Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:11
Static task
static1
Behavioral task
behavioral1
Sample
0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe
Resource
win10v2004-20241007-en
General
-
Target
0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe
-
Size
566KB
-
MD5
4151a6bcd80a1d2d0d297052c3ef8db8
-
SHA1
aed71278168192978a29fd03847443cf13d3540c
-
SHA256
0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9
-
SHA512
6dc9f510464eb2ed2abc1378e72a33c2fbfd20d80141b9545e049b6b8d82e16a9d5a96612e0fba4944c3207ad50c5211df58af4567716be9414ead7594405874
-
SSDEEP
12288:by909S0xBE7RUHGA+Rz+Kkq2vsFKsFc7ChvpkN:bymSzUmXz+Kkq20FKsFjs
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000e000000023aa4-12.dat healer behavioral1/memory/456-15-0x0000000000690000-0x000000000069A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it604161.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it604161.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it604161.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it604161.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it604161.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it604161.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4600-22-0x0000000004800000-0x000000000483C000-memory.dmp family_redline behavioral1/memory/4600-24-0x0000000004AE0000-0x0000000004B1A000-memory.dmp family_redline behavioral1/memory/4600-44-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-48-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-88-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-86-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-84-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-82-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-80-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-78-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-74-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-72-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-70-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-69-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-66-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-64-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-62-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-60-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-58-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-56-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-54-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-52-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-50-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-46-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-42-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-40-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-38-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-36-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-34-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-33-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-28-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-76-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-30-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-26-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline behavioral1/memory/4600-25-0x0000000004AE0000-0x0000000004B15000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 5088 ziEq6562.exe 456 it604161.exe 4600 kp191178.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it604161.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziEq6562.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4984 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziEq6562.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kp191178.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 456 it604161.exe 456 it604161.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 456 it604161.exe Token: SeDebugPrivilege 4600 kp191178.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4664 wrote to memory of 5088 4664 0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe 84 PID 4664 wrote to memory of 5088 4664 0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe 84 PID 4664 wrote to memory of 5088 4664 0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe 84 PID 5088 wrote to memory of 456 5088 ziEq6562.exe 85 PID 5088 wrote to memory of 456 5088 ziEq6562.exe 85 PID 5088 wrote to memory of 4600 5088 ziEq6562.exe 94 PID 5088 wrote to memory of 4600 5088 ziEq6562.exe 94 PID 5088 wrote to memory of 4600 5088 ziEq6562.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe"C:\Users\Admin\AppData\Local\Temp\0af6f824b57e30be0b7ff705e60d9f11e6be0aa512d58a195c994091793b46b9.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEq6562.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEq6562.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it604161.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it604161.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp191178.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp191178.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4984
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
412KB
MD5c44d029fdfd2376b10b67366c9b23d61
SHA1092e219bac3dd290dfbcaa54cc1368a1fa31c2e0
SHA256c0fdf41ec706011b9d69678e0ace78494ae74b153c25d268f9e2ef87dc44ac01
SHA51299feebb0fd096d39ff51c39ce1908369aec97d9c133e5b0e45cb8bcbb41e5df1eb701c8489ba130b5e09eb74ead66799096a499746977a21cf6660f900889fb1
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
368KB
MD5f6d5a439c2b4724c4cccedb39b2c3dcf
SHA1bf0d65b3d49afa51e97a704525d85460de306458
SHA256335b2bf5eda00c5da0484cf087f8aac2b76e4dc922c03ff21f925ab3b001c027
SHA51233372b6eba9296d534278f7cd347d7339c7aba1afecb9d4fc1524243561f1a3d3d7f1ef70826b15c2b5d11bea9f5929403d31652a46a6bd70a1edd17a4de9463