Analysis
max time kernel: 141s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:30
Static task: static1
Behavioral task: behavioral1
Sample: d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe
Resource: win10v2004-20241007-en
General
Target: d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe
Size: 807KB
MD5: 0efe72f8fb6b726305a4e098eac6ad34
SHA1: 92f77734a401813fc9ff0a986294e5f99ed73184
SHA256: d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a
SHA512: c825cac44cc3d4baf85869da0f67f9dbe7aedb8df6c95f0e9627e9f961f4bfd536166195e4a94b14b451dbe1cd3fb5c439c3aa1caed4fdcbf0af62aa01938096
SSDEEP: 12288:Wy90Zns1Q8dv6RQvRbpH1/2DLuHixPBwp8Bv5Sucl4cTAlzen4Wcih:WyR1QKAPDli6BHcZTEK4mh
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource                                                                     yara_rule
behavioral1/files/0x000b000000023b7d-19.dat                                  healer
behavioral1/memory/432-22-0x0000000000420000-0x000000000042A000-memory.dmp   healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description       ioc                                                                                                                    Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    it444758.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    it444758.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  it444758.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                    it444758.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    it444758.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        it444758.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2436-29-0x0000000007240000-0x000000000727C000-memory.dmp   family_redline
behavioral1/memory/2436-31-0x00000000072D0000-0x000000000730A000-memory.dmp   family_redline
behavioral1/memory/2436-41-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-37-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-35-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-33-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-32-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-51-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-96-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-93-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-91-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-87-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-85-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-83-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-81-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-79-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-78-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-73-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-71-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-69-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-67-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-63-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-61-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-59-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-57-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-53-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-49-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-47-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-45-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-43-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-39-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-89-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-75-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-65-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline
behavioral1/memory/2436-55-0x00000000072D0000-0x0000000007305000-memory.dmp   family_redline

Redline family
Executes dropped EXE (4 IoCs)
pid    Process
4144   ziuQ9429.exe
3740   zibJ9869.exe
432    it444758.exe
2436   jr436249.exe

Windows security modification (1 IoC)
description       ioc                                                                            Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   it444758.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description       ioc                                                                                                                                                                                               Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   ziuQ9429.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   zibJ9869.exe

Note that these three RunOnce values are the standard cleanup entries written by the Windows self-extractor (wextract): each one schedules deletion of a nested IXP00n.TMP extraction directory through advpack.dll's DelNodeRunDLL32 at the next logon, and none of them launches a payload. The heuristic here therefore reflects the three-layer self-extracting wrapper rather than persistence of the stealer itself; the Defender-disabling writes by it444758.exe are the behaviour worth triaging.
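As an added example (not part of the sandbox report), the following Python parses registry-write IoC lines in the layout this report uses, tags each write, and separates a process that actually disables Defender (policy DWORDs under Real-Time Protection plus TamperProtection = 0) from the self-extractor's wextract_cleanup RunOnce entries. The sample lines are constructed from the Defender, TamperProtection and RunOnce entries above; the regexes, tag names and helper functions are the example's own and not anything the sandbox exposes.

```python
import re
from collections import defaultdict

# Constructed sample input: the registry-write IoC lines from the report above,
# in the sandbox's own '<op> (<type>) <path> = "<value>" <process>' layout.
IOC_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it444758.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it444758.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it444758.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it444758.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it444758.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it444758.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it444758.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziuQ9429.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" zibJ9869.exe',
]

# Value text is greedy so escaped quotes inside a str value do not end the match early;
# the process name is the last whitespace-free token on the line.
SET_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')

DEFENDER_RTP_POLICY = r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
TAMPER_PROTECTION = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
# Real-Time Protection policy DWORDs that switch a component off when set to 1.
RTP_DISABLE_VALUES = {
    'DisableRealtimeMonitoring', 'DisableOnAccessProtection', 'DisableBehaviorMonitoring',
    'DisableIOAVProtection', 'DisableScanOnRealtimeEnable',
}
# The directory argument wextract passes to DelNodeRunDLL32 sits between escaped quotes.
CLEANUP_DIR_RE = re.compile(r'\\"(.*?)\\"')


def parse_ioc(line):
    """Parse one registry IoC line into a dict; raise ValueError on an unknown layout."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m['path'].rpartition('\\')
        return {'op': 'set', 'path': m['path'], 'key': key, 'name': name,
                'type': m['type'], 'value': m['value'], 'proc': m['proc']}
    m = KEY_RE.match(line)
    if m:
        return {'op': 'create', 'path': m['path'], 'key': m['path'], 'name': None,
                'type': None, 'value': None, 'proc': m['proc']}
    raise ValueError(f'unrecognised registry IoC line: {line!r}')


def classify(ioc):
    """Tag a parsed write by its effect on the host; None for writes this example does not score."""
    if ioc['op'] != 'set':
        return None
    if ioc['key'] == DEFENDER_RTP_POLICY and ioc['name'] in RTP_DISABLE_VALUES and ioc['value'] == '1':
        return 'defender_rtp_disabled'
    if ioc['path'] == TAMPER_PROTECTION and ioc['value'] == '0':
        return 'tamper_protection_off'
    if ioc['type'] == 'str' and ioc['key'].endswith(r'\CurrentVersion\RunOnce'):
        # wextract's cleanup entry always invokes advpack.dll,DelNodeRunDLL32 on its IXP00n.TMP dir.
        if 'advpack.dll,DelNodeRunDLL32' in ioc['value']:
            return 'wextract_cleanup_runonce'
        return 'runonce_autostart'
    return None


def summarize(lines):
    """Map process name -> tag -> list of value names written, for scored writes only."""
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ioc = parse_ioc(line)
        tag = classify(ioc)
        if tag is not None:
            report[ioc['proc']][tag].append(ioc['name'])
    return {proc: dict(tags) for proc, tags in report.items()}


def defender_disablers(report):
    """Processes that both turned Tamper Protection off and disabled a real-time component."""
    return sorted(p for p, tags in report.items()
                  if 'tamper_protection_off' in tags and 'defender_rtp_disabled' in tags)


def cleanup_targets(lines):
    """Directories the wextract cleanup entries schedule for deletion, with escaping removed."""
    dirs = []
    for line in lines:
        ioc = parse_ioc(line)
        if classify(ioc) == 'wextract_cleanup_runonce':
            m = CLEANUP_DIR_RE.search(ioc['value'])
            if m:
                dirs.append(m.group(1).replace('\\\\', '\\'))
    return dirs


if __name__ == '__main__':
    summary = summarize(IOC_LINES)
    for proc, tags in summary.items():
        print(proc, tags)
    print('Defender disablers:', defender_disablers(summary))
    print('Cleanup targets:', cleanup_targets(IOC_LINES))
```

Run against the constructed lines, only it444758.exe is reported as a Defender disabler, while the three wextract_cleanup entries resolve to the nested IXP000.TMP, IXP001.TMP and IXP002.TMP directories, which is the distinction a responder needs before treating the RunOnce hits as persistence.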
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                         Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   zibJ9869.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jr436249.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ziuQ9429.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
432   it444758.exe
432   it444758.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    Process
Token: SeDebugPrivilege   432    it444758.exe
Token: SeDebugPrivilege   2436   jr436249.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                        pid    Process                                                                   procid_target
PID 3652 wrote to memory of 4144   3652   d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe    83
PID 3652 wrote to memory of 4144   3652   d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe    83
PID 3652 wrote to memory of 4144   3652   d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe    83
PID 4144 wrote to memory of 3740   4144   ziuQ9429.exe                                                              84
PID 4144 wrote to memory of 3740   4144   ziuQ9429.exe                                                              84
PID 4144 wrote to memory of 3740   4144   ziuQ9429.exe                                                              84
PID 3740 wrote to memory of 432    3740   zibJ9869.exe                                                              86
PID 3740 wrote to memory of 432    3740   zibJ9869.exe                                                              86
PID 3740 wrote to memory of 2436   3740   zibJ9869.exe                                                              97
PID 3740 wrote to memory of 2436   3740   zibJ9869.exe                                                              97
PID 3740 wrote to memory of 2436   3740   zibJ9869.exe                                                              97
Processes
1. C:\Users\Admin\AppData\Local\Temp\d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe (PID 3652)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d83b84b8e2de4dc4f754ee5f208c10361082a044bd3835aff368794280cc649a.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuQ9429.exe (PID 4144)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuQ9429.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zibJ9869.exe (PID 3740)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zibJ9869.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it444758.exe (PID 432)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it444758.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr436249.exe (PID 2436)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr436249.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 558KB
MD5: 76138f33ee3cb410f174f687172e5c59
SHA1: c89e49f5a19f9bb2cb587bb00d7d8b9c01b18c84
SHA256: f9683e9f2931560e9935e54988a30c709ecf0d92809b9f8df6120335bed587f3
SHA512: 824eb9e72ebd30f8abe5e359b745f1bc654120867b1610f73952b25aaa780dd83ea424e282d52d71ebf7b16719688afcebba468e00792fd470d7a3ec126cb2ef

Filesize: 404KB
MD5: 3aa531cd17f2e1b2f4556b2c38230557
SHA1: f282f98f7abc8431e701246a158798502e9e6d49
SHA256: a70d5d989b22fe57348514dcf12733b0d9ffc2476759a5558cd9d2d2bc92d99e
SHA512: 3ed0e04e3234beb3241ce2b19ead86a58e2130ef0a8e4c38febe6c5fe44cafd75332ec03dd980135f5877ecb3389201a6832bec295ee003269f18584ff56330c

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 361KB
MD5: 89af51aff5823c35a8860631606347c6
SHA1: e29eaa739478eb59c74706849237b5491f4c27ab
SHA256: 6220f47829e4c6bb99b24660d06239ea86c77c16d7a471b20ea76ac6bcc5d212
SHA512: 4f68df862cff9c60e92bf71711bcbc401c2ff1f73dc37dcf70e6848e0957b21b7b59dd5b768b16ca17291170afee66e6b1f1674ca3c167a1cc9e05f634f65647