Analysis
  max time kernel: 150s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-11-2024 00:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe
  Resource: win10v2004-20241007-en
General
  Target: 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe
  Size: 767KB
  MD5: 7f9edfe5ab375c8cf7b30ebc1e602be3
  SHA1: ab6398e7e95a2a6deec86d8a9e04d1f2a016b5e9
  SHA256: 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa
  SHA512: 25d848ccec318730fb9702624a0c9deebb6edb36d5c965d22f13ec623c4d77f576fca552a9109fabe9a186abd8a34513b3f947f3d9a8dd8b06046d28d0217354
  SSDEEP: 12288:5Mrjy909CVQySnEDg4c0DpdpDYHjLIPs5Nnk838tfQ3P9BGuA9h+4fu7f2s:+ywBySnEDgLCpDDYHj00Dnkc8ts98f7g
Malware Config
Extracted
  redline
  dubna
  193.233.20.11:4131
  auth_value: f324b1269094b7462e56bab025f032f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/files/0x0008000000023c93-19.dat | healer
  behavioral1/memory/5092-22-0x0000000000140000-0x000000000014A000-memory.dmp | healer

Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aAO02.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | aAO02.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aAO02.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aAO02.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aAO02.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aAO02.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/files/0x0007000000023c94-26.dat | family_redline
  behavioral1/memory/3432-28-0x0000000000B40000-0x0000000000B72000-memory.dmp | family_redline

Redline family
Executes dropped EXE (4 IoCs)
Processes:
  pid | Process
  384 | dLs28.exe
  5096 | duE80.exe
  5092 | aAO02.exe
  3432 | bhL62.exe
Windows security modification
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | aAO02.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | duE80.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dLs28.exe
Note: RunOnce values named wextract_cleanupN that invoke advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are the self-cleanup entries written by the Windows wextract (IExpress) self-extractor; they delete the extraction directory at next logon rather than launch the payload, so the three nested IXP00N.TMP directories indicate three nested self-extracting packages.
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dLs28.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | duE80.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bhL62.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | Process
  5092 | aAO02.exe
  5092 | aAO02.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 5092 | aAO02.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 1728 wrote to memory of 384 | 1728 | 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe | 83
  PID 1728 wrote to memory of 384 | 1728 | 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe | 83
  PID 1728 wrote to memory of 384 | 1728 | 2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe | 83
  PID 384 wrote to memory of 5096 | 384 | dLs28.exe | 84
  PID 384 wrote to memory of 5096 | 384 | dLs28.exe | 84
  PID 384 wrote to memory of 5096 | 384 | dLs28.exe | 84
  PID 5096 wrote to memory of 5092 | 5096 | duE80.exe | 85
  PID 5096 wrote to memory of 5092 | 5096 | duE80.exe | 85
  PID 5096 wrote to memory of 3432 | 5096 | duE80.exe | 94
  PID 5096 wrote to memory of 3432 | 5096 | duE80.exe | 94
  PID 5096 wrote to memory of 3432 | 5096 | duE80.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b73b0a815ac7f639cf97d717a7cf47615e127f901b1afb306a0fe17d75cfbfa.exe"
  PID: 1728
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dLs28.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dLs28.exe
    PID: 384
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\duE80.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\duE80.exe
      PID: 5096
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aAO02.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aAO02.exe
        PID: 5092
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bhL62.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bhL62.exe
        PID: 3432
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads
  - Filesize: 538KB
  - Filesize: 202KB
  - Filesize: 11KB
  - Filesize: 175KB