Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 01:24
Static task: static1
Behavioral task: behavioral1
Sample: b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe
Resource: win10v2004-20241007-en
General
Target: b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe
Size: 481KB
MD5: 3ee04b4615722be6eb7adf82ae8bb79a
SHA1: 18dd64f8aade617a07fd5149eb3abda4dd5a0bd5
SHA256: b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a
SHA512: a0e4af0be326a9525017569f5dbb7117b69a1970144950a1983a9495fb52242a2a246284af71150a51b628be3c8bc36836e0a66825046bbaa43f15e8f16d7be8
SSDEEP: 12288:JMr7y906pn3rx5c1u31dTvwHP2GTi6kdR:iy7p3rfXnTWBxkdR
Malware Config
Extracted
Family: redline
Botnet: mihan
C2: 217.196.96.101:4132
auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Detects Healer, an antivirus disabler dropper 17 IoCs
Processes:
resource                                                              yara_rule
behavioral1/memory/892-15-0x0000000002050000-0x000000000206A000-memory.dmp    healer
behavioral1/memory/892-19-0x0000000004F60000-0x0000000004F78000-memory.dmp    healer
behavioral1/memory/892-47-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-45-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-43-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-41-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-39-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-37-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-35-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-33-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-31-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-29-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-27-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-25-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-23-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-21-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
behavioral1/memory/892-20-0x0000000004F60000-0x0000000004F72000-memory.dmp    healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes:
description        ioc                                                                                                                                      process
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"           a8849021.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"       a8849021.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"       a8849021.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"     a8849021.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                       a8849021.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"       a8849021.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Processes:
resource                                                                    yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe                   family_redline
behavioral1/memory/2372-55-0x0000000000F60000-0x0000000000F90000-memory.dmp    family_redline
Redline family

Executes dropped EXE 3 IoCs
Processes:
pid     process
4368    v7451797.exe
892     a8849021.exe
2372    b9911750.exe

Windows security modification 2 IoCs
Processes:
description        ioc                                                                                              process
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"    a8849021.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                           a8849021.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description        ioc                                                                                                                                                                                                   process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    v7451797.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid     process
3304    sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description    ioc                                                          process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    b9911750.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    v7451797.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    a8849021.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid    process
892    a8849021.exe
892    a8849021.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    892    a8849021.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                          pid     process                                                                 target process
PID 4044 wrote to memory of 4368     4044    b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe    v7451797.exe
PID 4044 wrote to memory of 4368     4044    b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe    v7451797.exe
PID 4044 wrote to memory of 4368     4044    b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe    v7451797.exe
PID 4368 wrote to memory of 892      4368    v7451797.exe                                                            a8849021.exe
PID 4368 wrote to memory of 892      4368    v7451797.exe                                                            a8849021.exe
PID 4368 wrote to memory of 892      4368    v7451797.exe                                                            a8849021.exe
PID 4368 wrote to memory of 2372     4368    v7451797.exe                                                            b9911750.exe
PID 4368 wrote to memory of 2372     4368    v7451797.exe                                                            b9911750.exe
PID 4368 wrote to memory of 2372     4368    v7451797.exe                                                            b9911750.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b89c4f31f148f386744359d817adab3a53661404853e12c0a49745af8790e53a.exe"
    PID: 4044
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7451797.exe
        PID: 4368
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8849021.exe
            PID: 892
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9911750.exe
            PID: 2372
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe start wuauserv
    PID: 3304
    - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Tactic: Persistence
    Technique: Boot or Logon Autostart Execution (1)
        Sub-technique: Registry Run Keys / Startup Folder (1)
    Technique: Create or Modify System Process (1)
        Sub-technique: Windows Service (1)
Downloads
Filesize: 309KB
MD5: ea859e4faceefdf3c90e10c212867ec7
SHA1: 935bff41bb1145cf235ebfd35cf07650f5d0636f
SHA256: 7507f2a36610c03cfbf944669b95d4bbb025ab76bf208648c1ef1ec8a1078019
SHA512: 3200e4a17f751918109b1739402f75dc6e77cf7de1e8b395f023dacd4190d0476e78bb65317341edea8fb0851ad7de62b64cbe8cec2fa405bd344f281f073edc

Filesize: 179KB
MD5: 052885d7057f8ee4e0c5295122cdfe62
SHA1: 28dd065813fadd98d80b5e38dace6ecbeb7cb14d
SHA256: 3543a9ecd8b4b5fe1bc80fcdd5ebc7849acf120907a20beded09bb5ec52057ea
SHA512: 3221dcbd57c1f5ee30cea84fdc8320a48dc78c01b1328e93b2b6cbffa806bbcf340f1ca91797a15a25787aab406b981df9ee72c0e63d0242ab64311cf3dc2d53

Filesize: 168KB
MD5: 4f49d1f989b7903e0f86c4980ec84fa6
SHA1: 763c343620a6f3e45c7e2aad1b7cde01a7172b53
SHA256: d36136cf8d08982280d1d6909be7afa57ac2d406fba7afd9bd45ee2a97ca6794
SHA512: c5fe1e92f430fc09b8865ee63393bae12f5ec620d9eb28c06b0ea3dd6b8eeaf8ecf3349229b4e6d6b03d9814ff27755bd3e3f3b8528a42e4846111950617b7f8