Analysis
-
max time kernel
116s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 19:52
Static task
static1
Behavioral task
behavioral1
Sample
541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe
Resource
win10v2004-20241007-en
General
-
Target
541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe
-
Size
385KB
-
MD5
84b9335fba6769263b80c8eb90c95c00
-
SHA1
4cf4ea7d200e53ee731bf0757ae7efc3b253046e
-
SHA256
541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1
-
SHA512
341d752cad51a3203bda876e6b9dda231c023ce8e2f6c9fa650f57122c812fa1351df58c2a2c118ac14dce2a9788625c1cfb60a7071f19c033f06b1e1a1eec94
-
SSDEEP
6144:8Mp0yN90QEccmITqfL88msJB6Hrpszqvbc9cFACd2q2K9fOwHCWbjQaR3:Oy906gT4D+TzcCFhX2K92T23
Malware Config
Extracted
redline
maxbi
185.161.248.73:4164
-
auth_value
6aa7dba884fe45693dfa04c91440daef
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3272-12-0x0000000002250000-0x000000000226A000-memory.dmp healer behavioral1/memory/3272-14-0x0000000004C60000-0x0000000004C78000-memory.dmp healer behavioral1/memory/3272-34-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-40-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-38-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-36-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-33-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-30-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-29-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-26-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-24-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-42-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-22-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-20-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-18-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-17-0x0000000004C60000-0x0000000004C72000-memory.dmp healer behavioral1/memory/3272-15-0x0000000004C60000-0x0000000004C72000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a92405775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a92405775.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a92405775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a92405775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a92405775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a92405775.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023c90-51.dat family_redline behavioral1/memory/1308-53-0x0000000000D80000-0x0000000000DB0000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 3272 a92405775.exe 1308 b18432150.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a92405775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a92405775.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b18432150.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a92405775.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3272 a92405775.exe 3272 a92405775.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3272 a92405775.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4068 wrote to memory of 3272 4068 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe 84 PID 4068 wrote to memory of 3272 4068 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe 84 PID 4068 wrote to memory of 3272 4068 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe 84 PID 4068 wrote to memory of 1308 4068 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe 91 PID 4068 wrote to memory of 1308 4068 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe 91 PID 4068 wrote to memory of 1308 4068 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe"C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
291KB
MD5ce27553a2a3454e82a427b2a8a7847b8
SHA1572ce8d9daf60ba37132dfef202a22bf1db391e0
SHA25697734c5b3a6cc99d4baaafd1ca3e844e27b35b5c2072b2dd2fc258b3504a5373
SHA512036a00e8a137b9d746573598d4b4d51fe9c5f835abe72af0992261fc96e7a6d575209f4daafdeb6910fffcf7ef85fc10a42957c3d5c25d76b55c5fb31b1fda37
-
Filesize
168KB
MD5df9334955bb2461c384e61f8f8d7a628
SHA18a277eeb18bf974fdd58c5e5825c6779fde6ae51
SHA256827f9a77b86cb4745363cfeb07be2d2ab04149536a4085324289b9de1011bb5e
SHA5120055f0fe6417ff86d1d1ccb4cf8af88e1c481b325366922d1829281d1d3b957a54efaafa12f6fd8249ed96e1985d50f44d9aca8600e9fc2bcb5deec40a28019c