Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:37
Static task: static1
Behavioral task: behavioral1
Sample: 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe
Resource: win10v2004-20241007-en
General
Target: 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe
Size: 480KB
MD5: 0a692d4581365ccded67dfc64fe26d91
SHA1: 8862bc3af1da40110eb628e0e3f935cfa615dc8a
SHA256: 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5
SHA512: b11bb1e468f8a762e70d3d238e604b28cc88b70c4d2da09546cb51fc3b4df0c15ea3addd3cbc76af92b91ec701197a8ae29978d714a56657e3f0e1c117ac46fd
SSDEEP: 12288:8Mrvy90HpnFEENQZuTmGruaCcer/qYFPANF2Qnaj:byMuZuMUeWYu8o8
Malware Config
Extracted
Family: redline
Botnet: mihan
C2: 217.196.96.101:4132
auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource                                                                yara_rule
behavioral1/memory/2728-15-0x00000000023F0000-0x000000000240A000-memory.dmp  healer
behavioral1/memory/2728-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp  healer
behavioral1/memory/2728-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-48-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
behavioral1/memory/2728-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: a8949411.exe
description      ioc                                                                                                                                   process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                       a8949411.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"       a8949411.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"           a8949411.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"       a8949411.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"       a8949411.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"     a8949411.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
resource                                                              yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe             family_redline
behavioral1/memory/2036-56-0x0000000000B70000-0x0000000000BA0000-memory.dmp  family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes: v3836213.exe, a8949411.exe, b7600297.exe
pid   process
3716  v3836213.exe
2728  a8949411.exe
2036  b7600297.exe

Windows security modification
Processes: a8949411.exe
description      ioc                                                                                       process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                a8949411.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a8949411.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe, v3836213.exe
description      ioc                                                                                                                                                                                process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v3836213.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: v3836213.exe, a8949411.exe, b7600297.exe, 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe
description  ioc                                                        process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v3836213.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a8949411.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b7600297.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: a8949411.exe
pid   process
2728  a8949411.exe
2728  a8949411.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: a8949411.exe
description              pid   process
Token: SeDebugPrivilege  2728  a8949411.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe, v3836213.exe
description                       pid   process                                                                target process
PID 4236 wrote to memory of 3716  4236  74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe  v3836213.exe
PID 4236 wrote to memory of 3716  4236  74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe  v3836213.exe
PID 4236 wrote to memory of 3716  4236  74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe  v3836213.exe
PID 3716 wrote to memory of 2728  3716  v3836213.exe                                                           a8949411.exe
PID 3716 wrote to memory of 2728  3716  v3836213.exe                                                           a8949411.exe
PID 3716 wrote to memory of 2728  3716  v3836213.exe                                                           a8949411.exe
PID 3716 wrote to memory of 2036  3716  v3836213.exe                                                           b7600297.exe
PID 3716 wrote to memory of 2036  3716  v3836213.exe                                                           b7600297.exe
PID 3716 wrote to memory of 2036  3716  v3836213.exe                                                           b7600297.exe
Processes
C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe (PID 4236, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74bb323d4706c651e15ff471bd498849150c0b0d255e7590cba3021e267ec6c5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe (PID 3716, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3836213.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe (PID 2728, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8949411.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe (PID 2036, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7600297.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 309KB
MD5: 3ea9e092549bc55c729a39b7a88d97e0
SHA1: daee7689438bbdbe5404d979f6fae2fecce41959
SHA256: c99f5a2e621361ff3b67e9ba29e7706fca1f9d3d29569bd0e4a699273bf17efd
SHA512: c682d37336196e71b730865e4225bcef218edb32aaca4e50add2aa8f13095991da5ff7a06806241cea41c170b5877d0d4daa12383ac5b571fbbb2b6da3981e20

Filesize: 179KB
MD5: deb2c3a482574cedcc41b776d2b957b6
SHA1: f4f0b36a3672b04653bf2c8ada2a5f8a3e00daca
SHA256: e9b7baf529e1edb5b690e620b79fe24656b9cb6a8a0f9e20d01d474670747dd4
SHA512: e5219bc64bb2c51d1dc3f05224329579c92bdecb5057c8ab7afcb5d4974d9012d8e83e9e8d5ba6729b16f497e81248b6423adb0c0867a0f26379503872976d05

Filesize: 168KB
MD5: ef8e3cf6fabb7197c369733f7f221721
SHA1: 09d143935b7b87f49245ce8cb64c1c6de6aaf2a7
SHA256: f9fc79626e70d247c7569b6021dbd49aca810118f36180ce81672a8bfa37d567
SHA512: 3617314081872b45aa1181cfb6fd411d67a7389138a1df385df8327d46b2a5076d84f5e75f087f3a2d33c5c0692648ae92f19b035bfb01079f972f679186da2b