Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 06:05
Static task
static1
Behavioral task
behavioral1
Sample
80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe
Resource
win10v2004-20241007-en
General
-
Target
80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe
-
Size
829KB
-
MD5
2ce5496eb967fad94a799d81ad8df38b
-
SHA1
2ac400538285cf724f5e7fa6bc92f8d7e9685ff2
-
SHA256
80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29
-
SHA512
2e00075f0e44533666c7996d3ad5d3f80f03a3b18cbfc8607611c9a31e1909b69357685f601516c3e998497ec7c4fb99b141767558be4943ec01eb194bcfba55
-
SSDEEP
12288:ryy90SNx1F0GzCgRiDW7HSb9ZwQlnQ71QcdE4cY8X0SHdFGOO9kvuAiPQZpSwQdf:myZCxW7HKJiXE40Xl9tvuk3w
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023ba0-19.dat healer behavioral1/memory/3652-22-0x0000000000B90000-0x0000000000B9A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it268785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it268785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it268785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it268785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it268785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it268785.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/1324-29-0x0000000004A30000-0x0000000004A6C000-memory.dmp family_redline behavioral1/memory/1324-31-0x00000000071E0000-0x000000000721A000-memory.dmp family_redline behavioral1/memory/1324-37-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-47-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-95-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-93-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-91-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-89-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-85-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-83-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-81-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-79-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-77-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-75-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-73-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-71-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-69-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-65-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-63-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-62-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-57-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-55-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-54-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-52-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-49-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-45-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-43-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-41-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-39-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-87-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-67-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-59-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-35-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-33-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline behavioral1/memory/1324-32-0x00000000071E0000-0x0000000007215000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 4208 zixF5543.exe 2396 ziVV4042.exe 3652 it268785.exe 1324 jr778736.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it268785.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zixF5543.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ziVV4042.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zixF5543.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziVV4042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jr778736.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3652 it268785.exe 3652 it268785.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3652 it268785.exe Token: SeDebugPrivilege 1324 jr778736.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3300 wrote to memory of 4208 3300 80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe 83 PID 3300 wrote to memory of 4208 3300 80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe 83 PID 3300 wrote to memory of 4208 3300 80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe 83 PID 4208 wrote to memory of 2396 4208 zixF5543.exe 84 PID 4208 wrote to memory of 2396 4208 zixF5543.exe 84 PID 4208 wrote to memory of 2396 4208 zixF5543.exe 84 PID 2396 wrote to memory of 3652 2396 ziVV4042.exe 85 PID 2396 wrote to memory of 3652 2396 ziVV4042.exe 85 PID 2396 wrote to memory of 1324 2396 ziVV4042.exe 95 PID 2396 wrote to memory of 1324 2396 ziVV4042.exe 95 PID 2396 wrote to memory of 1324 2396 ziVV4042.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe"C:\Users\Admin\AppData\Local\Temp\80f08ddcf129233f3731597c5ef6c6a2abf805a0d62727ec1db7a1a73e21ce29.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF5543.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixF5543.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVV4042.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVV4042.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it268785.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it268785.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr778736.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr778736.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
569KB
MD5f9b3900bca5fba8f1db8110c8a307fbf
SHA13259263ca35ed2f0333e5fe4cd52b452756eecae
SHA256f2459e922b35b5383904f40ca49673a28fbabfdb022c5f8fecf9b5dbbaccb135
SHA512de2583af116cc7ced74688395f66aac878bfd1eebc97999a7320d6911375928474ebf7af564b13190b99fd63c9cb5ab6e07ca91063ac0fa49797cca9e3f1d222
-
Filesize
415KB
MD580bda0befe6522219cf54e1712667df0
SHA1b7a23a0791774cfb61e83d479ccf1efad8a1ebee
SHA256a654b4ef8483e18c4f895fc4f1b01b52fe497a622a63362ceef84e1e4ddc34ae
SHA51264d03ce2e3d57748748fe9fc54793102b997ad0016a4456045ea94d8b09707824500dbb32065f675d0e28255e8da5024d458e8090ef4d5255d4635c067cba15c
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
382KB
MD5b53e080ca68c735765074046852f942f
SHA174341dd2807c016e16031b3190a2929a3e5618bb
SHA256ff28224b737f5002b6f9f2697a5720b03cec248b05fce52e7efe19286ce322db
SHA51256de6f945054a67ed2737ed9940e70f970a81ffee22b1d908824b7bf75e6f9e7b9dfc8adf17221ac5a570be62acbec22b1d0ae955e8ad42046a9132d2d6a508a