Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:14
Static task: static1
Behavioral task: behavioral1
Sample: b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe
Resource: win10v2004-20241007-en
General
Target: b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe
Size: 478KB
MD5: 2a9d373dcda882e494f41d2e9aceb735
SHA1: a414c3b763c318915fa42b56848847a4ab2923a9
SHA256: b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c
SHA512: 5577463b0cfec0b82b4397089f3971332b4dcf1496e71853858f104f6e4c7e5dd61c0c75a50fcf51870de0f0e6687755cccf9b5893c5e1c979014cabe31cdb06
SSDEEP: 12288:aMr6y904gUG0HKF5c1u31uTUNTjhqqpmZarlEb:EyBgUG0HKrXYTgMVar6
Malware Config
Extracted
Family: redline
Botnet: dumud
C2: 217.196.96.101:4132
auth_value: 3e18d4b90418aa3e78d8822e87c62f5c
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
resource | yara_rule
behavioral1/memory/1396-15-0x0000000002090000-0x00000000020AA000-memory.dmp | healer
behavioral1/memory/1396-18-0x0000000004980000-0x0000000004998000-memory.dmp | healer
behavioral1/memory/1396-48-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-46-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-44-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-42-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-40-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-38-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-36-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-34-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-32-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-30-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-28-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-26-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-24-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-22-0x0000000004980000-0x0000000004992000-memory.dmp | healer
behavioral1/memory/1396-21-0x0000000004980000-0x0000000004992000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | k9136730.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k9136730.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k9136730.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k9136730.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k9136730.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k9136730.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cbb-55.dat | family_redline
behavioral1/memory/508-56-0x0000000000A50000-0x0000000000A80000-memory.dmp | family_redline

Redline family
Executes dropped EXE 3 IoCs
pid | Process
3100 | y5263082.exe
1396 | k9136730.exe
508 | l0963230.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k9136730.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k9136730.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y5263082.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y5263082.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k9136730.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l0963230.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1396 | k9136730.exe
1396 | k9136730.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1396 | k9136730.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4200 wrote to memory of 3100 | 4200 | b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe | 85
PID 4200 wrote to memory of 3100 | 4200 | b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe | 85
PID 4200 wrote to memory of 3100 | 4200 | b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe | 85
PID 3100 wrote to memory of 1396 | 3100 | y5263082.exe | 86
PID 3100 wrote to memory of 1396 | 3100 | y5263082.exe | 86
PID 3100 wrote to memory of 1396 | 3100 | y5263082.exe | 86
PID 3100 wrote to memory of 508 | 3100 | y5263082.exe | 93
PID 3100 wrote to memory of 508 | 3100 | y5263082.exe | 93
PID 3100 wrote to memory of 508 | 3100 | y5263082.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b31f272251be7e2317a2f0f0c9fecb80742e5eddc4ad5fdb9100528f04d1dc3c.exe"
  PID: 4200
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5263082.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5263082.exe
    PID: 3100
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9136730.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9136730.exe
      PID: 1396
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0963230.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0963230.exe
      PID: 508
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 307KB
MD5: a20356eca64cb20304110b5aa6799f93
SHA1: f7d2a3378334505f7a4eae584f293f51d9f310d7
SHA256: 5ef4144749006cb6378b70f50bf3510c2c340961465f1ae2b0f1a6da37907002
SHA512: ea8c57402e150e30a46862db30e3c8180ec19087d60d19b0140934c22ae275776cc0f6a71a2f5005f5f9e706ceb6f6f344a5f84d87f86d85a9f2cc08b024ff10

Filesize: 180KB
MD5: e66d8d0a3191f50f1a1a70be4618c17f
SHA1: 6a5fb29bee4d0b8c1b13ccd3af6427cd7cbd2345
SHA256: 70f9372f8680e455ff30d78f73763a8b2f1b8de6ded510714632bbac561665d0
SHA512: 6da5d557f51340d58b6db03ce3603a274f27df3d75f0c2082cd4374c49dfb709c00d25e62626a51e43e05e026bfc9207cabc9f4c40829b317db5785e88188768

Filesize: 168KB
MD5: 6989601e0a822928f3d82bb268881755
SHA1: 6ad85ef89d707715908455ff417675b36fca946b
SHA256: aa1b77d2c3ac0f8cf15b81aa5e67966d79de07ede5dfad3f20d10dd75da2cd21
SHA512: 6878759ba3c851fc049dd6a38af46549521227e63139fb667104c754becc85dc33fd0248d933f48c9b0c00b3da13c6032945864864300f314a16b794276df57f