Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:04
Static task: static1
Behavioral task: behavioral1
- Sample: decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe
- Resource: win10v2004-20241007-en
General
- Target: decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe
- Size: 479KB
- MD5: 9b0d8d7748860fbdf1b61ca4a81d8b3e
- SHA1: 6e3de869e08a6533dc4c1a6b07eba4d7e01fb5e6
- SHA256: decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3
- SHA512: 23da4b8f2034121c1a9b3eda3cf2112889c7ad9ac28dd3431d6463649b061de2657ed101bd27a730544aaa186e78104bad28d619d5963d317f877d3254c331b9
- SSDEEP: 12288:BMroy90N/Jip8Y2S1nUwHFuRJNtqZV6deX/:JyEJFxocLrcU+
Malware Config
Extracted
- Family: redline
- Botnet: divan
- C2: 217.196.96.102:4132
- Attributes: auth_value = b414986bebd7f5a3ec9aee0341b8e769
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
resource / yara_rule (all 17 hits are memory dumps of PID 3756, k1027108.exe, matching rule "healer"; the same region is hit across many snapshots):
- behavioral1/memory/3756-15-0x00000000020B0000-0x00000000020CA000-memory.dmp  healer
- behavioral1/memory/3756-19-0x0000000004990000-0x00000000049A8000-memory.dmp  healer
- behavioral1/memory/3756-48-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-46-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-44-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-42-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-40-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-38-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-36-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-34-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-32-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-30-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-28-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-26-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-24-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-22-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
- behavioral1/memory/3756-21-0x0000000004990000-0x00000000049A2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  k1027108.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  k1027108.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  k1027108.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  k1027108.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  k1027108.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  k1027108.exe
Note: the paths are reported as the 32-bit process sees them (under WOW6432Node); when checking a live host, read both the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key and the WOW6432Node view. With Tamper Protection enabled, Defender prevents these settings from being changed by anything other than Windows Security or management tooling, so treat the write itself as the indicator rather than as proof that real-time protection was turned off.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource / yara_rule (the memory hit is in PID 4804, l5006208.exe):
- behavioral1/files/0x000a000000023b6e-54.dat  family_redline
- behavioral1/memory/4804-56-0x00000000006D0000-0x00000000006FE000-memory.dmp  family_redline

Redline family
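As an added triage helper that is not part of the report or of any tool it names, the following Python collapses the memory-dump IoC entries from the Healer table and the RedLine payload table above into distinct regions per process, with the byte size of each region and the number of snapshots that hit it. The input is a constructed subset of those entries in the report's own "task/memory/pid-snapshot-start-end-memory.dmp rule" form; the file (".dat") IoC line is included to show that it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the memory-dump IoC entries from the
# Healer and RedLine YARA tables above, in the form the report prints them
# ("<task>/memory/<pid>-<snapshot>-<start>-<end>-memory.dmp <rule>").
SAMPLE_IOCS = """
behavioral1/memory/3756-15-0x00000000020B0000-0x00000000020CA000-memory.dmp healer
behavioral1/memory/3756-19-0x0000000004990000-0x00000000049A8000-memory.dmp healer
behavioral1/memory/3756-48-0x0000000004990000-0x00000000049A2000-memory.dmp healer
behavioral1/memory/3756-46-0x0000000004990000-0x00000000049A2000-memory.dmp healer
behavioral1/memory/3756-21-0x0000000004990000-0x00000000049A2000-memory.dmp healer
behavioral1/memory/4804-56-0x00000000006D0000-0x00000000006FE000-memory.dmp family_redline
behavioral1/files/0x000a000000023b6e-54.dat family_redline
"""

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<snap>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_dump_iocs(text):
    """One dict per memory-dump IoC line. File IoCs (".dat") and anything
    else that does not match the memory-dump form are skipped."""
    iocs = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        iocs.append({
            "pid": int(m["pid"]),
            "snapshot": int(m["snap"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        })
    return iocs


def distinct_regions(iocs):
    """Collapse per-snapshot hits into distinct (pid, rule, start, end) regions.
    Each region carries its byte size and how many snapshots matched it, so a
    "17 IoCs" count reads as a few regions in one process, which is what an
    analyst needs to decide what to carve from the dump."""
    hits = defaultdict(int)
    for i in iocs:
        hits[(i["pid"], i["rule"], i["start"], i["end"])] += 1
    return [
        {"pid": pid, "rule": rule, "start": start, "end": end,
         "size": end - start, "snapshots": n}
        for (pid, rule, start, end), n in sorted(hits.items())
    ]


def summarize(text):
    """Convenience wrapper: parse then collapse."""
    return distinct_regions(parse_dump_iocs(text))


if __name__ == "__main__":
    for r in summarize(SAMPLE_IOCS):
        print(f"pid {r['pid']:>5}  {r['rule']:<15} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"size 0x{r['size']:X} ({r['size'] // 1024} KiB)  snapshots {r['snapshots']}")
```

Run against the full 17-entry Healer table, the same code reduces it to three regions in PID 3756 (one of 0x1A000 bytes at 0x20B0000 and two overlapping ones starting at 0x4990000), which is the list to carve and scan rather than 17 separate files.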
Executes dropped EXE 3 IoCs
pid / Process:
- 2732  y6805686.exe
- 3756  k1027108.exe
- 4804  l5006208.exe

Windows security modification 2 IoCs
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  k1027108.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  k1027108.exe
Note: this is the value under which Defender records its Tamper Protection state; the dropper writing it to 0 pairs with the Real-Time Protection policy writes above, and the same WOW6432Node caveat applies.
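As an added example that is not part of the report, here is detection logic run over constructed Sysmon Event ID 13 (registry value set) records modelled on the Defender writes above. It flags the Real-Time Protection Disable* values set to 1 and the Features\TamperProtection value set to 0, after stripping the WOW6432Node component so a 32-bit process's redirected write and the native path compare equal. The reduced field layout and the two benign records are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records, reduced to
# the fields the check needs. The first three mirror the writes k1027108.exe
# makes in the report; the last two are benign writes added for contrast and
# are not from the report.
SAMPLE_EVENTS = [
    {"pid": 3756, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1027108.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"pid": 3756, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1027108.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "details": "DWORD (0x00000001)"},
    {"pid": 3756, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1027108.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000000)"},
    # Benign (hypothetical): a policy refresh setting the same value back to 0.
    {"pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},
    # Benign (hypothetical): an unrelated Defender value.
    {"pid": 5678, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters",
     "details": "DWORD (0x00000001)"},
]

# Value names under the Real-Time Protection policy key that, when set to 1,
# switch off a Defender component. All five appear in the report.
RTP_KEY = r"policies\microsoft\windows defender\real-time protection"
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
TAMPER_VALUE = r"microsoft\windows defender\features\tamperprotection"
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def normalize_target(target):
    """Lowercase and drop the WOW6432Node component, so a 32-bit process's
    redirected write compares equal to the native path an admin would query."""
    return target.lower().replace("\\wow6432node\\", "\\")


def dword_value(details):
    """Extract the DWORD data from Sysmon's 'DWORD (0x........)' Details field."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return a verdict string for a Defender-disabling write, or None."""
    target = normalize_target(event["target"])
    key, _, value = target.rpartition("\\")
    data = dword_value(event["details"])
    if key.endswith(RTP_KEY) and value in RTP_DISABLE_VALUES and data == 1:
        return f"defender_rtp_disabled:{value}"
    if target.endswith(TAMPER_VALUE) and data == 0:
        return "defender_tamper_protection_off"
    return None


def detect(events):
    """All Defender-disabling writes, grouped by the (pid, image) that made them.
    Several verdicts from one process is the Healer pattern seen in the report."""
    hits = {}
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.setdefault((e["pid"], e["image"]), []).append(verdict)
    return hits


if __name__ == "__main__":
    for (pid, image), verdicts in detect(SAMPLE_EVENTS).items():
        print(f"{pid} {image}: {', '.join(verdicts)}")
```

The value-to-0 write from svchost.exe is deliberately not flagged: re-enabling protection is what a Group Policy refresh does, and alerting on it would drown the real signal.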
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  y6805686.exe
Note: wextract_cleanupN RunOnce entries are written by the Windows IExpress self-extractor stub (wextract) so that advpack.dll's DelNodeRunDLL32 deletes its IXP00N.TMP extraction directory at the next logon. They are clean-up, not persistence for the payload, and nothing in the report shows the payload registering its own autostart. What they do confirm is that the sample and y6805686.exe are both IExpress-style self-extracting packages, matching the nested IXP000.TMP and IXP001.TMP paths in the process tree.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  y6805686.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  k1027108.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  l5006208.exe
Note: every process in the chain opens this key, and legitimate software reads it during locale initialisation as well; on its own it is a weak indicator.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
- 3756  k1027108.exe
- 3756  k1027108.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process:
- Token: SeDebugPrivilege  3756  k1027108.exe
Note: SeDebugPrivilege lets a process open handles to other processes that it could not otherwise touch; together with the process enumeration above it is consistent with the "antivirus disabler" role the Healer signature assigns to k1027108.exe.

Suspicious use of WriteProcessMemory 9 IoCs
description / pid / Process / procid_target (the last column is the sandbox's internal index of the target process, not its Windows PID):
- PID 3820 wrote to memory of 2732  3820  decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe  83
- PID 3820 wrote to memory of 2732  3820  decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe  83
- PID 3820 wrote to memory of 2732  3820  decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe  83
- PID 2732 wrote to memory of 3756  2732  y6805686.exe  84
- PID 2732 wrote to memory of 3756  2732  y6805686.exe  84
- PID 2732 wrote to memory of 3756  2732  y6805686.exe  84
- PID 2732 wrote to memory of 4804  2732  y6805686.exe  95
- PID 2732 wrote to memory of 4804  2732  y6805686.exe  95
- PID 2732 wrote to memory of 4804  2732  y6805686.exe  95
Note: each parent writes only into children it has just spawned, three events per child, which is what process creation itself looks like from a hook on WriteProcessMemory (the parent writes the new process's startup parameters before the child runs). None of the writes target an unrelated process, so this table is not evidence of injection into an existing process.
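As an added example that is not from the report, the following Python classifies WriteProcessMemory entries in the report's format against a process tree, separating parent-to-spawned-child writes from writes into unrelated processes. The process list is constructed from the report's tree; the explorer.exe launcher and the final write into it are hypothetical, added only for contrast, and the sample did not perform that write in the report.

```python
import re
from collections import defaultdict

# Constructed process list modelled on the report's process tree:
# (pid, parent pid, image). The explorer.exe entry is a hypothetical launcher
# for the sample; the report does not show what started PID 3820.
PROCESSES = [
    (1000, 4, "explorer.exe"),
    (3820, 1000, "decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe"),
    (2732, 3820, "y6805686.exe"),
    (3756, 2732, "k1027108.exe"),
    (4804, 2732, "l5006208.exe"),
]

# The nine WriteProcessMemory entries from the report, in the report's own
# column order (description, pid, Process, procid_target), plus one
# hypothetical write into explorer.exe added for contrast; the sample did not
# do that in the report.
WPM_LINES = """
PID 3820 wrote to memory of 2732 3820 decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe 83
PID 3820 wrote to memory of 2732 3820 decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe 83
PID 3820 wrote to memory of 2732 3820 decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe 83
PID 2732 wrote to memory of 3756 2732 y6805686.exe 84
PID 2732 wrote to memory of 3756 2732 y6805686.exe 84
PID 2732 wrote to memory of 3756 2732 y6805686.exe 84
PID 2732 wrote to memory of 4804 2732 y6805686.exe 95
PID 2732 wrote to memory of 4804 2732 y6805686.exe 95
PID 2732 wrote to memory of 4804 2732 y6805686.exe 95
PID 3756 wrote to memory of 1000 3756 k1027108.exe 99
"""

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<idx>\d+)$"
)


def parse_wpm(text):
    """(source pid, target pid, source image) per event. The trailing number is
    the sandbox's internal index of the target process, not a Windows PID, so
    it is parsed but not used for matching."""
    events = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["image"]))
    return events


def classify_writes(processes, events):
    """Collapse repeated (src, dst) pairs and label each pair.

    A parent writing into a child it spawned is what process creation itself
    looks like from a sandbox hook on WriteProcessMemory: the parent writes
    the new process's startup parameters before the child runs. A write into
    any other process is a cross-process write worth treating as a possible
    injection."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image_of = {pid: image for pid, _, image in processes}
    counts = defaultdict(int)
    for src, dst, _ in events:
        counts[(src, dst)] += 1
    labelled = []
    for (src, dst), n in sorted(counts.items()):
        kind = "child_startup" if parent_of.get(dst) == src else "cross_process"
        labelled.append({
            "src": src, "src_image": image_of.get(src, "?"),
            "dst": dst, "dst_image": image_of.get(dst, "?"),
            "events": n, "kind": kind,
        })
    return labelled


def cross_process_writes(processes, text):
    """Only the pairs that are not parent-to-spawned-child."""
    return [w for w in classify_writes(processes, parse_wpm(text))
            if w["kind"] == "cross_process"]


if __name__ == "__main__":
    for w in classify_writes(PROCESSES, parse_wpm(WPM_LINES)):
        print(f"{w['src']} ({w['src_image']}) -> {w['dst']} ({w['dst_image']}): "
              f"{w['events']} events, {w['kind']}")
```

On the report's nine real entries the result is three child_startup pairs and nothing else; the hypothetical tenth line is the shape an actual injection would take and is the only thing the cross_process filter keeps.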
Processes
C:\Users\Admin\AppData\Local\Temp\decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe (PID 3820)
  command line: "C:\Users\Admin\AppData\Local\Temp\decbbd0245e29731cc21c0dac85bdf1c96869302556c670b7ad2a7c207288fc3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6805686.exe (PID 2732)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6805686.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1027108.exe (PID 3756)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1027108.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5006208.exe (PID 4804)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5006208.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 307KB
  MD5: a3d8254a11983ae2dbf2d3287d224049
  SHA1: f75557bc061f35b3cde62bb951d58f0aeefcdfd0
  SHA256: 5e2af8711fb837395165052d9fbcfd82fbd341d84b5208abfaf66d22996e8a18
  SHA512: 06449ef9f0bfad4b87b36f171eac88e07298c0a469193acf4e7c954f60643ee20c72f1fffc64abbb20c806ebf7ffc5a2bdef01d9d4d0850d3f063e507ee1e946
- Filesize: 182KB
  MD5: 733bcd6f2d0a9ad25bc93b2e1111fcbb
  SHA1: 7bdaf0c827686e3ed65cdfd9d35e451c7a337dbe
  SHA256: 6ca41f31549cf77e4add1c7df0cbc93ef240f1a86fcb34bf8ea1ddd9ee38a458
  SHA512: 41fd7416da02aa17efa8e2acbe3d98b869c03589fab3b9af446330812e0e1d340a4c240dfcdd21d800ad1cdf89b6a230da40b415cd08ce90ae87617ccb8568e9
- Filesize: 168KB
  MD5: 6b43cf0c5ee9a5277e8e1df837f48f21
  SHA1: 64b11c80449c3f2d562a116c2ccc58b38746e413
  SHA256: e0c844f8ec568f144d0d52d48c4c763545d867a47b2be5a502f9cb2ac03bc94c
  SHA512: 3f90bfe80cfe131d23b974a0a5587c0d8aa7471a8ee67a5197cad52647ebc657e0f6d32362328377bdf191b976dece78e1fc2f8eee2b145a56765b12c5f31048