Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe
Resource: win10v2004-20241007-en
General
Target: 109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe
Size: 479KB
MD5: ef92e6593407ed33d37f68fca3b1e1c8
SHA1: 47cf78cfce2be16a33419961eef7d3189096b74b
SHA256: 109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49
SHA512: 86550872b5fa31bf37ec4f3b92c45e49b66a80dab93b7f9f5a3cba3238d700eeceefa51047369929c3316f65d099d0da76fe918dd8adca99eee83ad5f996b42d
SSDEEP: 6144:K2y+bnr+Dp0yN90QE53hNhiMZrRZCkoebbyq0ayHGUJRADnc2IuDmnDuHq10tnEK:2Mrfy9033h3iMZlulJRADczETqGGXtg
Malware Config
Extracted
Family: redline
Botnet: dona
C2: 217.196.96.101:4132
auth_value: 9fbb198992bbc83a84ab1f21384813e3
Signatures

Detects Healer an antivirus disabler dropper (17 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1452-15-0x0000000002180000-0x000000000219A000-memory.dmp  healer
behavioral1/memory/1452-18-0x0000000004F50000-0x0000000004F68000-memory.dmp  healer
behavioral1/memory/1452-47-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-21-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-45-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-43-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-41-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-39-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-37-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-35-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-33-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-31-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-29-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-27-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-25-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-23-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
behavioral1/memory/1452-20-0x0000000004F50000-0x0000000004F62000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description      ioc                                                                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     k5922697.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   k5922697.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                     k5922697.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     k5922697.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"         k5922697.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     k5922697.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                     yara_rule
behavioral1/files/0x000a000000023b79-54.dat                                  family_redline
behavioral1/memory/1256-56-0x0000000000C60000-0x0000000000C90000-memory.dmp  family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid   Process
1292  y0665836.exe
1452  k5922697.exe
1256  l1641414.exe

Windows security modification (2 IoCs)
description      ioc                                                                                                Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                         k5922697.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  k5922697.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                                             Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  y0665836.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  y0665836.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  k5922697.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  l1641414.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1452  k5922697.exe
1452  k5922697.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1452  k5922697.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                    pid   Process                                                                procid_target
PID 1940 wrote to memory of 1292  1940  109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe  83
PID 1940 wrote to memory of 1292  1940  109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe  83
PID 1940 wrote to memory of 1292  1940  109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe  83
PID 1292 wrote to memory of 1452  1292  y0665836.exe                                                           84
PID 1292 wrote to memory of 1452  1292  y0665836.exe                                                           84
PID 1292 wrote to memory of 1452  1292  y0665836.exe                                                           84
PID 1292 wrote to memory of 1256  1292  y0665836.exe                                                           98
PID 1292 wrote to memory of 1256  1292  y0665836.exe                                                           98
PID 1292 wrote to memory of 1256  1292  y0665836.exe                                                           98
Processes
C:\Users\Admin\AppData\Local\Temp\109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\109abac33436a037848855c990c47547905e0576dee7eec37e63a64a8db90a49.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1940
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0665836.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0665836.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1292
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5922697.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5922697.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1452
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1641414.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1641414.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1256
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 307KB
MD5: 671c31bef54a99bf78e2d6edccd5aa24
SHA1: 8425d1721c595aad6ea26d271c85f6659cbeb688
SHA256: 3344ae3e184c39464ada18646e39a158139b263cd0ebe7eb0b0c11a4d6f2e144
SHA512: 5f0702801532d858686153c84cc2ed2dc7d02651f85b9b07d0b9641a7199ca70a2886bf0e0bb8782c487037f3b50f24a59e47a320e4ec27195b7c19eb4538cf6

Filesize: 179KB
MD5: 49becd02b926f89a5296d5dba92c4cf6
SHA1: b73395f203cd6ec34d52da861d0576f201db6132
SHA256: 0c536c6ce212423995467232eaaf6c2e994ccc76571e30c3f61a019fe091c695
SHA512: c3e8f353cd86c872b3dc8dd1f5fbb85c4c852641f7cdcf657a63496b8c11badbd2016582ec26c377a9f9c37191946e2045d5ce0973673daaceef80a38339372f

Filesize: 168KB
MD5: 1ddce55e81c36e7138d6edb0559d70f2
SHA1: 52618c7079b303b54666a79a5e1b21d65262584b
SHA256: 5682122d02e00613b005636bb59e1837c8b7f7b6f8c9c25065cfc366b6149bfd
SHA512: c48605620d978d2fb607d9d88d90844d6ca36a01b25cbe868f4d9f4e5419c1a87b84a41906fda2d6405d4322a8f06bbda08ba278fdc962bd159889839b38a182