Analysis
max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:42
Static task: static1
Behavioral task: behavioral1
Sample: 7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe
Resource: win10v2004-20241007-en
General
Target: 7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe
Size: 936KB
MD5: ba17e2a72ce5c4d09972dbbb19c6606e
SHA1: 5c8739b6a432e28fbf348a7b6d932abcfffd568e
SHA256: 7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14
SHA512: 205ca961ce87dc6727817ae2eba8ee7ed876eca42246c6b21698397228e3b738565e8980dc3403d995e68ae1a4bea4430a87ac4bd1f134258f08b37ebeae55ed
SSDEEP: 24576:Py8A/C8PDWOMBinAYUkh/T3/zNRyrqeU2EHIIIu3o:a5DWOMeUkh7gU2+IIf
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca0-19.dat | healer
behavioral1/memory/4384-22-0x00000000009F0000-0x00000000009FA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
Process: it682903.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
2320 | ziXN3257.exe
4088 | ziJY4016.exe
4384 | it682903.exe
4288 | jr267474.exe
Windows security modification
Process: it682903.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 3 IoCs)
Process | registry write
7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe | Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
ziXN3257.exe | Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
ziJY4016.exe | Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Process | key opened
7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ziXN3257.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ziJY4016.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
jr267474.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4384 | it682903.exe
4384 | it682903.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4384 | it682903.exe
Token: SeDebugPrivilege | 4288 | jr267474.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3788 wrote to memory of 2320 | 3788 | 7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe | 83
PID 3788 wrote to memory of 2320 | 3788 | 7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe | 83
PID 3788 wrote to memory of 2320 | 3788 | 7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe | 83
PID 2320 wrote to memory of 4088 | 2320 | ziXN3257.exe | 84
PID 2320 wrote to memory of 4088 | 2320 | ziXN3257.exe | 84
PID 2320 wrote to memory of 4088 | 2320 | ziXN3257.exe | 84
PID 4088 wrote to memory of 4384 | 4088 | ziJY4016.exe | 85
PID 4088 wrote to memory of 4384 | 4088 | ziJY4016.exe | 85
PID 4088 wrote to memory of 4288 | 4088 | ziJY4016.exe | 97
PID 4088 wrote to memory of 4288 | 4088 | ziJY4016.exe | 97
PID 4088 wrote to memory of 4288 | 4088 | ziJY4016.exe | 97
Processes (process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7cafb923c1a41dfd66700823d474c28ec50aca4616f2f8a87f99bb1ff0d97b14.exe"
  PID: 3788
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXN3257.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXN3257.exe
    PID: 2320
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJY4016.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJY4016.exe
      PID: 4088
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it682903.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it682903.exe
        PID: 4384
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr267474.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr267474.exe
        PID: 4288
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads