Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 03:39
Static task
static1
Behavioral task
behavioral1
Sample
0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe
Resource
win10v2004-20241007-en
General
-
Target
0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe
-
Size
560KB
-
MD5
eaef0f69e2d4fa67609e172dd943f38b
-
SHA1
62444b0bd653053ef0f982de5b37426158d6b9fa
-
SHA256
0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2
-
SHA512
689f36c8445f14dcef18bf0e0ef153efa6f41ca0896f784cb408b13a71598ff9f08b9fd924d98d641991086d60248932baccf16c98eef5d2673a3e8e30016c1c
-
SSDEEP
12288:3y90DzzUbo005lnca/+b72SkGO6A3h3R09SIFTo91fcEW:3ymaoZlca/+PrNOR3R07Fs96V
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c89-12.dat healer behavioral1/memory/2984-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it314276.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it314276.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it314276.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it314276.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it314276.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it314276.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/3976-22-0x00000000049E0000-0x0000000004A1C000-memory.dmp family_redline behavioral1/memory/3976-24-0x0000000004A60000-0x0000000004A9A000-memory.dmp family_redline behavioral1/memory/3976-30-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-40-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-88-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-86-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-84-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-82-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-80-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-78-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-74-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-72-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-70-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-68-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-66-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-64-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-62-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-58-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-56-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-54-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-52-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-50-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-48-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-46-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-42-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-38-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-36-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-34-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-32-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-76-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-60-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-44-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-28-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-26-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline behavioral1/memory/3976-25-0x0000000004A60000-0x0000000004A95000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3184 ziXR6456.exe 2984 it314276.exe 3976 kp274771.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it314276.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziXR6456.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziXR6456.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kp274771.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2984 it314276.exe 2984 it314276.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2984 it314276.exe Token: SeDebugPrivilege 3976 kp274771.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2460 wrote to memory of 3184 2460 0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe 83 PID 2460 wrote to memory of 3184 2460 0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe 83 PID 2460 wrote to memory of 3184 2460 0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe 83 PID 3184 wrote to memory of 2984 3184 ziXR6456.exe 85 PID 3184 wrote to memory of 2984 3184 ziXR6456.exe 85 PID 3184 wrote to memory of 3976 3184 ziXR6456.exe 93 PID 3184 wrote to memory of 3976 3184 ziXR6456.exe 93 PID 3184 wrote to memory of 3976 3184 ziXR6456.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe"C:\Users\Admin\AppData\Local\Temp\0d3ce779106e8d9412c7ad78f30bae0a4c0a2163c175e67ccea8140be6f488e2.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXR6456.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXR6456.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it314276.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it314276.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp274771.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp274771.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
406KB
MD52804654a25ef4411c816bd50a90dc243
SHA193b0d20ad68c7ec3fe7f835de933541ea357ecef
SHA2561ae4761d21691314351d89196e14e22c8390850766dfe208657faae3a4403996
SHA51255f9db1536424bfde30f05e2d61e86060ae7e03f1fa8d2cecf0d8b80718812efb3600d216a5cac8a046b5d22710eb49acbc3482172a8d0b845f09b80c5732f63
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
352KB
MD572226f1207f85fa28226ae6f1b02be68
SHA128aa88f313ea5f1d39d9b55ee43e50a6f1138324
SHA256c1d884265ba0a4fc82b90a59d114e6a4042f972e4c4b1198192118d2e3b62f4f
SHA5126b0a0bf857ed5832c694518de03c93eb0533fa46b9a003f6d0646618ed773027bdbfa4e1b1a65449d3a4941254eaf040f026fa844348f36236ea878638b7d2c8