Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:29

Static task: static1
Behavioral task: behavioral1
Sample: 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe
Resource: win10v2004-20241007-en
General
Target: 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe
Size: 479KB
MD5: e42d310cd19add899caeb5549633154c
SHA1: b52f2f0e9ef3a00203fe5ef1565400a55b8e3479
SHA256: 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03
SHA512: d4dcda8f3914fbce2f8e195d754f829c075b6aae161d2eb0bd2372c81bb1c5fb9cdf1f32a2a85cd64eeb388a2872acd04544b78edc5f4af3ced531bd8cf20159
SSDEEP: 12288:TMrHy90N025xTxnPo79smsF8cqR7Ms62SRPOSp3NU:Eygb5xTh0EZqR7FS/pa
Malware Config
Extracted
redline
maxud
217.196.96.101:4132
auth_value: f1403d964c52b6641ba1ef14803e6e74
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4452-15-0x0000000004A00000-0x0000000004A1A000-memory.dmp | healer
behavioral1/memory/4452-19-0x0000000004AC0000-0x0000000004AD8000-memory.dmp | healer
behavioral1/memory/4452-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer
behavioral1/memory/4452-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5613326.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5613326.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5613326.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5613326.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a5613326.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5613326.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe | family_redline
behavioral1/memory/2056-55-0x0000000000D50000-0x0000000000D7E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
Processes:
pid | process
2212 | v4792067.exe
4452 | a5613326.exe
2056 | b1400473.exe

Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a5613326.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5613326.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v4792067.exe

Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
2996 | sc.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4792067.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5613326.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1400473.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4452 | a5613326.exe
4452 | a5613326.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4452 | a5613326.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4788 wrote to memory of 2212 | 4788 | 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe | v4792067.exe
PID 4788 wrote to memory of 2212 | 4788 | 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe | v4792067.exe
PID 4788 wrote to memory of 2212 | 4788 | 32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe | v4792067.exe
PID 2212 wrote to memory of 4452 | 2212 | v4792067.exe | a5613326.exe
PID 2212 wrote to memory of 4452 | 2212 | v4792067.exe | a5613326.exe
PID 2212 wrote to memory of 4452 | 2212 | v4792067.exe | a5613326.exe
PID 2212 wrote to memory of 2056 | 2212 | v4792067.exe | b1400473.exe
PID 2212 wrote to memory of 2056 | 2212 | v4792067.exe | b1400473.exe
PID 2212 wrote to memory of 2056 | 2212 | v4792067.exe | b1400473.exe
Processes

C:\Users\Admin\AppData\Local\Temp\32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4788

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4792067.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2212

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5613326.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4452

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1400473.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2056

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 2996
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads