Analysis

max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 12:57

Static task: static1
Behavioral task: behavioral1
Sample: 46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe
Resource: win10v2004-20241007-en
General

Target: 46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe
Size: 615KB
MD5: 816b4450c20432e1e2715de09ba5f6af
SHA1: 10ff8f27c0f5a97b8c393c3403abca298aeda33b
SHA256: 46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d
SHA512: cf970d0a45807897306e14c10959f6b0cad55e3dd70f75f8f96d9ce9711918de8361d7b12cfda413cfa2c14f190112025f0341d84910c115bb95d1cc73de507d
SSDEEP: 12288:Py90jz3PvCL9nC1F2c38vJVZEcMNp3ePga6KH6cDEnywfR:Pye3XCLQocoEjda6KacwnhfR
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/files/0x0009000000023c89-12.dat                                   healer
behavioral1/memory/4348-15-0x0000000000800000-0x000000000080A000-memory.dmp   healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description       ioc                                                                                                                    Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                    it260085.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    it260085.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        it260085.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    it260085.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    it260085.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  it260085.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/2488-22-0x0000000002610000-0x000000000264C000-memory.dmp   family_redline
behavioral1/memory/2488-24-0x00000000028D0000-0x000000000290A000-memory.dmp   family_redline
behavioral1/memory/2488-N-0x00000000028D0000-0x0000000002905000-memory.dmp    family_redline
  (33 dumps of the same region in PID 2488, N = 25, 26, 28, 30, 32, 34, 36, 38, 41, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 65, 66, 68, 70, 73, 74, 76, 78, 80, 82, 84, 86, 88)

Redline family
Executes dropped EXE (3 IoCs)
Processes:
pid    Process
4472   zify2259.exe
4348   it260085.exe
2488   jr472365.exe
Windows security modification
Processes:
description       ioc                                                                               Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   it260085.exe
Taken together with the Real-Time Protection policy writes above, it260085.exe is the stage that switches off Defender before the RedLine stage runs. On a host where Tamper Protection is enabled, Defender blocks or ignores these writes, so the sequence is effective mainly on machines where Tamper Protection is off or was never enrolled.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description       ioc                                                                                                                                                                                                              Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   zify2259.exe
Both values are the cleanup entries that WEXTRACT, the IExpress self-extractor, writes for its IXPnnn.TMP extraction directories: at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the directory, and RunOnce then discards the value. They show that the outer two layers are IExpress packages (hence the IXP000.TMP and IXP001.TMP paths in the process tree) and do not re-launch any payload, so they are not persistence for the stealer despite the signature name.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                         Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   zify2259.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jr472365.exe
Opening this key is also routine locale initialisation (it fires here for the IExpress wrappers as well as for the RedLine stage), so on its own it is a low-signal indicator.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid    Process
4348   it260085.exe
4348   it260085.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description               pid    Process
Token: SeDebugPrivilege   4348   it260085.exe
Token: SeDebugPrivilege   2488   jr472365.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                           pid    Process                                                                    procid_target
PID 3512 wrote to memory of 4472      3512   46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe      82
PID 3512 wrote to memory of 4472      3512   46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe      82
PID 3512 wrote to memory of 4472      3512   46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe      82
PID 4472 wrote to memory of 4348      4472   zify2259.exe                                                               83
PID 4472 wrote to memory of 4348      4472   zify2259.exe                                                               83
PID 4472 wrote to memory of 2488      4472   zify2259.exe                                                               93
PID 4472 wrote to memory of 2488      4472   zify2259.exe                                                               93
PID 4472 wrote to memory of 2488      4472   zify2259.exe                                                               93
Every row pairs a process with a child it spawned (3512 to 4472, 4472 to 4348 and 2488, matching the process tree below), which is consistent with process creation rather than injection into an unrelated process.
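Deciding whether a "wrote to memory of" row is ordinary process creation or injection comes down to whether the target sits in the writer's own lineage. The block below is an added example, not code from the sandbox: it rebuilds the parent map from process-creation rows, classifies each write by lineage, and keeps only writes that land outside it. The sample rows are constructed from this report's PIDs; the launcher PID 1000 and the final write into PID 6100 are fabricated for the example and are not something the report shows the sample doing.

```python
"""Classify cross-process memory writes by process lineage.

Added example (not the sandbox's code). A writer that is the target's parent
or ancestor is doing process creation; a write into a process outside the
writer's lineage is the injection pattern worth escalating.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Verdict:
    writer: int
    target: int
    relation: str  # "child", "descendant" or "unrelated"


def relation(parent_of: Dict[int, int], writer: int, target: int) -> str:
    """Walk the target's ancestor chain and report how the writer relates to it."""
    if parent_of.get(target) == writer:
        return "child"
    seen = set()
    p = parent_of.get(target)
    while p is not None and p not in seen:   # guard against cycles from PID reuse
        if p == writer:
            return "descendant"
        seen.add(p)
        p = parent_of.get(p)
    return "unrelated"


def classify(tree: List[Tuple[int, int, str]],
             writes: List[Tuple[int, int]]) -> List[Verdict]:
    """tree rows: (pid, parent pid, image); writes: (writer pid, target pid).

    The sandbox logs one row per write call, so identical pairs are collapsed.
    """
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    return [Verdict(w, t, relation(parent_of, w, t)) for w, t in sorted(set(writes))]


def injections(tree: List[Tuple[int, int, str]],
               writes: List[Tuple[int, int]]) -> List[Verdict]:
    """Only the writes that land outside the writer's lineage."""
    return [v for v in classify(tree, writes) if v.relation == "unrelated"]


# Constructed from the report's process tree: (pid, parent pid, image).
# PID 1000 as the launcher of the top-level sample is an assumption.
SAMPLE_TREE = [
    (3512, 1000, "46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe"),
    (4472, 3512, "zify2259.exe"),
    (4348, 4472, "it260085.exe"),
    (2488, 4472, "jr472365.exe"),
]
# The report's eight write rows, duplicates included, plus one fabricated
# write from the RedLine process into an unrelated PID 6100 for contrast.
SAMPLE_WRITES = ([(3512, 4472)] * 3 + [(4472, 4348)] * 2
                 + [(4472, 2488)] * 3 + [(2488, 6100)])

if __name__ == "__main__":
    for v in classify(SAMPLE_TREE, SAMPLE_WRITES):
        print(f"{v.writer} -> {v.target}: {v.relation}")
```

On the report's own rows the result is three "child" verdicts and nothing to escalate; the fabricated write into 6100 is the only row the `injections()` filter keeps. A sibling write (for instance it260085.exe writing into jr472365.exe) would also come back "unrelated", which is the right outcome, since neither process created the other.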
Processes

1. C:\Users\Admin\AppData\Local\Temp\46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\46b2a5529fce9b1d79828283b6f9c958868a88025d0a6073182379fd8f9eb75d.exe"
   PID: 3512
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zify2259.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zify2259.exe
      PID: 4472
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it260085.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it260085.exe
         PID: 4348
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr472365.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr472365.exe
         PID: 2488
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Both Persistence entries are the two TTPs derived from the "Adds Run key to start application" signature, i.e. the wextract_cleanup RunOnce values, which delete the IExpress extraction directories rather than restart a payload.
Downloads

Filesize: 461KB
MD5: a15f9eb6fb12d6161918e3d5af831c72
SHA1: dee605e3c5a70f7112b29e0dabab311b4912f21d
SHA256: 1f6425fa7905cbb9d04e3e004d427967c5bed80891b1ed7a110db49ea0eda3d6
SHA512: c3277299a7f2a19d9cb8324c0e6d544a1519d29a29d2c4263f75066efaf587563b0f7978082fc8564aa73138f7e03ecf51b0b5c128e7f71a0307c5f0a4928846

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 472KB
MD5: 161aca45b4ce0ba1267d41e86f14490a
SHA1: f7a0c346c354d2e9731948ed1297de840bd00999
SHA256: d8c68abba59f7cbf354ea1931106decac77d5b472af1a9692dfd3b88be4ff65a
SHA512: a38e1ce42e8ff0a3ff5240ec780a70f1c650c91d97a824d7b2f1b2e0e7924b4c31ea3309ffe789efa7f4c327692c7f70f2bbc29f1b9c3daaa733fb12ae975b9b