Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:47

Static task: static1
Behavioral task: behavioral1
  Sample: 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe
  Resource: win10v2004-20241007-en
General

Target: 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe
Size:   1.5MB
MD5:    00ebe38ee1733d76518f76305c6543ab
SHA1:   f54a19ea108809118e5cb73f7d30723388e8dd86
SHA256: 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700
SHA512: 0c026e5b928f4ac8a527f1eba2241eb239cd3b3cfc9f2b0125b32ef1ec83c2b34f0dd5c3d7193e83fe782c338036cf34a5e4e8d1d40accffdd51c9d7cc306e49
SSDEEP: 24576:2ysTDq+3UjlsfjPKVoY6DpZp01YAX0adOiiu0s5Zf+xNEMXrAZ66:FoDq+3nf26YIZp06AXIiysaLEOZ
Malware Config

Extracted: redline
  botnet:     max
  C2:         185.161.248.73:4164
  auth_value: efb1499709a5d08ed1ddf71cff71211f
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/4196-35-0x00000000049F0000-0x0000000004A0A000-memory.dmp  healer
  behavioral1/memory/4196-37-0x0000000005080000-0x0000000005098000-memory.dmp  healer
  behavioral1/memory/4196-38-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-39-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-41-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-43-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-45-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-47-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-49-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-51-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-53-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-55-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-57-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-59-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-61-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-63-0x0000000005080000-0x0000000005093000-memory.dmp  healer
  behavioral1/memory/4196-65-0x0000000005080000-0x0000000005093000-memory.dmp  healer

All 17 Healer matches are against memory of PID 4196 (a98532674.exe), the process that also performs the Defender modifications below.

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description      ioc                                                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                a98532674.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    a98532674.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        a98532674.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    a98532674.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    a98532674.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a98532674.exe

These are the Group Policy values Defender reads under HKLM\SOFTWARE\Policies. The WOW6432Node prefix is the 32-bit registry view as seen from a 32-bit writer; detection rules keyed only on the native path would not match these rows. The report records the write attempts, not whether Defender actually honoured them on this image.
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/files/0x0007000000023ca3-68.dat                                 family_redline
  behavioral1/memory/4944-70-0x00000000008C0000-0x00000000008F0000-memory.dmp  family_redline

PID 4944 is b04622328.exe, so the RedLine payload is the second child of i09453305.exe, alongside the Healer component a98532674.exe (PID 4196).

Redline family
Executes dropped EXE (6 IoCs)
  pid   Process
  4480  i07930430.exe
  1624  i41481659.exe
  4736  i58734986.exe
  1156  i09453305.exe
  4196  a98532674.exe
  4944  b04622328.exe

Windows security modification (2 IoCs)
  description      ioc                                                                                            Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                      a98532674.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a98532674.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  description      ioc                                                                                Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
                     = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
                     = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   i07930430.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2
                     = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   i41481659.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3
                     = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"   i58734986.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4
                     = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"   i09453305.exe

The signature is named for the key, but these entries are not the sample's persistence: wextract_cleanupN pointing at advpack.dll,DelNodeRunDLL32 is the self-deleting hook written by the IExpress/WExtract self-extractor stub, which also creates the IXP00N.TMP staging directories. At next logon it removes the staging directory rather than starting anything. Five such entries, one per stage, show the sample is five nested IExpress layers deep before the two payloads run.
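A detection sketch for the three registry behaviours above (the Real-Time Protection policy values, TamperProtection, and the RunOnce entries). This is an added example, not part of the sandbox report or of any Triage tooling. The event tuples are constructed from the report's IoC rows with two benign controls added (a hypothetical gpupdate.exe resetting a policy value to 0, and a hypothetical setup.exe writing an ordinary RunOnce entry); key paths and value names are the ones the report shows. It folds the WOW6432Node view into the native path before matching, so a 32-bit writer and a 64-bit writer trigger the same rule, and it separates the wextract_cleanup IExpress artefacts from genuine RunOnce autostarts.

```python
"""Classify registry-write events for Defender tampering and RunOnce use,
normalizing the WOW6432Node (32-bit) view so both views match one rule.
Added example; the EVENTS list is constructed, not the report's raw rows."""
import re
from dataclasses import dataclass
from typing import Optional

RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
}
TAMPER_VALUE = r"hklm\software\microsoft\windows defender\features\tamperprotection"
RUNONCE_KEY = r"hklm\software\microsoft\windows\currentversion\runonce"
# Self-deleting hook written by the IExpress/WExtract stub: packaging, not persistence.
IEXPRESS_CLEANUP = re.compile(
    r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ".*\\IXP\d{3}\.TMP\\?"$', re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    kind: str
    value_name: str


def normalize_key(path: str) -> str:
    """Map NT object paths to HKLM/HKU form and fold WOW6432Node into the native view."""
    p = path.strip("\\")
    p = re.sub(r"^REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"^REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)


def classify(process: str, path: str, data) -> Optional[Finding]:
    """Return a Finding for one Set-value event, or None if it is not interesting."""
    key, _, name = normalize_key(path).rpartition("\\")
    k, n = key.lower(), name.lower()
    if k == RTP_KEY and n in RTP_DISABLE_VALUES and data == 1:
        return Finding(process, "defender_rtp_disabled", name)
    if f"{k}\\{n}" == TAMPER_VALUE and data == 0:
        return Finding(process, "defender_tamper_protection_off", name)
    if k == RUNONCE_KEY:
        if isinstance(data, str) and IEXPRESS_CLEANUP.match(data):
            return Finding(process, "iexpress_cleanup_runonce", name)
        return Finding(process, "runonce_autostart", name)
    return None


def classify_events(events):
    return [f for f in (classify(*e) for e in events) if f is not None]


# Constructed events (process, key path, data) modelled on the report's IoCs plus
# two benign controls (gpupdate.exe and setup.exe are hypothetical).
EVENTS = [
    ("a98532674.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", 1),
    ("a98532674.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection", 1),
    ("a98532674.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", 0),
    ("i07930430.exe", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    ("gpupdate.exe", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", 0),
    ("setup.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Finish", r"C:\Temp\installer.exe /finish"),
]

if __name__ == "__main__":
    for f in classify_events(EVENTS):
        print(f"{f.kind:32} {f.process:16} {f.value_name}")
```

The gpupdate control shows why the rule checks the data and not just the value name: a policy refresh that writes DisableRealtimeMonitoring = 0 is not a tamper event. On a real host the same normalization should be applied to Sysmon Event ID 13 TargetObject strings, which use the HKLM form rather than the \REGISTRY\MACHINE form the sandbox logs.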
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i58734986.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i09453305.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a98532674.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b04622328.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i07930430.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i41481659.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4196  a98532674.exe
  4196  a98532674.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4196  a98532674.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2528 wrote to memory of 4480  2528  0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe  84
  PID 2528 wrote to memory of 4480  2528  0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe  84
  PID 2528 wrote to memory of 4480  2528  0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe  84
  PID 4480 wrote to memory of 1624  4480  i07930430.exe                                                           86
  PID 4480 wrote to memory of 1624  4480  i07930430.exe                                                           86
  PID 4480 wrote to memory of 1624  4480  i07930430.exe                                                           86
  PID 1624 wrote to memory of 4736  1624  i41481659.exe                                                           87
  PID 1624 wrote to memory of 4736  1624  i41481659.exe                                                           87
  PID 1624 wrote to memory of 4736  1624  i41481659.exe                                                           87
  PID 4736 wrote to memory of 1156  4736  i58734986.exe                                                           89
  PID 4736 wrote to memory of 1156  4736  i58734986.exe                                                           89
  PID 4736 wrote to memory of 1156  4736  i58734986.exe                                                           89
  PID 1156 wrote to memory of 4196  1156  i09453305.exe                                                           90
  PID 1156 wrote to memory of 4196  1156  i09453305.exe                                                           90
  PID 1156 wrote to memory of 4196  1156  i09453305.exe                                                           90
  PID 1156 wrote to memory of 4944  1156  i09453305.exe                                                           97
  PID 1156 wrote to memory of 4944  1156  i09453305.exe                                                           97
  PID 1156 wrote to memory of 4944  1156  i09453305.exe                                                           97

Every write targets a process the writer itself spawned, and the writer/target pairs match the process tree below exactly. Nothing here points at injection into an existing process; the only process that acquires SeDebugPrivilege and enumerates processes is a98532674.exe (PID 4196), the Healer component.
Processes

C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe  (PID 2528, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe  (PID 4480, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe  (PID 1624, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe  (PID 4736, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe  (PID 1156, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe  (PID 4196, depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe  (PID 4944, depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
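The tree above is a single chain of IExpress stages, each unpacked into its own IXP00N.TMP directory, ending in two siblings. Recovering that shape from process-creation telemetry and counting consecutive IXP00N.TMP launches is a cheap way to surface this packaging pattern on an endpoint. The following is an added example, not code from the report or from Triage: the (pid, ppid, image) records are constructed to mirror the tree, the parent of the sample (PID 1000, explorer.exe) and the unrelated notepad.exe child are assumptions the report does not make, and the threshold of three stages is a tuning choice.

```python
"""Reconstruct root-to-leaf process chains and flag runs of nested
IExpress (IXP00N.TMP) self-extractor stages. Added example; PROCS is
constructed from the report's process tree, with assumed parent/sibling
entries that the report does not contain."""
import re
from collections import defaultdict

# Staging directory created by the IExpress/WExtract stub for each layer.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe"

# (pid, parent pid, image). PID 1000 explorer.exe and PID 3000 notepad.exe are
# assumptions added so the walk has a benign sibling to ignore.
PROCS = [
    (1000, 4, r"C:\Windows\explorer.exe"),
    (2528, 1000, SAMPLE),
    (4480, 2528, TMP + r"\IXP000.TMP\i07930430.exe"),
    (1624, 4480, TMP + r"\IXP001.TMP\i41481659.exe"),
    (4736, 1624, TMP + r"\IXP002.TMP\i58734986.exe"),
    (1156, 4736, TMP + r"\IXP003.TMP\i09453305.exe"),
    (4196, 1156, TMP + r"\IXP004.TMP\a98532674.exe"),
    (4944, 1156, TMP + r"\IXP004.TMP\b04622328.exe"),
    (3000, 1000, r"C:\Windows\System32\notepad.exe"),
]


def root_to_leaf_chains(procs, root):
    """All pid chains from root down to each leaf, in creation order."""
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            chains.append(path)
        for child in children[pid]:
            walk(child, path)

    walk(root, [])
    return chains


def iexpress_stages(chain, image_of):
    """Longest run of consecutive processes launched from an IXP00N.TMP directory."""
    best = run = 0
    for pid in chain:
        run = run + 1 if IXP_DIR.search(image_of[pid]) else 0
        best = max(best, run)
    return best


def flag_nested_sfx(procs, root, min_stages=3):
    """Return (chain, stages) for every chain with at least min_stages nested IExpress layers."""
    image_of = {pid: image for pid, _, image in procs}
    findings = []
    for chain in root_to_leaf_chains(procs, root):
        stages = iexpress_stages(chain, image_of)
        if stages >= min_stages:
            findings.append((chain, stages))
    return findings


if __name__ == "__main__":
    for chain, stages in flag_nested_sfx(PROCS, 1000):
        print(f"{stages} nested IExpress stages:", " -> ".join(map(str, chain)))
```

A single IExpress layer is common in legitimate installers, which is why the run length rather than the mere presence of an IXP00N.TMP path is what gets flagged; the chain in this report scores five.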
Network

MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads

Filesize: 1.2MB
  MD5:    7db1ac7c2f9d84fe7b11df33d9b65259
  SHA1:   ff41dfc211fbf4239dda95c705e6d479006cb402
  SHA256: a81fdc3be528b464d464b74542d690ecd502ac503788c495c1c60f5526a192cd
  SHA512: 6b348156e4965a082e812ea952f5d68ddb1afb7be14c6b33facf580ece1a73a352a20a5f58f13456b748edee6a9c73ebb130ac9f704cf99374e2a72c00d2bd59

Filesize: 1.1MB
  MD5:    b425b4a9f016d95cddc22b8e6543deb6
  SHA1:   a0b49db5b5e17a8add44d3b3eeb3fdab03659858
  SHA256: 6ffb2299ae539c576f6ba0cdbad6062151aa0745c720f3ff39ab123cf802c313
  SHA512: 302d06fab11fb6ad2a5ca233c782b3cffeba3c5ace9ceef68cb0d081ada79113ca88a21cdf1e4230c23164cbf67d88da2f40b2e5662e62d1ae31722ab8b88b21

Filesize: 590KB
  MD5:    fa5c4cc610eb9b882dd49d57c91e856f
  SHA1:   169442ac3feb1988ff88b9e5dfbbb1ff634f6ad3
  SHA256: dfab72691cbfd39913f7694be89071b3dc98c1873b95855b42c1f1191fca1ccb
  SHA512: 4d84ad07e051c84305194f086c9358f21b1615f78cd5c6a64d4e3cb69cf7f27336d6cea7027eaad2ad96e9b96f78378a9038df62053099dfa6b97608c4a75513

Filesize: 310KB
  MD5:    cdfb76668c1a0de0e545275331661b73
  SHA1:   7b96af1982fd27323468a5f74345c2de046a734a
  SHA256: 0dea7ae46714df770e3674c6ae78f5f93abe886b0b45f0df02cfd694e356a415
  SHA512: bb5cdeff4fe687f746b63203b0e15ed6ce97dc6c8731640458d4872dbd9271573c9f21de46511dd019b75373546acd989ab76c34d4fd2ba4d5059138097e01f6

Filesize: 177KB
  MD5:    0e70e336b50840a9ddc7817fc0caf63b
  SHA1:   1666ebb4448cecb7a21f32b340441878f1fb720e
  SHA256: 0b96476ad431e92c5e7121f2d6cfae50d05f5eef14ba878f0d9550567e15ad70
  SHA512: 0c7b5b78575005bf600f069eca4e570f8b2b00f24b8594ea1032c1c77b7a8c03c11acc5dbcd8d2fc39775db020363696de8033a9fccf020a9ac8d7f36dad376e

Filesize: 168KB
  MD5:    fb50afd3a9e83d1ce7932914cf8e3534
  SHA1:   fd996173a34c311485b4a9671d6fde3392ae2843
  SHA256: 498842af0fbff25318307ae68f5e0afbd2dc067e37d871b8dd5834592a36c720
  SHA512: f0efa77feb8bb33c556b61d20e3598ed1271366b587ff449de3455a544b9bd2673548a4ccc5e87164a7c47001b7ecd2ae353ec507ef10794fdb2bee26513f6ab