Analysis
max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:05
Static task: static1
Behavioral task: behavioral1
Sample: 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe
Resource: win10v2004-20241007-en
General
Target: 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe
Size: 568KB
MD5: 3522332158539cb6586713701b6069c0
SHA1: 70248d716b6dfe3b5653b4c1e1746fc72eae2ad3
SHA256: 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f
SHA512: 46dc8ac2bb49d9393d1805953391d83d77a4f699f46d9d30e0231ea59dbfb1f9f89bfb70eea9ec5b57e52e66654d649d22d86807b3419b7b1096d5515b50481b
SSDEEP: 12288:zy90LbjoC9OoR9uhFRwXZtRhv9HciMvZ9WHYl6M:zyGjF9OoR9LFhIvZ9W4sM
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b9d-12.dat | healer
behavioral1/memory/3768-15-0x0000000000460000-0x000000000046A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it053831.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it053831.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it053831.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it053831.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it053831.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it053831.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 3 IoCs
pid | Process
4752 | zici5686.exe
3768 | it053831.exe
4352 | kp630367.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it053831.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zici5686.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zici5686.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kp630367.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3768 | it053831.exe
3768 | it053831.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3768 | it053831.exe
Token: SeDebugPrivilege | 4352 | kp630367.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1420 wrote to memory of 4752 | 1420 | 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe | 83
PID 1420 wrote to memory of 4752 | 1420 | 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe | 83
PID 1420 wrote to memory of 4752 | 1420 | 31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe | 83
PID 4752 wrote to memory of 3768 | 4752 | zici5686.exe | 84
PID 4752 wrote to memory of 3768 | 4752 | zici5686.exe | 84
PID 4752 wrote to memory of 4352 | 4752 | zici5686.exe | 96
PID 4752 wrote to memory of 4352 | 4752 | zici5686.exe | 96
PID 4752 wrote to memory of 4352 | 4752 | zici5686.exe | 96
Processes
1. C:\Users\Admin\AppData\Local\Temp\31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\31605b07e3f7d9d7676dab41886df3d09c0d2b6d7492ad75aeaa4b612da9095f.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1420
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zici5686.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zici5686.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4752
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it053831.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it053831.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 3768
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp630367.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp630367.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 4352
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads