Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:34
Static task: static1
Behavioral task: behavioral1
Sample: 0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe
Resource: win10v2004-20241007-en
General
Target: 0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe
Size: 491KB
MD5: d26298260a1d1d2a3ba85a19517f09b2
SHA1: 30370bcd42231a8d9044891787133220c22a344b
SHA256: 0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5
SHA512: f7ff68d68d1dad4067b9276908b2662c8a05e39004a497b445b782614da3b5176e8cec2c6569d4d4561a03a8df88bafd494668c1c4180f9bbb765360c47c79a4
SSDEEP: 12288:OMrQy90w6xlf9u0baO8SJzHvJJnSQ8G4ALL2xCf3GWFM:ayA6OHzHvJJSQ8LALL2xCf3GWFM
Malware Config
Extracted
Family: redline
Botnet: lade
C2: 217.196.96.101:4132
auth_value: 6e597bb53b7858f1eaca3f569cb16e1e
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: o4123143.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
Yara rule family_redline matched:
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7453851.exe
- behavioral1/memory/4024-56-0x0000000000030000-0x000000000005E000-memory.dmp
Redline family

Executes dropped EXE 3 IoCs
Processes:
- PID 3220 z6627754.exe
- PID 3764 o4123143.exe
- PID 4024 r7453851.exe
Windows security modification
Processes: o4123143.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe, z6627754.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (z6627754.exe)
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 2352 sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (z6627754.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (o4123143.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (r7453851.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 3764 o4123143.exe
- PID 3764 o4123143.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 3764 o4123143.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe, z6627754.exe
- PID 2992 (0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe) wrote to memory of PID 3220 (z6627754.exe), 3 events
- PID 3220 (z6627754.exe) wrote to memory of PID 3764 (o4123143.exe), 3 events
- PID 3220 (z6627754.exe) wrote to memory of PID 4024 (r7453851.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe (PID 2992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ad3fec3c07ad88a58d8a186cc5277a274f103cd0cf26589b6bac201ed4f22e5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6627754.exe (PID 3220)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6627754.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4123143.exe (PID 3764)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4123143.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7453851.exe (PID 4024)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7453851.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\sc.exe (PID 2352)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads