Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:02
Static task
static1
Behavioral task
behavioral1
Sample
dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe
Resource
win10v2004-20241007-en
General
-
Target
dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe
-
Size
920KB
-
MD5
dbce3f9c7d5e42a12eacda776b1a49e5
-
SHA1
75e1b7da2fef79a56569ef71af1c3f9e2b9a04de
-
SHA256
dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be
-
SHA512
948436372d17c79a18d7c429d0ba7de7b2312a13dbeb0d48150f657543f1ac24058eb332c4dbb248eed56c81af618d6785bea3319c064801d41433e82c7fa8de
-
SSDEEP
24576:5ykDT/+6YwM96hRS+T75xsa3KLcfrhelXFWsYqtuGx6FCGU:skHozEvLD7telXFzK
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b7a-19.dat healer behavioral1/memory/1560-22-0x0000000000B20000-0x0000000000B2A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it670988.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it670988.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it670988.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it670988.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it670988.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it670988.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/3276-29-0x00000000027C0000-0x00000000027FC000-memory.dmp family_redline behavioral1/memory/3276-31-0x00000000029A0000-0x00000000029DA000-memory.dmp family_redline behavioral1/memory/3276-41-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-47-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-45-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-43-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-93-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-71-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-65-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-53-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-39-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-37-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-35-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-33-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-32-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-51-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-95-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-91-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-89-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-87-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-85-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-83-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-81-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-79-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-77-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-75-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-73-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-69-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-67-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-63-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-61-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-59-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-57-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-55-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline behavioral1/memory/3276-49-0x00000000029A0000-0x00000000029D5000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 4656 zifJ9763.exe 4576 ziCM3020.exe 1560 it670988.exe 3276 jr843899.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it670988.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zifJ9763.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ziCM3020.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3316 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jr843899.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zifJ9763.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziCM3020.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1560 it670988.exe 1560 it670988.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1560 it670988.exe Token: SeDebugPrivilege 3276 jr843899.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3160 wrote to memory of 4656 3160 dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe 84 PID 3160 wrote to memory of 4656 3160 dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe 84 PID 3160 wrote to memory of 4656 3160 dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe 84 PID 4656 wrote to memory of 4576 4656 zifJ9763.exe 86 PID 4656 wrote to memory of 4576 4656 zifJ9763.exe 86 PID 4656 wrote to memory of 4576 4656 zifJ9763.exe 86 PID 4576 wrote to memory of 1560 4576 ziCM3020.exe 87 PID 4576 wrote to memory of 1560 4576 ziCM3020.exe 87 PID 4576 wrote to memory of 3276 4576 ziCM3020.exe 93 PID 4576 wrote to memory of 3276 4576 ziCM3020.exe 93 PID 4576 wrote to memory of 3276 4576 ziCM3020.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe"C:\Users\Admin\AppData\Local\Temp\dda2f7a4dc61593f572c743c4eecebfe3b5fb55ffea2844fb40372245f23e7be.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifJ9763.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziCM3020.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it670988.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr843899.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3316
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
616KB
MD53858354b8d04993efbc9908cf332adfe
SHA1ff3922abcf6f16777720c9e050fb750430f91478
SHA256aef7b199ad512e2e248ebb811785a7a6c274b9b7fb0a3e251217babe4d01ef1d
SHA5120f6c8de17f83bf2692e88f0d5b2ab459970431b6554918b5c6ca752cdb6675a19c73eba49e098bf71680260fc8453ecc01d4c8cb196c88df5ac3637bd2791de0
-
Filesize
461KB
MD5ee0825cdf5cfdb06e91ca522e2a75663
SHA11b1d4bc34e4b8219f482d53af0fe84a5b54f3bd2
SHA2562767936a4c6a15d76b71c2e6305f96aec19fde99333bb8ee69415e7eb6346137
SHA512a9e58569d774f8ca77f11e152f3fb4ee12fcd30a6b11a777237dffe34c1640059ace37d2b46bff3653d42e911dfa9beded19e707d49f4d6c457420310373965f
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
472KB
MD5a78344177ef52664d674b99498c8717a
SHA1c8bb120c471d5dbb47deda7e87f02c63e37698cc
SHA25660e3dd1958800944a7e02b2c8f73260be3c20c0a52ce459f4d2a7e5c1953260f
SHA51257a685c4f640786c390965e9162d9fc3bf5120d27fa9339805fcf209d67091bc44d2969e481b8ca37b600763be6797179f40a0bba4d700f30c79b91b6bf7bbfd