Analysis
max time kernel: 140s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:52
Static task: static1
Behavioral task: behavioral1
Sample: 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe
Resource: win10v2004-20241007-en
General
Target: 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe
Size: 566KB
MD5: 76cc5bcb3a567676b8b35afae9ca540d
SHA1: 365d63f6a85234551b9c39e51cd30ce08255d52d
SHA256: 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884
SHA512: 16a94559e0737a37ffab4f8b98290f7fdbfc28df81113deda2eccb3de6a81a24d2dcd38c6c9bfb16a72a23b5788837b2cce6dfb9271f28fc823fd4898ecf0d4b
SSDEEP: 12288:by9063cGXPbEpW6Idw3ooe/PRy+ow4SYuT:byNc6PopW/YHeE+bD3
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b6f-12.dat | healer
behavioral1/memory/2544-15-0x0000000000900000-0x000000000090A000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it191471.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it191471.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it191471.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it191471.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it191471.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it191471.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Redline family
-
Executes dropped EXE (3 IoCs)
pid | Process
4216 | zitr8883.exe
2544 | it191471.exe
4932 | kp542075.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it191471.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zitr8883.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zitr8883.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kp542075.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2544 | it191471.exe
2544 | it191471.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2544 | it191471.exe
Token: SeDebugPrivilege | 4932 | kp542075.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2732 wrote to memory of 4216 | 2732 | 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe | 83
PID 2732 wrote to memory of 4216 | 2732 | 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe | 83
PID 2732 wrote to memory of 4216 | 2732 | 7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe | 83
PID 4216 wrote to memory of 2544 | 4216 | zitr8883.exe | 85
PID 4216 wrote to memory of 2544 | 4216 | zitr8883.exe | 85
PID 4216 wrote to memory of 4932 | 4216 | zitr8883.exe | 93
PID 4216 wrote to memory of 4932 | 4216 | zitr8883.exe | 93
PID 4216 wrote to memory of 4932 | 4216 | zitr8883.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe (PID 2732)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a33ae5a53405997e8284a9d140db8a91fb0d65541323b92d68f149d229b8884.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitr8883.exe (PID 4216)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitr8883.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it191471.exe (PID 2544)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it191471.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp542075.exe (PID 4932)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp542075.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize: 412KB
MD5: 1f4ce7feb1e9175201f0d5d1ea0eee1f
SHA1: 178746503768b3cb61399bcd038617585dfe7e28
SHA256: adf0d743eee8182a10a03694252292441a21e3cb07a3240ab3f7a7ae258e26c2
SHA512: b6ff8bc94573082f850fcfd883052d4c29bd4fc1ebe1330aca29976cdaf310acff8c55c584fc373345d4664b85c5cfe497ddfe7feda5624a62324291e6f7a29f
-
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 369KB
MD5: a8ed2888e5fd72ccf0f7f186040422ee
SHA1: 87ec2e43aa61206cdd0e5d67b0a60ae3efca8222
SHA256: 0947c615b04f0c99d6eef93b36c252cf4b59e32bdec08f8045972cdfae2d1e17
SHA512: ea15060126808a69fa382c1a7d482b9557898e71edd26dfd271f0ada550ec9764be1b39adfba97e09a53d99aa5178ee0a5a76c0fef144757fc4aa0faf03a79cb