Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 02:07
Static task: static1
Behavioral task: behavioral1
Sample: 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe
Resource: win10v2004-20241007-en
General
Target: 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe
Size: 682KB
MD5: fd500bb90601b400fd41b3e7d7c675e6
SHA1: d85cd8503bee7528aae8ed39f4bfda9c846d66c3
SHA256: 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a
SHA512: 51ff1b6bc12b043ce1428a1a70cd2e55ef678a87f30b8158e4b84041d512b3f28dbf3a75552b65b404c9fd879d7645615bac7c80714dc74ecb1c3994f7c3d24b
SSDEEP: 12288:zMryy90TnW7nbn6JWQPoxk3BNZzXcflkQc0xUqqKZmq6h:dy0TPoxencNLc0xUqqKgh
Malware Config
Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
Attributes
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures
Detects Healer an antivirus disabler dropper (17 IoCs)
Processes: pro9279.exe (pid 540)
resource | yara_rule
behavioral1/memory/540-17-0x0000000004720000-0x000000000473A000-memory.dmp | healer
behavioral1/memory/540-20-0x0000000004840000-0x0000000004858000-memory.dmp | healer
behavioral1/memory/540-36-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-48-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-46-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-44-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-42-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-40-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-38-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-34-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-32-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-30-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-28-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-26-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-24-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-22-0x0000000004840000-0x0000000004852000-memory.dmp | healer
behavioral1/memory/540-21-0x0000000004840000-0x0000000004852000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: pro9279.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9279.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9279.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9279.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9279.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9279.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9279.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Processes: qu5910.exe (pid 4336)
resource | yara_rule
behavioral1/memory/4336-59-0x0000000004830000-0x0000000004876000-memory.dmp | family_redline
behavioral1/memory/4336-60-0x0000000004C50000-0x0000000004C94000-memory.dmp | family_redline
behavioral1/memory/4336-86-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-94-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-92-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-90-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-88-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-84-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-82-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-80-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-78-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-76-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-74-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-72-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-70-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-68-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-66-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-64-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-62-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
behavioral1/memory/4336-61-0x0000000004C50000-0x0000000004C8E000-memory.dmp | family_redline
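The Healer and RedLine memory-match tables above list one IoC per memory dump, so the same region shows up many times as the process is re-dumped. The following parser is an added example (not part of the sandbox report or its vendor's tooling) that reads lines in the exact format printed above and collapses them to the distinct regions that matched per process and rule; the sample lines are a constructed subset copied from the two tables.

```python
import re
from collections import defaultdict

# Format of one memory-match IoC as printed in the report:
#   <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <rule>
IOC_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_ioc(line):
    """Return a dict for one memory-match line, or None if the line is not one."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "dump_index": int(m["idx"]),
        "start": start,
        "end": end,
        "size": end - start,
        "rule": m["rule"],
    }


def summarize(lines):
    """Group matches by (pid, rule) and count how often each region was hit.

    Returns {(pid, rule): {(start, end): hit_count}}, which shows how many
    distinct regions actually matched as opposed to the raw IoC count.
    """
    regions = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        regions[(ioc["pid"], ioc["rule"])][(ioc["start"], ioc["end"])] += 1
    return {key: dict(hits) for key, hits in regions.items()}


def report(lines):
    """Human-readable summary, one line per distinct region."""
    out = []
    for (pid, rule), regs in sorted(summarize(lines).items()):
        out.append(f"pid {pid} rule {rule}: {len(regs)} distinct region(s)")
        for (start, end), n in sorted(regs.items()):
            out.append(f"  0x{start:08X}-0x{end:08X} ({end - start} bytes) hit in {n} dump(s)")
    return "\n".join(out)


# Constructed sample: a subset of the healer and family_redline lines from this report.
SAMPLE = """
behavioral1/memory/540-17-0x0000000004720000-0x000000000473A000-memory.dmp healer
behavioral1/memory/540-20-0x0000000004840000-0x0000000004858000-memory.dmp healer
behavioral1/memory/540-36-0x0000000004840000-0x0000000004852000-memory.dmp healer
behavioral1/memory/540-48-0x0000000004840000-0x0000000004852000-memory.dmp healer
behavioral1/memory/540-21-0x0000000004840000-0x0000000004852000-memory.dmp healer
behavioral1/memory/4336-59-0x0000000004830000-0x0000000004876000-memory.dmp family_redline
behavioral1/memory/4336-60-0x0000000004C50000-0x0000000004C94000-memory.dmp family_redline
behavioral1/memory/4336-86-0x0000000004C50000-0x0000000004C8E000-memory.dmp family_redline
behavioral1/memory/4336-61-0x0000000004C50000-0x0000000004C8E000-memory.dmp family_redline
""".strip().splitlines()

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against the full tables, the 17 Healer IoCs reduce to three regions in pid 540 and the 20 RedLine IoCs to three regions in pid 4336; the region that was hit repeatedly (0x04840000-0x04852000 for Healer, 0x04C50000-0x04C8E000 for RedLine) is the one worth carving from the dump for further analysis.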
Redline family
Executes dropped EXE (3 IoCs)
Processes: un612474.exe, pro9279.exe, qu5910.exe
pid | process
1820 | un612474.exe
540 | pro9279.exe
4336 | qu5910.exe
Windows security modification (2 IoCs)
Processes: pro9279.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9279.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9279.exe
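The two pro9279.exe tables above (the Real-Time Protection policy values and the TamperProtection feature flag) are the registry side of the Healer behaviour. The following detection logic is an added example, not part of the sandbox report or its vendor's rules: it parses registry events written in the same "<action> <path> = "<value>" <process>" form the report uses and flags the Defender-disabling combinations. The event lines are constructed for the example; all but the last two are copied from the tables above, and the benign.exe line is hypothetical, included to show a value that must not fire.

```python
# Registry events in the form the report prints them.  Constructed sample: the
# pro9279.exe lines are copied from the signature tables; the "benign.exe" line is
# a hypothetical control case and the "Key opened" line is an action we ignore.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro9279.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro9279.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" benign.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu5910.exe
'''.strip().splitlines()

ACTIONS = ("Key created", "Set value (int)", "Set value (str)")

# Key suffixes matched case-insensitively; the substring match deliberately covers
# both the native path and the WOW6432Node view, since a 32-bit process's writes
# to HKLM\SOFTWARE are redirected there (as seen in this report).
DEFENDER_RTP = "\\policies\\microsoft\\windows defender\\real-time protection\\"
DEFENDER_FEATURES = "\\microsoft\\windows defender\\features\\"


def parse_event(line):
    """Split one report line into action, path, value (or None) and process."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            break
    else:
        return None  # e.g. "Key opened": not a modification, not parsed here
    rest, _, process = rest.rpartition(" ")  # process name is the last token
    value = None
    if ' = "' in rest:
        rest, _, raw = rest.partition(' = "')
        value = raw.rstrip('"')
    return {"action": action, "path": rest, "value": value, "process": process}


def parse_events(lines):
    return [e for e in (parse_event(l) for l in lines) if e is not None]


def defender_tamper_findings(events):
    """Return (process, description) pairs for Defender-disabling value writes."""
    findings = []
    for e in events:
        if e["action"] == "Key created":
            continue  # creating the policy key alone is not a finding
        path_l = e["path"].lower()
        name = e["path"].rsplit("\\", 1)[-1]
        if DEFENDER_RTP in path_l and name.lower().startswith("disable") and e["value"] == "1":
            findings.append((e["process"], f"Defender real-time protection: {name} = 1"))
        elif DEFENDER_FEATURES in path_l and name.lower() == "tamperprotection" and e["value"] == "0":
            findings.append((e["process"], "Defender Features\\TamperProtection = 0"))
    return findings


if __name__ == "__main__":
    for process, what in defender_tamper_findings(parse_events(SAMPLE_EVENTS)):
        print(f"{process}: {what}")
```

On the constructed input this yields six findings, all from pro9279.exe: the five Disable* policy values and the TamperProtection flag, matching the 5 + 1 value writes recorded in the two tables. On a live host the same keys are visible in Sysmon Event ID 13 (RegistryEvent, value set) telemetry, or can be read directly with PowerShell's Get-ItemProperty on both HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and its WOW6432Node counterpart.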
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe, un612474.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un612474.exe
Note: both wextract_cleanupN RunOnce values are the standard cleanup entries written by the Windows self-extractor (wextract.exe, used by IExpress packages); at next logon they call advpack.dll,DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories. They do not persist the payload, and the nested IXP directories show that the sample is a self-extracting package that contains a second one (un612474.exe).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe, un612474.exe, pro9279.exe, qu5910.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un612474.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pro9279.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu5910.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pro9279.exe
pid | process
540 | pro9279.exe
540 | pro9279.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pro9279.exe, qu5910.exe
description | pid | process
Token: SeDebugPrivilege | 540 | pro9279.exe
Token: SeDebugPrivilege | 4336 | qu5910.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe, un612474.exe
description | pid | process | procid_target
PID 4360 wrote to memory of 1820 | 4360 | 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe | 85
PID 4360 wrote to memory of 1820 | 4360 | 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe | 85
PID 4360 wrote to memory of 1820 | 4360 | 37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe | 85
PID 1820 wrote to memory of 540 | 1820 | un612474.exe | 86
PID 1820 wrote to memory of 540 | 1820 | un612474.exe | 86
PID 1820 wrote to memory of 540 | 1820 | un612474.exe | 86
PID 1820 wrote to memory of 4336 | 1820 | un612474.exe | 92
PID 1820 wrote to memory of 4336 | 1820 | un612474.exe | 92
PID 1820 wrote to memory of 4336 | 1820 | un612474.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\37099751cb202021000b4f1d9dd24f9795a231d67a136937a0f21f660073ee9a.exe"
   PID: 4360
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un612474.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un612474.exe
      PID: 1820
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9279.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9279.exe
         PID: 540
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5910.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5910.exe
         PID: 4336
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize: 540KB
MD5: 4019d08a9bedfa0fc487ce7d521cff49
SHA1: 820b85284d4472f44fc2a52bdeba530747d1658f
SHA256: 8f660dffe1577f7799cb1a5e52851ee34c080b91b505f9608ce24076261875e1
SHA512: 93be96363a5d4c4d7247ba61d2a86fc863de8cfc37e6b61a8639da971e366f297a6e65ed7196e9bed76aa55b3ddc4de2a3994196e9e63c716d9b9fb9245b5647
-
Filesize: 322KB
MD5: 74bdfe0122df7393815af107f505322d
SHA1: 7d45bbdc98e3aab6078435ae65d0c0afa6c8afdb
SHA256: 073e7a0527c2bb9f5c2ef864615a057963f91f19af73a0561e524ce766ea2be8
SHA512: 92401036f7d6df09886d2bc5adec5ff417107b4f3c8d23405c25b96b38ffffa85ecb5427eda2ddaa76c69c0f747ff1f8b986a806105bcb8215c3a33ea57de61d
-
Filesize: 379KB
MD5: 8236d8e193d98e9eaf24799e12c7c5c2
SHA1: 4dc9aab2620f11e2923cb6cc79eeaed5321604aa
SHA256: 59317e06385d8b588ec7b5d12d395a483c1a7fce35f4a0eb9a4a940e417b940f
SHA512: 57bc6bd943d69f75e4410cbf9cb339d8fde4d09972b550db5dfd4a45122cf38505066891af29f260f9f836aa6bf22b163d247306623964937cc13d093339e6f3