Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:00
Static task
static1
Behavioral task
behavioral1
Sample
1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe
Resource
win10v2004-20241007-en
General
-
Target
1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe
-
Size
642KB
-
MD5
955356b398feec5d7dab13bd2790fa40
-
SHA1
efab8b102454e5121329bd9816e338c9f3740911
-
SHA256
1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34
-
SHA512
19161965fad79b31eee2ec614a1cf01cbfae0e4a8ef029cd28d4ba1504eea8d80bd35e75ac27f3e38a2abdd96313125af1d6ac1851fa6ed6f66c9ed9b1155b07
-
SSDEEP
12288:Uy90DlGK9Ada9x1tn17OrvVy/WW6tq1qbPKyA+rPV05DU:UyClGKadaP17Wvcl6tq1qbPN1N05DU
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4752-15-0x0000000002310000-0x000000000232A000-memory.dmp healer behavioral1/memory/4752-19-0x0000000004900000-0x0000000004918000-memory.dmp healer behavioral1/memory/4752-25-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-21-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-20-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-27-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-23-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-47-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-45-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-43-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-41-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-39-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-37-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-35-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-33-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-31-0x0000000004900000-0x0000000004913000-memory.dmp healer behavioral1/memory/4752-29-0x0000000004900000-0x0000000004913000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 09517656.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 09517656.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 09517656.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 09517656.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 09517656.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 09517656.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
resource yara_rule behavioral1/memory/2768-56-0x0000000007170000-0x00000000071AC000-memory.dmp family_redline behavioral1/memory/2768-57-0x00000000071F0000-0x000000000722A000-memory.dmp family_redline behavioral1/memory/2768-73-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-93-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-91-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-89-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-87-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-85-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-83-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-81-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-79-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-77-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-75-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-71-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-69-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-67-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-65-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-63-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-61-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-59-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline behavioral1/memory/2768-58-0x00000000071F0000-0x0000000007225000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3652 st805462.exe 4752 09517656.exe 2768 kp613473.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 09517656.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 09517656.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" st805462.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language st805462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 09517656.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kp613473.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4752 09517656.exe 4752 09517656.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4752 09517656.exe Token: SeDebugPrivilege 2768 kp613473.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2160 wrote to memory of 3652 2160 1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe 84 PID 2160 wrote to memory of 3652 2160 1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe 84 PID 2160 wrote to memory of 3652 2160 1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe 84 PID 3652 wrote to memory of 4752 3652 st805462.exe 86 PID 3652 wrote to memory of 4752 3652 st805462.exe 86 PID 3652 wrote to memory of 4752 3652 st805462.exe 86 PID 3652 wrote to memory of 2768 3652 st805462.exe 95 PID 3652 wrote to memory of 2768 3652 st805462.exe 95 PID 3652 wrote to memory of 2768 3652 st805462.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe"C:\Users\Admin\AppData\Local\Temp\1d755a6a58a0f96c353797922fd809065fad10c55d0e9036e4e942f1662a1b34N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st805462.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st805462.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09517656.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09517656.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp613473.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp613473.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
488KB
MD56c83e846eb640c1670562b5e85ebbb34
SHA127c5efba96323ac3c78ee35301a0bbd0976cf8ba
SHA25680da0f11cdea6cf1221ce2c9703559d2a3aa1e3baa218ab8e9e28ed74c7de96f
SHA512f0257ddd98d33a6233b143bc2903e88765a605c6d4c4928b38a9acaadee597620d0165f288561a4227d5f415f2f8c459dca3d0f19925038f63f227b26b956047
-
Filesize
176KB
MD52b71f4b18ac8214a2bff547b6ce2f64f
SHA1b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA51233518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177
-
Filesize
340KB
MD5ea4b0b66c871bbe4d689be4e6df74da8
SHA1a1d841f99a42cadca6f0fe766ff200f5155d56a7
SHA25683a94190296682c061894792e0a9a596a3f74514c4346a9c36d123f544312994
SHA5122fa040d19684e51dc5eee3b831213087c9653a8c56146fc25723b88596ce84f29911c8a7fca8bef66aebb056e13a1033368fb63682cb5e7e53a53c9e80e96b63