Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:17
Static task
static1
Behavioral task
behavioral1
Sample
0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe
Resource
win10v2004-20241007-en
General
-
Target
0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe
-
Size
479KB
-
MD5
f74148aac14e9d00ca9f46e58a9ce263
-
SHA1
3f389468cb29ff54c4db06566d521660a6c391e5
-
SHA256
0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e
-
SHA512
aa75a2476bf5f04bc220c1e3a8be7d2e4c5cf394e1d9bcdb3b56c1aa521870596e2a7f8748f3ce450987f0d7ebb76ee3949a25fa179bb62dffc289166329806b
-
SSDEEP
12288:YMrLy90vL5eHFaz5c1u31/T23MpraIX+mM9LydYUVBxD:TyoLMadXZTTr55RdnTR
Malware Config
Extracted
redline
morty
217.196.96.101:4132
-
auth_value
fe1a24c211cc8e5bf9ff11c737ce0e97
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4372-15-0x0000000000670000-0x000000000068A000-memory.dmp healer behavioral1/memory/4372-19-0x00000000021C0000-0x00000000021D8000-memory.dmp healer behavioral1/memory/4372-41-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-47-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-45-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-43-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-39-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-37-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-35-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-33-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-31-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-29-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-27-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-25-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-23-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-21-0x00000000021C0000-0x00000000021D2000-memory.dmp healer behavioral1/memory/4372-20-0x00000000021C0000-0x00000000021D2000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a7383723.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a7383723.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a7383723.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a7383723.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a7383723.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a7383723.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b96-54.dat family_redline behavioral1/memory/4672-56-0x0000000000B70000-0x0000000000B9E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3112 v9639336.exe 4372 a7383723.exe 4672 b8152210.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a7383723.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a7383723.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v9639336.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 808 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v9639336.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a7383723.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8152210.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4372 a7383723.exe 4372 a7383723.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4372 a7383723.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3412 wrote to memory of 3112 3412 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe 85 PID 3412 wrote to memory of 3112 3412 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe 85 PID 3412 wrote to memory of 3112 3412 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe 85 PID 3112 wrote to memory of 4372 3112 v9639336.exe 87 PID 3112 wrote to memory of 4372 3112 v9639336.exe 87 PID 3112 wrote to memory of 4372 3112 v9639336.exe 87 PID 3112 wrote to memory of 4672 3112 v9639336.exe 94 PID 3112 wrote to memory of 4672 3112 v9639336.exe 94 PID 3112 wrote to memory of 4672 3112 v9639336.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4672
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:808
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD5e1ea8227deff3d431e9af22c642a6011
SHA12f4b73de7db5c8c6b8a9047a6f2da48fec68ad16
SHA2568dd76c6b2f719886552f75cd22912274c14b05766bea8b4ee61f8470f1f4cb7b
SHA51261c84424f5a270bc2534f07f06d8089ed58dfce8fd84c549c0e6a19be2253cf60df3d14563f508e0a3063fe7924cac3874ac92901b7bcfc37be4d0ed0d228cbc
-
Filesize
178KB
MD545cf0dc03b5352571138c8c2698c8cfe
SHA1601d40add54ce3a816e6d1de99b33ff00c723423
SHA256c24b33cd7d5c257b50a4a3ec5e75d18abcc2a2d04c6229b9968b22f9c44b6986
SHA51236b056d0568a96b31b38f45b94447da7ecc7db5efac83ef384e27617ce8fd9a445a4cb26744a1d585aa270bf5612a4a748e7a5748c1094dd84cc9c97d0c2cdf3
-
Filesize
168KB
MD54136481881f343d02ffbef27ca9ec717
SHA17fad11267c6e3fc8d869df68a396c925f73ad276
SHA25693565fe60bbd30ca86d91be39af3eef493da40d0de5462719c8ff1349d906017
SHA51288a6e3752c1d552c3465a5331a3f98a0dcbd5524004183fcfe85ce8e6b155bd1ac255beca68835ad2b2e09a4087c9bf84c562596c68fe23945a0dcb136d4cde9