Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:42
Static task: static1
Behavioral task: behavioral1
Sample: b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe
Resource: win10v2004-20241007-en
General
Target: b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe
Size: 479KB
MD5: d1e3b8bb9acfe5180c9ff41fe3db2bda
SHA1: d74aa9fd8d0b4ad7483c9330146495536b05ebca
SHA256: b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb
SHA512: 4f36bbf197af7e9a48b9074f702d868b5e02287c56918125de4e1c0e3985813c8d4f65fcbb89de84f6d8a86da733526fc8a62969bfb31ff2cc32c88047a89a9f
SSDEEP: 12288:8Mray90KWksOVFErwCw4cL4uRbe3TeyBr:eylWkGdI63TBr
Malware Config
Extracted
Family: redline
Botnet: dumud
C2: 217.196.96.101:4132
auth_value: 3e18d4b90418aa3e78d8822e87c62f5c
Signatures

Detects Healer an antivirus disabler dropper 17 IoCs
resource  yara_rule
behavioral1/memory/4172-15-0x0000000002020000-0x000000000203A000-memory.dmp  healer
behavioral1/memory/4172-18-0x0000000002540000-0x0000000002558000-memory.dmp  healer
behavioral1/memory/4172-47-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-45-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-43-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-41-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-39-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-37-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-35-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-33-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-31-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-29-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-27-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-25-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-23-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-21-0x0000000002540000-0x0000000002552000-memory.dmp  healer
behavioral1/memory/4172-20-0x0000000002540000-0x0000000002552000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  k7967811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  k7967811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  k7967811.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  k7967811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  k7967811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  k7967811.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource  yara_rule
behavioral1/files/0x000a000000023b5b-55.dat  family_redline
behavioral1/memory/3436-56-0x0000000000470000-0x00000000004A0000-memory.dmp  family_redline

Redline family

Executes dropped EXE 3 IoCs
pid  Process
4880  y9714322.exe
4172  k7967811.exe
3436  l7725239.exe
Windows security modification 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  k7967811.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  k7967811.exe
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  y9714322.exe
Note: both values are the cleanup stubs that the wextract self-extractor registers so that advpack.dll's DelNodeRunDLL32 deletes its IXP<nnn>.TMP extraction directory at the next logon. They show that the sample and y9714322.exe are nested wextract/IExpress packages; they do not give the payloads persistence.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  k7967811.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  l7725239.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  y9714322.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
4172  k7967811.exe
4172  k7967811.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  4172  k7967811.exe

Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 2308 wrote to memory of 4880  2308  b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe  83
PID 2308 wrote to memory of 4880  2308  b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe  83
PID 2308 wrote to memory of 4880  2308  b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe  83
PID 4880 wrote to memory of 4172  4880  y9714322.exe  85
PID 4880 wrote to memory of 4172  4880  y9714322.exe  85
PID 4880 wrote to memory of 4172  4880  y9714322.exe  85
PID 4880 wrote to memory of 3436  4880  y9714322.exe  95
PID 4880 wrote to memory of 3436  4880  y9714322.exe  95
PID 4880 wrote to memory of 3436  4880  y9714322.exe  95
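The Defender policy writes, the TamperProtection change and the RunOnce entries above are the registry events a detection engineer would want to triage automatically. The Python below is an added example, not part of the sandbox report or of the Healer/RedLine samples: it runs a small classifier over constructed registry set-value events that mirror this report's IoCs (plus three constructed control events), rates the Real-Time Protection policy flips and the TamperProtection = 0 write as high severity, and labels the wextract_cleanup RunOnce values as the self-extractor's cleanup stub rather than persistence. The tab-separated event layout, the `Finding` type and the helper names are assumptions for the example, not a Sysmon or sandbox export format.

```python
"""Triage registry set-value events for Defender tampering and RunOnce autostart.

Added example (not from the report): the events below are constructed to mirror
the report's IoCs; the 'process<TAB>key<TAB>value' layout is an assumed log format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Real-Time Protection policy values that Healer sets to 1 to blind Defender.
DEFENDER_RTP_FLAGS = {
    "DisableRealtimeMonitoring",
    "DisableOnAccessProtection",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$", re.I)
TAMPER_RE = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\\([^\\]+)$", re.I)
# Stub that wextract/IExpress registers to delete its IXP<nnn>.TMP directory at next logon.
WEXTRACT_CLEANUP_RE = re.compile(r"^rundll32\.exe .*\\advpack\.dll,DelNodeRunDLL32 ", re.I)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    process: str
    key: str
    reason: str


def triage_event(process: str, key: str, value: str):
    """Classify one registry set-value event; returns a Finding or None."""
    value = value.strip('"')
    m = RTP_POLICY_RE.search(key)
    if m and m.group(1) in DEFENDER_RTP_FLAGS and value == "1":
        return Finding("high", process, key,
                       f"Defender real-time protection disabled by policy ({m.group(1)}=1)")
    if TAMPER_RE.search(key) and value == "0":
        return Finding("high", process, key, "Defender Tamper Protection switched off")
    m = RUNONCE_RE.search(key)
    if m:
        if m.group(1).lower().startswith("wextract_cleanup") and WEXTRACT_CLEANUP_RE.match(value):
            return Finding("info", process, key,
                           "wextract/IExpress cleanup stub for the IXP temp dir, not persistence")
        return Finding("medium", process, key, "RunOnce autostart entry")
    return None  # not an event this triage cares about


def triage_lines(lines):
    """Parse 'process<TAB>key<TAB>value' lines and return findings in input order."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        process, key, value = line.split("\t", 2)
        finding = triage_event(process, key, value)
        if finding is not None:
            findings.append(finding)
    return findings


def severity_counts(findings):
    """Number of findings per severity, e.g. {'high': 6, 'info': 2, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


def ev(process, key, value):
    return f"{process}\t{key}\t{value}"


# Constructed events mirroring the report's IoCs, followed by three control events
# (an unrelated RunOnce entry, a policy flag set back to 0, and a plain Run key).
SAMPLE = "b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP0 = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'
CLEANUP1 = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'
SAMPLE_EVENTS = [
    ev("k7967811.exe", RTP + r"\DisableOnAccessProtection", "1"),
    ev("k7967811.exe", RTP + r"\DisableRealtimeMonitoring", "1"),
    ev("k7967811.exe", RTP + r"\DisableScanOnRealtimeEnable", "1"),
    ev("k7967811.exe", RTP + r"\DisableBehaviorMonitoring", "1"),
    ev("k7967811.exe", RTP + r"\DisableIOAVProtection", "1"),
    ev("k7967811.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    ev(SAMPLE, RUNONCE + r"\wextract_cleanup0", CLEANUP0),
    ev("y9714322.exe", RUNONCE + r"\wextract_cleanup1", CLEANUP1),
    ev("updater.exe", RUNONCE + r"\updater", r"C:\Users\Admin\AppData\Roaming\updater.exe"),  # constructed
    ev("explorer.exe", RTP + r"\DisableRealtimeMonitoring", "0"),                               # constructed
    ev("OneDrive.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\od.exe"),  # constructed
]

if __name__ == "__main__":
    for f in triage_lines(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.process}: {f.reason}")
    print(severity_counts(triage_lines(SAMPLE_EVENTS)))
```

The classifier deliberately keys on the value as well as the path: a policy flag written as 0 (re-enabling protection) and a plain Run key are left alone, while the two wextract_cleanup entries are reported at informational level so the analyst sees the nested self-extractor without mistaking it for a persistence mechanism. In a real deployment the same three matchers would run over Sysmon Event ID 13 (RegistryEvent SetValue) records rather than the constructed lines.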
Processes
C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe"
  PID: 2308
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe (child of PID 2308)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe
    PID: 4880
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe (child of PID 4880)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe
      PID: 4172
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe (child of PID 4880)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe
      PID: 3436
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 307KB
MD5: 35b2bc877ae55e3f5f7067bb5b2630ae
SHA1: 9c6ca8e4b50de8ddee2428c5ccd645429fff4c84
SHA256: d84972dff03da9d2d8fd9e3dc5f84a40fdd8f899a2492433be2dc3677b30f823
SHA512: 404706968da3dbdddecd49b92744cb6b9ac9d5919f7c2ca2ff332a2565a289cb558061db99e675cf4cfea939a483eed69253c2e43b152fd2d6b6e6d370fc1515

Filesize: 180KB
MD5: fbd3ef92cfaaf7eec314dea971095d5e
SHA1: 16f9defe16511fa73732b1e431eb0dc9b73c457b
SHA256: 7c817ddadf209c0b0385ecb0340f5331a6681a0684fa034037c8f426a2d8fb77
SHA512: 4d2201724f500a6933cdb7b7e01032c55a76be7dcabc66e23d65c4b7a0ccaa6b614b77b1c0a4e69425ccbe152ae848983c9aae1059f8abbd7786788f3c97ebdc

Filesize: 168KB
MD5: a27f4e37a4539ff0f8ab648f5a1700a6
SHA1: 32a51599313569b0fc9a400c64c47776e55bb782
SHA256: fd5783bb8c45a48a8e4bb2a764e69213afcfb7266b50d0ca5477512495a4f691
SHA512: 153b761f71944d8ffda33aeadefb592ad3d2e2f8fab5aa037bfc3fc5b5fec6cf96e012ea633d84c89d144f9edebd84c8bdf4cb8329c787aa92217ea3dd59c14e