Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 06:13

Static task: static1
Behavioral task: behavioral1
Sample: 3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe
Resource: win10v2004-20241007-en
General
- Target: 3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe
- Size: 479KB
- MD5: cd7f03dca0915b8580f927443a7e9f0c
- SHA1: 1d8fe1ea3c406ef81a782428c397fcae8f4dda03
- SHA256: 3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870
- SHA512: ee44bd4aa198b3c5db1c9e70832cf3e4ea2a96b0889c21c8cc2b78b12802d60c6dd12386bf50a66c319410c7840967926c061bede58fc53b54dc13ab0a188f40
- SSDEEP: 6144:Kuy+bnr+/p0yN90QEkXEYwGZxRwv797gztQKyADdStBTNqpCtHh8o3jr5xbNn6e0:+Mr7y90lY9G7rKyAItpApCBGU5TX0
Malware Config
Extracted
- Family: redline
- Botnet: maher
- C2: 217.196.96.101:4132
- auth_value: c57763165f68aabcf4874e661a1ffbac
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource / yara_rule
- behavioral1/memory/1548-15-0x00000000023A0000-0x00000000023BA000-memory.dmp: healer
- behavioral1/memory/1548-19-0x0000000002630000-0x0000000002648000-memory.dmp: healer
- behavioral1/memory/1548-48-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-46-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-44-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-42-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-40-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-38-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-36-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-34-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-32-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-30-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-28-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-27-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-24-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-22-0x0000000002630000-0x0000000002642000-memory.dmp: healer
- behavioral1/memory/1548-21-0x0000000002630000-0x0000000002642000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (a5845182.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a5845182.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a5845182.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a5845182.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a5845182.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a5845182.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource / yara_rule
- behavioral1/files/0x0007000000023c99-54.dat: family_redline
- behavioral1/memory/3328-56-0x00000000005D0000-0x0000000000600000-memory.dmp: family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid / Process
- 2876 v3921378.exe
- 1548 a5845182.exe
- 3328 b1130488.exe

Windows security modification
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a5845182.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a5845182.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v3921378.exe)

Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid / Process
- 1824 sc.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (v3921378.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a5845182.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b1130488.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process
- 1548 a5845182.exe
- 1548 a5845182.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process
- Token: SeDebugPrivilege, 1548 a5845182.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target
- PID 3512 wrote to memory of 2876: 3512 3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe, procid_target 83
- PID 3512 wrote to memory of 2876: 3512 3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe, procid_target 83
- PID 3512 wrote to memory of 2876: 3512 3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe, procid_target 83
- PID 2876 wrote to memory of 1548: 2876 v3921378.exe, procid_target 84
- PID 2876 wrote to memory of 1548: 2876 v3921378.exe, procid_target 84
- PID 2876 wrote to memory of 1548: 2876 v3921378.exe, procid_target 84
- PID 2876 wrote to memory of 3328: 2876 v3921378.exe, procid_target 95
- PID 2876 wrote to memory of 3328: 2876 v3921378.exe, procid_target 95
- PID 2876 wrote to memory of 3328: 2876 v3921378.exe, procid_target 95
Processes
- C:\Users\Admin\AppData\Local\Temp\3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3792f24bb214aace5fa9b8ddd4d67b2e327e3f0f92296f11eb76e5d5732c1870.exe"
  PID: 3512
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3921378.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3921378.exe
    PID: 2876
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5845182.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5845182.exe
      PID: 1548
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1130488.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1130488.exe
      PID: 3328
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 1824
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 307KB
  MD5: 7acf75193a8cea548abad73bd043b376
  SHA1: 3a3c490fd02e9499da1b1a55c806084026d7a741
  SHA256: e4727012f16f2b378310bdd1f14f3fc559a64644a62919204d751b60e97f1b12
  SHA512: 0d7786cb1f65ec438befc51b0c97c4935cf3267cbf278c14bcad9b250641d23f84cd4d1fb7215952589430308f2ffae5f58d51f9a999b19e9192965895422691
- Filesize: 179KB
  MD5: 10fcba7830f50cee75aef0a49d9220de
  SHA1: b1511ebe7f43d34f834d461880aa5b9b9c2ec482
  SHA256: fe2dbd1b465217ae251b16f932afadb0af719438a4494be47b539a280218da37
  SHA512: 0d80616d84289de672f1587bdeabdc3285896bf4df2ce8a0b26423d57785b825a95be6918d59cc611a39025d82d007ac0867d9d1d2c11ee2fb8afbd67515122d
- Filesize: 168KB
  MD5: be7e4d8cc6c9b7f2835528b4abc92363
  SHA1: 2d15c615d8239c0d673bc1f0358bd1b7efc0cbe5
  SHA256: 1a914ef75e161e88315f1a745ed3232002c688281fcf3aa7b9aca4a8591df7b9
  SHA512: f0486cecf479e6e18029c210d288282961ba1bd247004605f42455c2d4e93f5add6f22bd3f7f077a7df9c83bb8220318520710ec403901e3e7a8dc7d1d10f691