Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 08:59
Static task
static1
Behavioral task
behavioral1
Sample
c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe
Resource
win10v2004-20241007-en
General
-
Target
c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe
-
Size
1.1MB
-
MD5
2d969c73c1d99c6a9a198d6381eb0532
-
SHA1
c2256985a4f08c0766ff290c7c9efa62ca00b782
-
SHA256
c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a
-
SHA512
6268b98d236277b0049c671d4f7f18c8a5b26d5adca89c617ae0cba71ebdf3151af46aac1d371d3ffa063edc903df39446d17c11e59d0d2d0ccb86bf2622a7e1
-
SSDEEP
24576:Wya9L1FwDXXiS0m0qxE9KYiojPccVF47tBHXvoB9uDu3P2OaIBbVhq:lkM7SW0qxwK1ojPccVW7PnhabVh
Malware Config
Extracted
redline
maxbi
185.161.248.73:4164
-
auth_value
6aa7dba884fe45693dfa04c91440daef
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4612-25-0x0000000002370000-0x000000000238A000-memory.dmp healer behavioral1/memory/4612-27-0x00000000024F0000-0x0000000002508000-memory.dmp healer behavioral1/memory/4612-45-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-55-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-53-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-51-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-49-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-47-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-43-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-41-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-39-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-37-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-35-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-31-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-28-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-33-0x00000000024F0000-0x0000000002502000-memory.dmp healer behavioral1/memory/4612-29-0x00000000024F0000-0x0000000002502000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a79350827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a79350827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a79350827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a79350827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a79350827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a79350827.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023cb0-64.dat family_redline behavioral1/memory/372-66-0x0000000000040000-0x0000000000070000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 2560 i30199716.exe 612 i29593467.exe 4612 a79350827.exe 372 b42430628.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a79350827.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a79350827.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" i30199716.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" i29593467.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 804 4612 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a79350827.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b42430628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i30199716.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i29593467.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4612 a79350827.exe 4612 a79350827.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4612 a79350827.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4692 wrote to memory of 2560 4692 c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe 83 PID 4692 wrote to memory of 2560 4692 c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe 83 PID 4692 wrote to memory of 2560 4692 c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe 83 PID 2560 wrote to memory of 612 2560 i30199716.exe 84 PID 2560 wrote to memory of 612 2560 i30199716.exe 84 PID 2560 wrote to memory of 612 2560 i30199716.exe 84 PID 612 wrote to memory of 4612 612 i29593467.exe 85 PID 612 wrote to memory of 4612 612 i29593467.exe 85 PID 612 wrote to memory of 4612 612 i29593467.exe 85 PID 612 wrote to memory of 372 612 i29593467.exe 96 PID 612 wrote to memory of 372 612 i29593467.exe 96 PID 612 wrote to memory of 372 612 i29593467.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe"C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 10965⤵
- Program crash
PID:804
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4612 -ip 46121⤵PID:2116
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
646KB
MD57b10849c090d55ebabec6c88681a58a2
SHA168a0cc7b6c271889be06fcd5887a079b8de65c35
SHA256d22fe2f55fbacc45800db3e805d1787b9816ea08ce0cd302903a41f4ba1c6623
SHA5129fde6fe75a8c2edf0cbd0dadfda027a3b0cd8821d5cc1322caac5e5e6a7cd18489854bc26294ee4447dc1fb9ad2260c2b3cdda7ca599614d3e9f45d57cd8e865
-
Filesize
386KB
MD52ef99d8b78b22f10f0b0c76e833fb278
SHA1f84bb3a9889f03640a37232b71ae9ec0b3042c44
SHA2563f7eed0eb69ec24e1f8623a492088fd566a1fd61e2ae4cfff4f33d7778931586
SHA512a6a9087c85f420df132bbe3b63f3601d46b77b66874298286aa7871bc55515a69dc14b96b60feda718ec70289e286559b293d4c611f59430cdc51103763a0561
-
Filesize
294KB
MD5f1477fec2edbf82cd829e8c8a3c26265
SHA1d8cae5e77c025b4c122b970b7c6d04833e7330cf
SHA256fa314f8240e9d4791a87e35cfb914e28eeb8551d51a005a1c2a0bc757a6d6e25
SHA512d01dc1ae737f28830c823357fbc8cca104f652a2ce4db1338bcd509c4c6051575f7e8468f9aa08ece45da315c71fcb5b20d713d2a2663fa7856d326ec7f03a1d
-
Filesize
168KB
MD517f75b96ee94b0e55b69fdf7f14d6852
SHA14fbbfe42674d6418f70681e55c561f0445f46ac6
SHA25667a207f23396e4c437fb989150f2a55b5452aa82445799a6dd341a1479245739
SHA512497f03f4009a85bf32aa5759b95d8e0ac6f70c639d38d8c7aa7c819f22b938a515452e62e018b732ae1f4b269801755914e9aefc7190f8120413cebc81e064ea