Analysis

max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:28

Static task: static1
Behavioral task: behavioral1
Sample: a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe
Resource: win10v2004-20241007-en
General

Target: a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe
Size: 481KB
MD5: bc89a1967a9238c293f6c5c8db76ef0d
SHA1: 843abbfb7a680ae93faf8cb875d237b06cd8d78f
SHA256: a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d
SHA512: 95393fe15b9b61756bd0ffa952789a14534b83999605c5adec952838da224a4f422050032dc5805ae23dcce0f9daaeb70d96720c6f0f8e5486113ecddb459079
SSDEEP: 12288:SMrJy90VE/wy5+gM2Fs9hJ1ClekXKI9YhK+P:7yz4y5s20WWI9atP
Malware Config

Extracted
  Family: redline
  Botnet: misfa
  C2: 217.196.96.101:4132
  auth_value: be2e6d9f1a5e54a81340947b20e561c1
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
  description      ioc                                                                                                                              Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                  a4095694.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   a4095694.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       a4095694.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   a4095694.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   a4095694.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4095694.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x0007000000023c75-54.dat                                  family_redline
  behavioral1/memory/1064-56-0x0000000000D70000-0x0000000000D9E000-memory.dmp  family_redline
Redline family

Executes dropped EXE (3 IoCs)
  pid   Process
  444   v0593799.exe
  1788  a4095694.exe
  1064  b4076102.exe

Windows security modification
  description      ioc                                                                                           Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                    a4095694.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a4095694.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v0593799.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b4076102.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v0593799.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a4095694.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1788  a4095694.exe
  1788  a4095694.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1788  a4095694.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4808 wrote to memory of 444   4808  a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe  83
  PID 4808 wrote to memory of 444   4808  a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe  83
  PID 4808 wrote to memory of 444   4808  a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe  83
  PID 444 wrote to memory of 1788   444   v0593799.exe                                                              84
  PID 444 wrote to memory of 1788   444   v0593799.exe                                                              84
  PID 444 wrote to memory of 1788   444   v0593799.exe                                                              84
  PID 444 wrote to memory of 1064   444   v0593799.exe                                                              97
  PID 444 wrote to memory of 1064   444   v0593799.exe                                                              97
  PID 444 wrote to memory of 1064   444   v0593799.exe                                                              97
Processes

C:\Users\Admin\AppData\Local\Temp\a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2e66cc2d5c92ab777c06622852e94d418c0c9e41489b4462239d0a2b55dcb9d.exe"
  PID: 4808
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0593799.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0593799.exe
    PID: 444
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4095694.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4095694.exe
      PID: 1788
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4076102.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4076102.exe
      PID: 1064
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 309KB
MD5: 0652c3e0c4c2f580fdbb05de3e7056d1
SHA1: dc027a880852c3cfa63162e21e02ce2ac1699586
SHA256: f27b475797b21329229a273327a2ddaf51d9557bf3a8dc6325a8a05e96d18f0b
SHA512: df49d350a4e7460c487ffc6381c2187f6a420f99367b32656b7315048154fb6bd0a0ba21ca4beb2387e6e509f2e7f63158a839234f89f70683d8ffd31d33d307

Filesize: 178KB
MD5: 07c0a9ddb11da1bf30504c1d954baffe
SHA1: e5401bb493ebac9ea1629a54ffb66f5de64c6b10
SHA256: ed556cfd35ba31b586bf993a0b67ef3a1bace0e23551e8f84a15815bcaf6b3a8
SHA512: b6113451be73e8ff111f6867bad3e6d5692bdc139506d2e21596935e8fc6bb46d07096c96c9d248ede8e478b6161e9e8b1743b6c1a56340845af384125242062

Filesize: 168KB
MD5: d76e2b210c8128912d7a556007eaeb29
SHA1: 4cb107cf201ff74e505fa5147b8522b4e0d24315
SHA256: 265f95f6f4c28a859312a2d1db88adda8ad16857ca6f69a4460902d54d1268c0
SHA512: 905a89ecc65948981c6386fcc3e088ce66f126ff07b089f3797f3abac0e92fe35fecee2083ae95b00abe15e664ac11fdaedb46e6436997ca8efcc2acb06f7a44