Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:42

Static task: static1
Behavioral task: behavioral1
  Sample: bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe
  Resource: win10v2004-20241007-en
General
Target: bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe
Size: 480KB
MD5: 94459edd58c89c4f25b238e2a83778be
SHA1: e9588c9ac7d05a6f2f52cf54b46ae54a15efade9
SHA256: bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38
SHA512: c0f8b0d6df532a9ab74db9cdf6b11d7e72712d7a92df2235aa9d625ecb1dac5cb593913f4d5e3d51da08e699ef017fc6f34f448d8738597878a6a3206f5cee54
SSDEEP: 6144:Koy+bnr+Np0yN90QEty6zXzyvQP9synWeIGsfhSmkRSY0f/Zro96sLcht8pMUOs5:QMr1y90bRbzyDeIGsw3RZSFg5wwBX5
Malware Config
Extracted
  Family: redline
  Botnet: mofun
  C2: 217.196.96.101:4132
  auth_value: da5d4987d25c2de43d34fcc99b29fff3
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
  resource / yara_rule
  behavioral1/memory/2560-15-0x0000000002110000-0x000000000212A000-memory.dmp  healer
  behavioral1/memory/2560-18-0x00000000049A0000-0x00000000049B8000-memory.dmp  healer
  behavioral1/memory/2560-48-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-46-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-44-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-42-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-40-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-38-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-36-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-34-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-32-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-30-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-28-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-26-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-24-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-22-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer
  behavioral1/memory/2560-21-0x00000000049A0000-0x00000000049B2000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings
  description / ioc / process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a7905071.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a7905071.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a7905071.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a7905071.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a7905071.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a7905071.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource / yara_rule
  behavioral1/files/0x0007000000023c97-54.dat  family_redline
  behavioral1/memory/540-56-0x0000000000CD0000-0x0000000000D00000-memory.dmp  family_redline

Redline family

Executes dropped EXE (3 IoCs)
  pid / process
  5000  v3346885.exe
  2560  a7905071.exe
  540   b2544887.exe

Windows security modification
  description / ioc / process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a7905071.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a7905071.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v3346885.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  v3346885.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a7905071.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b2544887.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process
  2560  a7905071.exe
  2560  a7905071.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / process
  Token: SeDebugPrivilege  2560  a7905071.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / process / procid_target
  PID 1148 wrote to memory of 5000  1148  bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe  84
  PID 1148 wrote to memory of 5000  1148  bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe  84
  PID 1148 wrote to memory of 5000  1148  bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe  84
  PID 5000 wrote to memory of 2560  5000  v3346885.exe  85
  PID 5000 wrote to memory of 2560  5000  v3346885.exe  85
  PID 5000 wrote to memory of 2560  5000  v3346885.exe  85
  PID 5000 wrote to memory of 540   5000  v3346885.exe  92
  PID 5000 wrote to memory of 540   5000  v3346885.exe  92
  PID 5000 wrote to memory of 540   5000  v3346885.exe  92
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe (PID 1148)
   command line: "C:\Users\Admin\AppData\Local\Temp\bc3737f0a31054c55cf897cf6f283ab636e12575ba809801a5b152b3134b5a38.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3346885.exe (PID 5000)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3346885.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7905071.exe (PID 2560)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7905071.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2544887.exe (PID 540)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2544887.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)