Analysis
max time kernel: 141s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:14
Static task: static1
Behavioral task: behavioral1
Sample: 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe
Resource: win10v2004-20241007-en
General
Target: 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe
Size: 1.5MB
MD5: 8f7f9ae0b25c081845ce87ed4ea78528
SHA1: 23e1e39136232056b672f7fbb18ba31622e6d18f
SHA256: 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb
SHA512: 33d90011bec26c0ae92cca8d494161a6e8d4f81ed19da180dff80d98936bb5f9773a868cf6234ed00be9253aa870e313e2e99f001fbe41cc01be805f251e459b
SSDEEP: 49152:+dMm4Qm0UmtDI3kNugqVZd8I/IKX7bTYQ9cQJJJs6r:Pmnmc00Nug7iXJnJJJ
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023ca2-33.dat | healer
behavioral1/memory/2024-35-0x0000000000180000-0x000000000018A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | az595113.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | az595113.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | az595113.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | az595113.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | az595113.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | az595113.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 6 IoCs
pid | Process
972 | ki984746.exe
4644 | ki451062.exe
4688 | ki873907.exe
3144 | ki081455.exe
2024 | az595113.exe
1300 | bu618859.exe
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | az595113.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ki984746.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ki451062.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ki873907.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ki081455.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ki984746.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ki451062.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ki873907.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ki081455.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bu618859.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2024 | az595113.exe
2024 | az595113.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2024 | az595113.exe
Token: SeDebugPrivilege | 1300 | bu618859.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4980 wrote to memory of 972 | 4980 | 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe | 85
PID 4980 wrote to memory of 972 | 4980 | 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe | 85
PID 4980 wrote to memory of 972 | 4980 | 3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe | 85
PID 972 wrote to memory of 4644 | 972 | ki984746.exe | 86
PID 972 wrote to memory of 4644 | 972 | ki984746.exe | 86
PID 972 wrote to memory of 4644 | 972 | ki984746.exe | 86
PID 4644 wrote to memory of 4688 | 4644 | ki451062.exe | 88
PID 4644 wrote to memory of 4688 | 4644 | ki451062.exe | 88
PID 4644 wrote to memory of 4688 | 4644 | ki451062.exe | 88
PID 4688 wrote to memory of 3144 | 4688 | ki873907.exe | 89
PID 4688 wrote to memory of 3144 | 4688 | ki873907.exe | 89
PID 4688 wrote to memory of 3144 | 4688 | ki873907.exe | 89
PID 3144 wrote to memory of 2024 | 3144 | ki081455.exe | 90
PID 3144 wrote to memory of 2024 | 3144 | ki081455.exe | 90
PID 3144 wrote to memory of 1300 | 3144 | ki081455.exe | 93
PID 3144 wrote to memory of 1300 | 3144 | ki081455.exe | 93
PID 3144 wrote to memory of 1300 | 3144 | ki081455.exe | 93
Processes
[1] C:\Users\Admin\AppData\Local\Temp\3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe (PID 4980)
    command line: "C:\Users\Admin\AppData\Local\Temp\3b8f1abb22243abd1e4217f19c0dca083ae046a843d091b147a07283cc2056eb.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki984746.exe (PID 972)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki984746.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki451062.exe (PID 4644)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki451062.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki873907.exe (PID 4688)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki873907.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki081455.exe (PID 3144)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki081455.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az595113.exe (PID 2024)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az595113.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu618859.exe (PID 1300)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu618859.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Downloads