Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 06:14
Static task
static1
Behavioral task
behavioral1
Sample
cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe
Resource
win10v2004-20241007-en
General
-
Target
cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe
-
Size
479KB
-
MD5
70e4b6cc5c454b37fd6692f0ee31785a
-
SHA1
55c1da440587a9add5282952fff939ae198f72fc
-
SHA256
cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0
-
SHA512
af5a76b3ea4c98afa15014909315c630664ec40de5a14b5e6d1239637382dd2820623271920b69cb77cc6b958d9b773d5af007f97cf73d860085e2d29a7858fb
-
SSDEEP
12288:WMrJy90/QdwNnomFkT0OuvGB6cFqs/AxpP:nyQWT0IFqks
Malware Config
Extracted
redline
murka
217.196.96.101:4132
-
auth_value
878a0681ac6ad0e4eb10ef9db07abdd9
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/3320-15-0x0000000002240000-0x000000000225A000-memory.dmp  healer
behavioral1/memory/3320-18-0x0000000002540000-0x0000000002558000-memory.dmp  healer
behavioral1/memory/3320-47-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-45-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-43-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-41-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-39-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-37-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-35-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-33-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-31-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-29-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-27-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-25-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-23-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-21-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/3320-20-0x0000000002540000-0x0000000002552000-memory.dmp  healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a5043918.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a5043918.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a5043918.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a5043918.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a5043918.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a5043918.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource  yara_rule
behavioral1/files/0x0007000000023ce5-53.dat  family_redline
behavioral1/memory/4280-55-0x0000000000BE0000-0x0000000000C10000-memory.dmp  family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid  Process
4904  v7907028.exe
3320  a5043918.exe
4280  b8872332.exe
-
Windows security modification 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a5043918.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a5043918.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v7907028.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v7907028.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a5043918.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b8872332.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
3320  a5043918.exe
3320  a5043918.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  3320  a5043918.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 1852 wrote to memory of 4904  1852  cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe  85
PID 1852 wrote to memory of 4904  1852  cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe  85
PID 1852 wrote to memory of 4904  1852  cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe  85
PID 4904 wrote to memory of 3320  4904  v7907028.exe  88
PID 4904 wrote to memory of 3320  4904  v7907028.exe  88
PID 4904 wrote to memory of 3320  4904  v7907028.exe  88
PID 4904 wrote to memory of 4280  4904  v7907028.exe  95
PID 4904 wrote to memory of 4280  4904  v7907028.exe  95
PID 4904 wrote to memory of 4280  4904  v7907028.exe  95
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cbbb535be7cab71e14d7bba40b6d2c852d59080ae9b890235820a8be13ab1df0.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1852
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7907028.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7907028.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4904
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5043918.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5043918.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3320
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8872332.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8872332.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 4280
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize
307KB
MD5 f8023d4e7256f122609b6b69c7108665
SHA1 8aaee6a6e0fa411feab682e02d0e4d5d899b1c2e
SHA256 ce4848c724360433874c563e0789ff2802388a5590b8b30f08f26639347bcc99
SHA512 9a5c2ae8794584c92a8142c1474f50c0b0bab729926d5b7d54be374c5c570f39667fbcaf5a25115cfb1ba50ff7fbbebe0d85ee5c237c0d5af22e9c0e1575b49b
-
Filesize
181KB
MD5 564a331fe7df33a12748a2be41ce38ce
SHA1 6f2d9da6530d16de34bf753c4bd95d302bf3b69c
SHA256 7a214100a1a7bd8c1dd40cafeb167a52d5807f87b2116ab432cefb2338aa50f4
SHA512 e0afe495ea0395bf6244633ab41f15b2c41d7366a6cf10cdda6658164547ef021d3fdc428d59931730acfe32e156977d0bfab7a44d94a7d7b4d9a1219aeb3f20
-
Filesize
168KB
MD5 f395a34d7da4c61be409291de99552a8
SHA1 7e947804e14434e5b59fb0bf55ec01a8d81b16c4
SHA256 42711dd911cd49c226e687e2466c1741dbc250695e31788a4e8220d9d5a9f8f7
SHA512 878fc40c09de53f421d6586549a2198b07d081a7b3b2f68939da10f45d7673ab18148127f19aa5f4be5ac4fc46045e0adda0cf97ecf665ddcc5a3515c3423226