Analysis

max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:43

Static task: static1
Behavioral task: behavioral1
Sample: 24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe
Resource: win10v2004-20241007-en
General

Target: 24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe
Size: 681KB
MD5: 4257cebb55870fbc9332f502b55c1f34
SHA1: e1571ceea85c50f60883c3a3925d233b2296387f
SHA256: 24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58
SHA512: 482d7179cb77dd64625898afdb64144e839879c4a1b23345fd5e1cc92f6dcd246ad15aa1e8900cbed058905f0f79791fe4dee1e484c43b3d5dd94a10805a9a44
SSDEEP: 12288:hMrNy90gmWGA46Rlfb4kel0kgBTPxA1cq/8zkgoywr6ukpy:0ybmF6RZ0Jl0ZTPS1F/8zkgoywr65py
Malware Config

Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 hits are memory dumps of PID 1188 (pro6781.exe).
Processes:
resource  yara_rule
behavioral1/memory/1188-18-0x0000000004760000-0x000000000477A000-memory.dmp  healer
behavioral1/memory/1188-20-0x0000000007110000-0x0000000007128000-memory.dmp  healer
behavioral1/memory/1188-26-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-24-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-48-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-46-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-44-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-42-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-40-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-38-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-36-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-34-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-33-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-31-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-28-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-22-0x0000000007110000-0x0000000007122000-memory.dmp  healer
behavioral1/memory/1188-21-0x0000000007110000-0x0000000007122000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro6781.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro6781.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro6781.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro6781.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro6781.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro6781.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
All 20 hits are memory dumps of PID 412 (qu0810.exe).
Processes:
resource  yara_rule
behavioral1/memory/412-60-0x0000000002EB0000-0x0000000002EF6000-memory.dmp  family_redline
behavioral1/memory/412-61-0x0000000004D10000-0x0000000004D54000-memory.dmp  family_redline
behavioral1/memory/412-65-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-75-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-95-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-93-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-91-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-89-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-87-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-85-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-81-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-79-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-78-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-73-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-71-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-69-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-67-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-83-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-63-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline
behavioral1/memory/412-62-0x0000000004D10000-0x0000000004D4E000-memory.dmp  family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes:
pid  process
4016  un996621.exe
1188  pro6781.exe
412  qu0810.exe
Windows security modification
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro6781.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro6781.exe
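As an added example (not code from the report or from the sandbox), the following Python parses the registry "Set value" lines that the Defender signatures above print and reports which protections pro6781.exe switched off. The regex, the value-name-to-effect mapping and the RunOnce control line are my own; the six Defender lines are copied from the report.

```python
"""Flag Windows Defender kill switches in sandbox registry events.

Added example, not part of the sandbox report. EVENTS holds the six
"Set value" lines printed under the two Defender signatures plus one
constructed control line; the mapping of value name to what it switches
off is my annotation, not something the report states.
"""
import re
from collections import defaultdict

EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6781.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6781.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6781.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6781.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6781.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6781.exe',
    # Constructed control line: a RunOnce write by another process must not fire.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe advpack.dll,DelNodeRunDLL32" un996621.exe',
]

# One report line: Set value (<type>) <key>\<name> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<fullpath>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

# (key suffix, value name, data that switches the protection off) -> effect
DEFENDER_KILL_SWITCHES = {
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", "1"): "real-time protection",
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", "1"): "behavior monitoring",
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableIOAVProtection", "1"): "scanning of downloaded files and attachments",
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableOnAccessProtection", "1"): "on-access scanning",
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableScanOnRealtimeEnable", "1"): "catch-up scan when real-time protection is re-enabled",
    (r"Microsoft\Windows Defender\Features", "TamperProtection", "0"): "Tamper Protection (0 = off)",
}


def parse_set_value(line):
    """Split one report line into key, value name, type, data and writing process."""
    m = SET_VALUE_RE.match(line)
    if m is None:
        return None
    key, name = m["fullpath"].rsplit("\\", 1)
    # The sandbox shows the 32-bit (WOW6432Node) view of the key; strip it so the
    # same rule also matches a native 64-bit write of the same value.
    key = key.replace(r"\WOW6432Node", "")
    return {"key": key, "name": name, "type": m["type"], "data": m["data"], "proc": m["proc"]}


def defender_findings(lines):
    """Return (process, value name, effect) for every write that disables Defender."""
    findings = []
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            continue
        for (suffix, name, off), effect in DEFENDER_KILL_SWITCHES.items():
            if ev["name"] == name and ev["data"] == off and ev["key"].endswith(suffix):
                findings.append((ev["proc"], name, effect))
    return findings


def verdict(lines):
    """Group findings by process. A process that hits the policy values and also
    zeroes TamperProtection has turned Defender off rather than tuned it."""
    by_proc = defaultdict(list)
    for proc, name, _ in defender_findings(lines):
        by_proc[proc].append(name)
    return {
        proc: {"disabled": sorted(names), "tamper_protection_off": "TamperProtection" in names}
        for proc, names in by_proc.items()
    }


if __name__ == "__main__":
    for proc, info in verdict(EVENTS).items():
        print(proc, info)
```

On a live host the same values can be read with Get-ItemProperty on HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and HKLM:\SOFTWARE\Microsoft\Windows Defender\Features; a Disable* value of 1 that was not set by Group Policy, or TamperProtection at 0, is the thing to chase.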
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un996621.exe
The wextract_cleanupN values are written by the WEXTRACT (IExpress) self-extractor: at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP00N.TMP directory the package unpacked into. They show that the sample and un996621.exe are two nested self-extracting packages (IXP000.TMP and IXP001.TMP); the entries delete a directory rather than launch a payload, so by themselves they do not give the chain persistence.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All four processes in the chain open this key. Reading NLS\Language is also part of ordinary locale initialisation, so the hit is a weak indicator on its own.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro6781.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu0810.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un996621.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid  process
1188  pro6781.exe
1188  pro6781.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description  pid  process
Token: SeDebugPrivilege  1188  pro6781.exe
Token: SeDebugPrivilege  412  qu0810.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description  pid  process  target process
PID 540 wrote to memory of 4016  540  24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe  un996621.exe
PID 540 wrote to memory of 4016  540  24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe  un996621.exe
PID 540 wrote to memory of 4016  540  24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe  un996621.exe
PID 4016 wrote to memory of 1188  4016  un996621.exe  pro6781.exe
PID 4016 wrote to memory of 1188  4016  un996621.exe  pro6781.exe
PID 4016 wrote to memory of 1188  4016  un996621.exe  pro6781.exe
PID 4016 wrote to memory of 412  4016  un996621.exe  qu0810.exe
PID 4016 wrote to memory of 412  4016  un996621.exe  qu0810.exe
PID 4016 wrote to memory of 412  4016  un996621.exe  qu0810.exe
Every write goes from a parent into a process it had just started (540 into 4016; 4016 into 1188 and 412), three writes per child, and no process wrote into one it did not start. This matches ordinary process creation rather than a write into an unrelated process.
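As an added example (not code from the report), the following Python turns the nine "wrote to memory" lines above into the parent/child tree and flags any pid that has more than one writer, which is the shape a cross-process write into an unrelated process would take. The regex and the helper names are my own; the event lines are the report's.

```python
"""Rebuild the process tree from the report's WriteProcessMemory lines.

Added example, not part of the sandbox report. EVENTS reproduces the nine
"wrote to memory" lines printed above (three identical lines per child);
the tree it yields can be checked against the report's Processes section.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe"
EVENTS = (
    [f"PID 540 wrote to memory of 4016 540 {SAMPLE} un996621.exe"] * 3
    + ["PID 4016 wrote to memory of 1188 4016 un996621.exe pro6781.exe"] * 3
    + ["PID 4016 wrote to memory of 412 4016 un996621.exe qu0810.exe"] * 3
)

# One report line: PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<src2>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_writes(lines):
    """Count writes per (src pid, src image, dst pid, dst image) edge."""
    counts = Counter()
    for line in lines:
        m = WRITE_RE.match(line)
        if m is None:
            continue
        if m["src"] != m["src2"]:
            raise ValueError(f"source pid repeated inconsistently: {line}")
        counts[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return counts


def build_tree(counts):
    """Return (children, images, roots): children maps a pid to the pids it
    wrote into, images maps pid to image name, roots are pids nobody wrote to."""
    children = defaultdict(list)
    images = {}
    targets = set()
    for src, src_img, dst, dst_img in sorted(counts):
        children[src].append(dst)
        images[src] = src_img
        images[dst] = dst_img
        targets.add(dst)
    roots = [pid for pid in images if pid not in targets]
    return children, images, roots


def multi_writer_pids(counts):
    """Pids written to by more than one process. For this report the result is
    empty: each pid has exactly one writer, its parent in the Processes section.
    A second writer (say pro6781.exe writing into qu0810.exe) would be the
    cross-process write worth treating as injection."""
    writers = defaultdict(set)
    for src, _, dst, _ in counts:
        writers[dst].add(src)
    return {pid: srcs for pid, srcs in writers.items() if len(srcs) > 1}


def render(children, images, pids, depth=0):
    """Indented one-line-per-process view of the tree, parents before children."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{images[pid]} (PID {pid})")
        lines.extend(render(children, images, children.get(pid, []), depth + 1))
    return lines


if __name__ == "__main__":
    counts = parse_writes(EVENTS)
    children, images, roots = build_tree(counts)
    print("\n".join(render(children, images, roots)))
    print("writes per edge:", dict(counts))
    print("pids with several writers:", multi_writer_pids(counts))
```

The same edge counting works on any sandbox that prints one line per WriteProcessMemory call; the interesting output is not the tree itself but a pid that turns up under multi_writer_pids, or an edge whose target is not a child of the writer.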
Processes

C:\Users\Admin\AppData\Local\Temp\24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\24e6f6bd1f307e1dbeac106138f011ab3bbbb4203294e37804fdbe07f7162d58.exe"
PID: 540
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996621.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un996621.exe
    PID: 4016
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6781.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6781.exe
        PID: 1188
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0810.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0810.exe
        PID: 412
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads

Filesize: 540KB
MD5: 983c81c2c153cdeda01923d6189c1929
SHA1: f11abc0f869b43b725c327e20ccf9098a0b38a4e
SHA256: 0d29e890638f0064505bbd0596dc9c7a90fa6c22fc6d9ed420586c0767b0f693
SHA512: dd218875606a986193c812c291aa193daee86fcbfba0f5675ac5011f83e3f4e016b588bf949568c9f6674f6fbfef0ceef380ffc13c5951d0ed1ff94e6279f367

Filesize: 322KB
MD5: 39c82ebb4be4434e27e2241cf6fd41c6
SHA1: a249d68c12b3e39a5fc1e735afaf2a7dca1311ff
SHA256: b555a94ca60eb3e45acbd21deb192bb1f22db904da9bf9cb3440613c4141abb3
SHA512: 3ed5d0e3a25e888df5f76932358f7f1ae327fa21788e7b78a2171c839fdc7f5081ce4d80e18bf844470e6e7bc5316eb9717455db7d6b3cd17de076650da44c13

Filesize: 379KB
MD5: 4f2324f016204273eb8d6be4058383f5
SHA1: e5b12203377bab5537fc8ff9556b087696f1d957
SHA256: a5773a088d1eb271d5c6a97775bca37c942d78aecb25143fda09c98a16cdfb3b
SHA512: 24bfc53019823ce114ee103299d6a0586666e5aa8d33523db43e89606192352ce25c0352dd2f658e67b6e0348c37f445172f50e6843a228dd18382bfa1a8d669