Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:24
Static task
static1
Behavioral task
behavioral1
Sample
9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe
Resource
win10v2004-20241007-en
General
-
Target
9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe
-
Size
923KB
-
MD5
912ff31a81917c391b81a66b3c6661a2
-
SHA1
2ff9a6462dd760bec9b7ec60457e14763e159b0a
-
SHA256
9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb
-
SHA512
efb2a2027f73110cec70b22cd5564a651be28d3c497bff69d196fc90741ab64f08b04aa4c7b52c203804b980e4c9cbfa914d0fb64d69a6d8f3de7169e2d90f27
-
SSDEEP
24576:ly8DKXC/B3PFFH6voxsqwMW8DJNY+x6qHeUOXWTld:AeIIB3PFFH4ZYNNY+ESe7Ol
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it261705.exe healer behavioral1/memory/1592-22-0x0000000000310000-0x000000000031A000-memory.dmp healer -
Healer family
-
Processes:
it261705.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it261705.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it261705.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it261705.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it261705.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it261705.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it261705.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource yara_rule behavioral1/memory/1292-29-0x0000000002630000-0x000000000266C000-memory.dmp family_redline behavioral1/memory/1292-31-0x0000000005540000-0x000000000557A000-memory.dmp family_redline behavioral1/memory/1292-93-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-96-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-91-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-89-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-87-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-85-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-83-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-81-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-79-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-77-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-75-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-73-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-69-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-67-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-65-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-63-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-61-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-59-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-57-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-53-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-51-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-50-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-47-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-45-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-43-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-41-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-39-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-71-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-55-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-37-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-35-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-33-0x0000000005540000-0x0000000005575000-memory.dmp family_redline behavioral1/memory/1292-32-0x0000000005540000-0x0000000005575000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
Processes:
ziSS1579.exeziJI6538.exeit261705.exejr603786.exepid process 3620 ziSS1579.exe 4868 ziJI6538.exe 1592 it261705.exe 1292 jr603786.exe -
Processes:
it261705.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it261705.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exeziSS1579.exeziJI6538.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziSS1579.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ziJI6538.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exeziSS1579.exeziJI6538.exejr603786.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziSS1579.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziJI6538.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jr603786.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
it261705.exepid process 1592 it261705.exe 1592 it261705.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
it261705.exejr603786.exedescription pid process Token: SeDebugPrivilege 1592 it261705.exe Token: SeDebugPrivilege 1292 jr603786.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exeziSS1579.exeziJI6538.exedescription pid process target process PID 1852 wrote to memory of 3620 1852 9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe ziSS1579.exe PID 1852 wrote to memory of 3620 1852 9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe ziSS1579.exe PID 1852 wrote to memory of 3620 1852 9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe ziSS1579.exe PID 3620 wrote to memory of 4868 3620 ziSS1579.exe ziJI6538.exe PID 3620 wrote to memory of 4868 3620 ziSS1579.exe ziJI6538.exe PID 3620 wrote to memory of 4868 3620 ziSS1579.exe ziJI6538.exe PID 4868 wrote to memory of 1592 4868 ziJI6538.exe it261705.exe PID 4868 wrote to memory of 1592 4868 ziJI6538.exe it261705.exe PID 4868 wrote to memory of 1292 4868 ziJI6538.exe jr603786.exe PID 4868 wrote to memory of 1292 4868 ziJI6538.exe jr603786.exe PID 4868 wrote to memory of 1292 4868 ziJI6538.exe jr603786.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe"C:\Users\Admin\AppData\Local\Temp\9923db0c82f007cd6eecd3f310bd98e11d6ba8ad727e498d08ecf5105734abbb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSS1579.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSS1579.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJI6538.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziJI6538.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it261705.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it261705.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr603786.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr603786.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
617KB
MD5de84eabc10d97d56dfd7be56a1646b8c
SHA1c6bbe4d433558538b41bc857abf97419787d5536
SHA2561fba775efce673e4991940b00ff8b1d64084bb21809a2c47f8598fee775c0082
SHA512641368ee3708187215bcc1d686c3a9510373b1665ab090e2d1cd3fa53d9586c695cf1214ad3bd5636514926824b31b6c9d6110e6cb8bbb49f858c0b0010b6d11
-
Filesize
462KB
MD5685a19dad41fb7eddc0d2b693a16d18d
SHA1890d41e073599d3dbb804e905489eff1c8acde70
SHA2567bb6de5e390ca14f6b3c0e105d1345aa6685d9764de6ed10a97e783e8c1cb4cd
SHA5123ae38a5954d4253b3e65a09039c5758a3427d5fcc397a27b6b46fa40285e93d6a35d4aa5f5b54c796d341d426a0eec67df90ca411a9f4be58d80aa1ecd7ac8f2
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
474KB
MD5e4cba5300f5d9730d96f50f02aa73ef8
SHA1aab7fd0b3b635b941184e3903cfd2fb63274369d
SHA256d7b2263f02f8f63db68e884e6011b840ca891c484bafa89d52daac7fa6f20aba
SHA512eb92bdb0ed35d4b0e4fa0a1448bb3d03a75701c5a08b01881725af3eb0ebecb1e691e0487c1335a8aaaf752b20aeb80ee338d77332d7013a7bae283fb50eec32