Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:16
Static task
static1
Behavioral task
behavioral1
Sample
27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe
Resource
win10v2004-20241007-en
General
-
Target
27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe
-
Size
479KB
-
MD5
1a9546516eac421b88e4e157540eee9e
-
SHA1
bf271a750e9fc7a3ca1223a2ad302facb160016b
-
SHA256
27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca
-
SHA512
82577e9daab5cd724e0657d0dd58ce2ae594fcc5764fd8944b572dd5de92a3f0e7f54e9dedd29b131292541a1eaa809ff84c1578f2cbd3c68ff260ac2b1cc333
-
SSDEEP
12288:tMrXy90p6BRv3hIG+THTWRy8/1bTZJqXD8:eyu6zhBoGQD8
Malware Config
Extracted
redline
murka
217.196.96.101:4132
-
auth_value
878a0681ac6ad0e4eb10ef9db07abdd9
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2948-15-0x00000000022B0000-0x00000000022CA000-memory.dmp healer behavioral1/memory/2948-18-0x00000000024B0000-0x00000000024C8000-memory.dmp healer behavioral1/memory/2948-30-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-38-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-48-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-46-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-44-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-42-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-40-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-36-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-34-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-32-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-28-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-26-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-24-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-21-0x00000000024B0000-0x00000000024C2000-memory.dmp healer behavioral1/memory/2948-22-0x00000000024B0000-0x00000000024C2000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a7464081.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a7464081.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a7464081.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a7464081.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a7464081.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a7464081.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0009000000023bbd-54.dat family_redline behavioral1/memory/2876-56-0x00000000002D0000-0x0000000000300000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4712 v9829224.exe 2948 a7464081.exe 2876 b7349453.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a7464081.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a7464081.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v9829224.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v9829224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a7464081.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b7349453.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2948 a7464081.exe 2948 a7464081.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2948 a7464081.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2920 wrote to memory of 4712 2920 27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe 83 PID 2920 wrote to memory of 4712 2920 27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe 83 PID 2920 wrote to memory of 4712 2920 27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe 83 PID 4712 wrote to memory of 2948 4712 v9829224.exe 84 PID 4712 wrote to memory of 2948 4712 v9829224.exe 84 PID 4712 wrote to memory of 2948 4712 v9829224.exe 84 PID 4712 wrote to memory of 2876 4712 v9829224.exe 94 PID 4712 wrote to memory of 2876 4712 v9829224.exe 94 PID 4712 wrote to memory of 2876 4712 v9829224.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe"C:\Users\Admin\AppData\Local\Temp\27cf3cf0d1d34cc9df5c5dd63eb8a0e4dd48b60f39b9ba33b4cb4a0c6fb9d0ca.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9829224.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9829224.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7464081.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7464081.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7349453.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7349453.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD5fee75afe7ae5e52c69896233b4253eef
SHA1f9c74f84ceef0b467d91018db4261dd0f35a98a7
SHA25686a2465e3b850731242d53feeadfbf775a16daa46d5d1b59ad86c452dfa4295a
SHA512155e899e579676e9ac4ed70f048cf61caf042ddd409fa11d14141c982b12a4a6a1b2a91b5469fa838b9093c70edb93a2c97dda6d8adb2de42c50f6e9975a9e9c
-
Filesize
181KB
MD585fce7e808f9f4d0cace7537f3990d8a
SHA15c0a66e370e473beca270a60fcb4a64e7c7af483
SHA256c53c6d6b01452a36410b0b5a65419c03700898fb0076981656a7934c0c167ac6
SHA5120dd8457ff53e99be5deaba6d75f8601595e8fc6f42ca08055daf8bf152c13d9e75328cd676490678bf995f164a7693996e6f12871511e1ffddab686e2a8f8b95
-
Filesize
168KB
MD591f424ee7e05e87d57a7dcd83e1a9358
SHA1e45b6e0fc5b51020fb1ddf14121e11c643478b4e
SHA256d0fb1780f8072834a6d223e44b84c683c7543642bf1ba47cde4c5e9f1690438b
SHA512d11e231e4a25edc1889e3662cf66651e018424cb30bb37fc5db1b8ed457a4150d5108d38160d4c6b544964232e9f4fd8c9c30fba7281cdc0ebb175fba008f628