Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10/11/2024, 03:43

Static task: static1
Behavioral task: behavioral1
Sample: c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe
Resource: win10v2004-20241007-en

General
Target: c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe
Size: 480KB
MD5: c5c4f3054e75f5a2ef65f86f9597f4d2
SHA1: ac1409a2b709de3aea8e89f3b8ab14a092ec69a6
SHA256: c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd
SHA512: 693a1eef93cbe3237d43696243cc6b57f8f9a3b4192dd85417a899e0f9dddf65aa0e50176faf6b81b8c5f56ea5bfe775c366c08fc1608158530ddcb6ff074bb2
SSDEEP: 12288:hMrCy90mqhZHB/gv1oMENpT0yB+NqPg1buo7Yjp:byIBgvEQ8+Qgc/
Malware Config
Extracted
Family: redline
Botnet: dease
C2: 217.196.96.101:4132
auth_value: 82e4d5f9abc21848e0345118814a4e6c
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/3476-15-0x00000000020A0000-0x00000000020BA000-memory.dmp | healer
behavioral1/memory/3476-19-0x00000000025F0000-0x0000000002608000-memory.dmp | healer
behavioral1/memory/3476-48-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-46-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-44-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-42-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-40-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-38-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-36-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-34-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-32-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-30-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-28-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-26-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-24-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-22-0x00000000025F0000-0x0000000002602000-memory.dmp | healer
behavioral1/memory/3476-21-0x00000000025F0000-0x0000000002602000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | k6586375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k6586375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k6586375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k6586375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k6586375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k6586375.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000023c8c-54.dat | family_redline
behavioral1/memory/4076-56-0x00000000003A0000-0x00000000003CE000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3180 | y2741035.exe
3476 | k6586375.exe
4076 | l7510143.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k6586375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k6586375.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y2741035.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
4900 | sc.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k6586375.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l7510143.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y2741035.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3476 | k6586375.exe
3476 | k6586375.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3476 | k6586375.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1536 wrote to memory of 3180 | 1536 | c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe | 86
PID 1536 wrote to memory of 3180 | 1536 | c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe | 86
PID 1536 wrote to memory of 3180 | 1536 | c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe | 86
PID 3180 wrote to memory of 3476 | 3180 | y2741035.exe | 87
PID 3180 wrote to memory of 3476 | 3180 | y2741035.exe | 87
PID 3180 wrote to memory of 3476 | 3180 | y2741035.exe | 87
PID 3180 wrote to memory of 4076 | 3180 | y2741035.exe | 96
PID 3180 wrote to memory of 4076 | 3180 | y2741035.exe | 96
PID 3180 wrote to memory of 4076 | 3180 | y2741035.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c60e01f16401b2a5e0cf70ec5f201dbac228abbd5e80506bb340f9cac869c8dd.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1536

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2741035.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2741035.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3180

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6586375.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6586375.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3476

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7510143.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7510143.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4076

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 4900
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 309KB
MD5: af4fdc28af0a18b00ecbb4e7d56f959e
SHA1: 514558be9bbbb533a3aa8d80670a6ef1c815c5c2
SHA256: 1868a0400732879f176c747739a61ddd4fccf9d6032c564749aef1eec30a47dd
SHA512: 777976a8b3ee5885f8a301b336de09e696f730a4859474288d8ab632e07c0d350cc49682306079fa5a99ed9f0cf5af7764997e8a30b6f9b38eb8f7122946ca9a

Filesize: 181KB
MD5: 03ba7bbcd65b60bb34fba49ec844f68a
SHA1: a3d529e2797a7e0015490ffea27d404010fdc528
SHA256: 0be7df2c54125aff28a64db0ed537935d94915b00ce698c29fa0fc5987ead9a3
SHA512: 38be90daffae89654f89d2e0961ccff2acaae31cd6d963105017290ec763a6263de49c1535e76c4f3e702633e54bdba9bb81d64c710d8d7dbda38c3211a6ddda

Filesize: 168KB
MD5: 0ae3d1b41524cee77fe4e15922e0f0fb
SHA1: 875843adf24ce99ef3fe9aeceb31bac9addd202f
SHA256: fffaa4697525fc9db811f243cad76d59b88c42a662e45be52f20a8d763485555
SHA512: fca98efed890700427e600ba69c329e095fee7f835e7d0e8e624e93d957c6878ede51ec25006431fc42fa45d2a0d0d9e03a5e070d2a460e41f8bd2b62b4ad9c6