Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/11/2024, 06:50 UTC
Static task
static1
Behavioral task
behavioral1
Sample
39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe
Resource
win10v2004-20241007-en
General
-
Target
39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe
-
Size
470KB
-
MD5
750deaae91e0a128f0c4023dd1a8c754
-
SHA1
8d68148e4618a2b959d80dece49cb83d99eb7f27
-
SHA256
39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5
-
SHA512
0c09a838fd48191690e4a4a586ad37dd358122272d71e6967db4bf4099fb46695daca2515a9c555c29eed3a62c919d12fb6c1423e4a673d052bfc0312f4d73d1
-
SSDEEP
12288:1y90n5IQXsfZeT2mFhiu+Jc/p9xmGdn+ZK:1yCuQtz3RL/yK
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000c000000023b78-5.dat healer behavioral1/memory/4736-8-0x0000000000C20000-0x0000000000C2A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it586781.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it586781.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it586781.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it586781.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it586781.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it586781.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4076-18-0x0000000002650000-0x000000000268C000-memory.dmp family_redline behavioral1/memory/4076-20-0x00000000029E0000-0x0000000002A1A000-memory.dmp family_redline behavioral1/memory/4076-22-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-28-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-84-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-82-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-80-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-78-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-76-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-74-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-72-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-70-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-68-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-66-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-64-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-62-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-60-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-56-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-54-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-52-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-50-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-48-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-46-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-44-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-42-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-40-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-38-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-36-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-32-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-30-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-26-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-24-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-58-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-34-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline behavioral1/memory/4076-21-0x00000000029E0000-0x0000000002A15000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 4736 it586781.exe 4076 jr465971.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it586781.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jr465971.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4736 it586781.exe 4736 it586781.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4736 it586781.exe Token: SeDebugPrivilege 4076 jr465971.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1460 wrote to memory of 4736 1460 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe 83 PID 1460 wrote to memory of 4736 1460 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe 83 PID 1460 wrote to memory of 4076 1460 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe 96 PID 1460 wrote to memory of 4076 1460 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe 96 PID 1460 wrote to memory of 4076 1460 39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe"C:\Users\Admin\AppData\Local\Temp\39ce1c128a0cac71345ccebc8a519f08ffe4ca61ef1cdcf41c162a9562766ed5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it586781.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\it586781.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr465971.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr465971.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
487KB
MD5af86640b636e077f81cd464646692dfb
SHA1509663109a3f89e6d2bbad8e3bd250dcb77ca71c
SHA2560f0398c9110e144a59a68c7a18f8011c952fdd4d5755a50cbf5efc1cb78a0390
SHA512c51e52dbc857f568af8a4f264e2230d59c30cbfa04dcd0b2abdad6c42f41bc5fa664fbb5b1d5d47a20182f72dbd6be1218c54fec667714292040cd3a5714b409