Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:38
Static task
static1
Behavioral task
behavioral1
Sample
edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe
Resource
win10v2004-20241007-en
General
-
Target
edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe
-
Size
479KB
-
MD5
6bae01de1a58a8af27a31fce7a6dd75c
-
SHA1
9ce431aee55ae29f9825e69883c2235cffc0cbc4
-
SHA256
edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe
-
SHA512
18293a44a7b398bd26803f057793ad9c5c603fe0ccc3e8ea90d92daf3d9cb3131fc5b89edf84a8da3960bc4cd1566943b93bed14314c99460752072c2838f2ca
-
SSDEEP
12288:hMrYy90rLM2IhVIvb77QBwu4VYWPbdhI/XYKp:xy3phMX7QBwu4VdPbcXYK
Malware Config
Extracted
redline
dona
217.196.96.101:4132
-
auth_value
9fbb198992bbc83a84ab1f21384813e3
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
Processes:
resource yara_rule behavioral1/memory/2456-15-0x0000000002090000-0x00000000020AA000-memory.dmp healer behavioral1/memory/2456-18-0x0000000002420000-0x0000000002438000-memory.dmp healer behavioral1/memory/2456-20-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-46-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-45-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-42-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-40-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-38-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-36-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-34-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-32-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-30-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-28-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-26-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-24-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-22-0x0000000002420000-0x0000000002432000-memory.dmp healer behavioral1/memory/2456-19-0x0000000002420000-0x0000000002432000-memory.dmp healer -
Healer family
-
Processes:
k4530104.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k4530104.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k4530104.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k4530104.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k4530104.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k4530104.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k4530104.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000a000000023b74-54.dat family_redline behavioral1/memory/1340-56-0x0000000000A00000-0x0000000000A30000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
y1565214.exek4530104.exel9419649.exepid Process 4272 y1565214.exe 2456 k4530104.exe 1340 l9419649.exe -
Processes:
k4530104.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k4530104.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k4530104.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
y1565214.exeedb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y1565214.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exey1565214.exek4530104.exel9419649.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y1565214.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k4530104.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language l9419649.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
k4530104.exepid Process 2456 k4530104.exe 2456 k4530104.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
k4530104.exedescription pid Process Token: SeDebugPrivilege 2456 k4530104.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exey1565214.exedescription pid Process procid_target PID 2532 wrote to memory of 4272 2532 edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe 84 PID 2532 wrote to memory of 4272 2532 edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe 84 PID 2532 wrote to memory of 4272 2532 edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe 84 PID 4272 wrote to memory of 2456 4272 y1565214.exe 85 PID 4272 wrote to memory of 2456 4272 y1565214.exe 85 PID 4272 wrote to memory of 2456 4272 y1565214.exe 85 PID 4272 wrote to memory of 1340 4272 y1565214.exe 96 PID 4272 wrote to memory of 1340 4272 y1565214.exe 96 PID 4272 wrote to memory of 1340 4272 y1565214.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe"C:\Users\Admin\AppData\Local\Temp\edb2f3de75052ffdac9578ebaeaca66f2e7537f3fc5642b73e658b0feb7217fe.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1565214.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4530104.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9419649.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD550cb385da0c18228d0c437fab967becf
SHA1efae796b3bec758ecc5f8b36b7c03bd87e559795
SHA256587f1589df6ea6534147bb137d104c99916e4aafd15c1554267caea0c13de883
SHA51204f2d7110d4e3e58454b011fc15f2b971c9b579bfb45470985559624b92b494ebcbb1d4edba90f3cc097819179f0eff778f150df08dc87eea9d038a731178487
-
Filesize
179KB
MD51eefdeedee9de5a3ffedcd7560a3ce99
SHA195dd831c5b68be97e7cf238d4f4a8f39c6a308ce
SHA256cfcc2ae431e01771e1d059539bc9f728c83f4ff690cbaf370eca8b2f33de9bfc
SHA512842a915fc062d70d633ddba7c7ac979219325b36591e5ebb9c40085fe84a6174534a17681227ccae5204aad0f09979cd2b587c803540c6865c046c3f1b0648c1
-
Filesize
168KB
MD5a7fa568c08bd0c204c9a5f320b5d77cb
SHA1de5d04b3eb09756f4f9da45a4e019cc819661a6a
SHA256eef7b28de4261dc2ba85c8f516969603df7d494c42ccc8e870e9742b43fcba4a
SHA512be86d5ca256c931ab771794fa5a67739ba18a0745266e00e4e72cef381e6bc6f98965d712dacdbf10a590bb4ec16343a4f131214e47a14b4b4a1e117783fab65