Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 06:48

Static task: static1
Behavioral task: behavioral1
Sample: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe
Resource: win10v2004-20241007-en
General
- Target: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe
- Size: 479KB
- MD5: 2f5dc3c551c5825647e06a36ff100438
- SHA1: d12f64144f52c8b67a8c0e0645a20f7d2ddfa4b6
- SHA256: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a
- SHA512: 4c4b7d19f3a5c51da6e1e7ca8be746e6c1f2f74d3a3d5091ef523741a93689d8c954d3a16e1d0cdcfad7a8237d08763af11a07cf2d9ed6123a5bb717ba241d43
- SSDEEP: 12288:JMr8y90/NrfArMROEw9VmzfF/0rUwpEDYP9ViA:9yYorpfmzNJUYYT7
Malware Config
Extracted
- Family: redline
- Botnet: divan
- C2: 217.196.96.102:4132
- auth_value: b414986bebd7f5a3ec9aee0341b8e769
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
Process: k2652102.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- behavioral1/files/0x0009000000023bbd-54.dat: family_redline
- behavioral1/memory/1080-56-0x00000000006D0000-0x00000000006FE000-memory.dmp: family_redline
Redline family

Executes dropped EXE (3 IoCs)
- PID 392: y7320706.exe
- PID 4020: k2652102.exe
- PID 1080: l9325192.exe
Windows security modification
Process: k2652102.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: y7320706.exe)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: y7320706.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: k2652102.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: l9325192.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4020: k2652102.exe
- PID 4020: k2652102.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 4020 (k2652102.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 640 wrote to memory of 392 (Process: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe, procid_target: 83)
- PID 640 wrote to memory of 392 (Process: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe, procid_target: 83)
- PID 640 wrote to memory of 392 (Process: cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe, procid_target: 83)
- PID 392 wrote to memory of 4020 (Process: y7320706.exe, procid_target: 84)
- PID 392 wrote to memory of 4020 (Process: y7320706.exe, procid_target: 84)
- PID 392 wrote to memory of 4020 (Process: y7320706.exe, procid_target: 84)
- PID 392 wrote to memory of 1080 (Process: y7320706.exe, procid_target: 93)
- PID 392 wrote to memory of 1080 (Process: y7320706.exe, procid_target: 93)
- PID 392 wrote to memory of 1080 (Process: y7320706.exe, procid_target: 93)
Processes

1. C:\Users\Admin\AppData\Local\Temp\cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe (PID 640)
   Command line: "C:\Users\Admin\AppData\Local\Temp\cceaa97f5bb5ae0e81575522ba7117ee7832476da41d9f72fc5519015c8d0b8a.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7320706.exe (PID 392)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7320706.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2652102.exe (PID 4020)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2652102.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9325192.exe (PID 1080)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9325192.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads