Analysis
-
max time kernel
116s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 19:52
Static task
static1
Behavioral task
behavioral1
Sample
5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe
Resource
win10v2004-20241007-en
General
-
Target
5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe
-
Size
204KB
-
MD5
908d46fc4c97a0b8993adeea74757d20
-
SHA1
cabbaefb3191f20fb5417e3d1effe8f35e37f994
-
SHA256
5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8af
-
SHA512
7018ce4d0faf07cca33243d66f24aed1de59404c0f4dddfc5e1aec75970f664d217e74e133a5b7339358da68cafd13cef17ebcaeea651f196df3fa4ed5742306
-
SSDEEP
3072:KZy+bnr+O1Y5GWp1icKAArDZz4N9GhbkrNEk1x7MicgKZzZzBXzRMbtnn+c66ob:KZy+bnr+Lp0yN90QEm7XbotzBXF28L
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023c83-5.dat healer behavioral1/memory/1832-8-0x00000000001B0000-0x00000000001BA000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k1758702.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection k1758702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k1758702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k1758702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k1758702.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k1758702.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023c87-12.dat family_redline behavioral1/memory/3840-15-0x00000000009E0000-0x0000000000A08000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 1832 k1758702.exe 3840 l1620933.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k1758702.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language l1620933.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1832 k1758702.exe 1832 k1758702.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1832 k1758702.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1284 wrote to memory of 1832 1284 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe 84 PID 1284 wrote to memory of 1832 1284 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe 84 PID 1284 wrote to memory of 3840 1284 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe 88 PID 1284 wrote to memory of 3840 1284 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe 88 PID 1284 wrote to memory of 3840 1284 5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe"C:\Users\Admin\AppData\Local\Temp\5326ad6d39f63d40cbd39715869233d82497f50ef0a4b9fb9ebe87aade21a8afN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k1758702.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k1758702.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1620933.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1620933.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3840
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
136KB
MD58ada60b5c884abd5e5e5f388035618f6
SHA1cd17d525156223f30f18bf537f238261875caa15
SHA256da8b11f179063bdb9ba8a92015eac59170cfad1cce8e03c9b3ef432efe3a71ea
SHA5129758f71a3fa06bc1b9b33a2a23f7b765d891414c32b104edb38d40f1ff4496ee6b139f848a777d2131bad1a8744ef0d3a937fecd3529b04e9a388413f6dca38e