it946364.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 36 IoCs
resource yara_rule behavioral1/memory/1392-22-0x0000000004D60000-0x0000000004D9C000-memory.dmp family_redline behavioral1/memory/1392-24-0x00000000072F0000-0x000000000732A000-memory.dmp family_redline behavioral1/memory/1392-42-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-50-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-88-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-84-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-82-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-80-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-78-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-76-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-74-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-72-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-70-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-66-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-64-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-62-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-60-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-58-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-54-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-52-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-48-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-46-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-44-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-40-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-39-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-36-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-37-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-34-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-32-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-30-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-86-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-68-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-56-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-28-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-26-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline behavioral1/memory/1392-25-0x00000000072F0000-0x0000000007325000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 924 zipL3995.exe 1760 it946364.exe 1392 kp996011.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it946364.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zipL3995.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zipL3995.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kp996011.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1760 it946364.exe 1760 it946364.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1760 it946364.exe Token: SeDebugPrivilege 1392 kp996011.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4380 wrote to memory of 924 4380 0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe 85 PID 4380 wrote to memory of 924 4380 0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe 85 PID 4380 wrote to memory of 924 4380 0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe 85 PID 924 wrote to memory of 1760 924 zipL3995.exe 86 PID 924 wrote to memory of 1760 924 zipL3995.exe 86 PID 924 wrote to memory of 1392 924 zipL3995.exe 92 PID 924 wrote to memory of 1392 924 zipL3995.exe 92 PID 924 wrote to memory of 1392 924 zipL3995.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe"C:\Users\Admin\AppData\Local\Temp\0f2cdc4bd0d044a85991be35423016fb908064b0882c5b617e6a762f35571443.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipL3995.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipL3995.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it946364.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it946364.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp996011.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp996011.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
414KB
MD5d8d013ab1c2e940cd080c154915b588c
SHA156e23f37ae7bed30f0aa17e6b49a966d45550a1b
SHA256c532b314c5c9bd1df441b8896c0771b08a9765db54df12da3aea0f25dd9eafaa
SHA512169927337859868807d713be5132899e671f17edd5ca667df6321df706e29bf291803055c18cfb37afe0ed0b01103d57c6905782b99c0d318e5f43b0ba991585
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
381KB
MD554f69fc39faf5df119404af29103dde6
SHA17fb3c05efb99871c7d8fe94a4454b04871ff6041
SHA2569dd8b6b77f8da4cde24aae39b44920292b93984c6b61a504eed1e3d8d1cc54a0
SHA512782b02625149ccc10776cc94f0157388947b3703b41eba03e0347f18ff677a25ee7984fbbbfd9bab9bea507222a94fdf4d5a5dc4ea317cc7ef9a248ddfee2ffd