Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21-11-2024 20:19
Static task: static1
Behavioral task: behavioral1
Sample: 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe
Resource: win10v2004-20241007-en
General
Target: 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe
Size: 930KB
MD5: 1bc2c34b846c51d3d9efc5a46d930f03
SHA1: 3179920414b803d7410b4d6fc616db70a63e0399
SHA256: 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30
SHA512: 241751a6dc71a7bb253a56dd74d342d1be85a8551ccb7fdf08dff285aff8b78c2c065cc1168bd21b30200987b29a8b92c7d7b180aba8a6773882678a9a6fd526
SSDEEP: 12288:+y90LcDwSIuQKOppkwxgrCCF/yUXUkm6V1FeL32YOUo8H7vbTeXFeH3ZuGmQ:+ysBSI7dFC/ykmwFjCCzM
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b6e-19.dat | healer
behavioral1/memory/4584-22-0x00000000001D0000-0x00000000001DA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | tz5134.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | tz5134.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | tz5134.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | tz5134.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | tz5134.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | tz5134.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1100-29-0x0000000004C80000-0x0000000004CBC000-memory.dmp | family_redline
behavioral1/memory/1100-31-0x0000000004E40000-0x0000000004E7A000-memory.dmp | family_redline
behavioral1/memory/1100-91-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-95-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-93-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-89-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-87-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-85-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-83-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-81-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-77-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-75-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-71-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-67-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-65-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-61-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-57-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-55-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-51-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-49-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-79-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-73-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-69-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-63-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-59-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-53-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-47-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-45-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-43-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-41-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-39-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-37-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-35-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-33-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
behavioral1/memory/1100-32-0x0000000004E40000-0x0000000004E75000-memory.dmp | family_redline
Redline family
Executes dropped EXE (4 IoCs)
pid | Process
3980 | za563488.exe
4964 | za985214.exe
4584 | tz5134.exe
1100 | v0432OF.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | tz5134.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | za985214.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | za563488.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0432OF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | za563488.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | za985214.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4584 | tz5134.exe
4584 | tz5134.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4584 | tz5134.exe
Token: SeDebugPrivilege | 1100 | v0432OF.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2784 wrote to memory of 3980 | 2784 | 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe | 84
PID 2784 wrote to memory of 3980 | 2784 | 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe | 84
PID 2784 wrote to memory of 3980 | 2784 | 1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe | 84
PID 3980 wrote to memory of 4964 | 3980 | za563488.exe | 85
PID 3980 wrote to memory of 4964 | 3980 | za563488.exe | 85
PID 3980 wrote to memory of 4964 | 3980 | za563488.exe | 85
PID 4964 wrote to memory of 4584 | 4964 | za985214.exe | 86
PID 4964 wrote to memory of 4584 | 4964 | za985214.exe | 86
PID 4964 wrote to memory of 1100 | 4964 | za985214.exe | 87
PID 4964 wrote to memory of 1100 | 4964 | za985214.exe | 87
PID 4964 wrote to memory of 1100 | 4964 | za985214.exe | 87
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1d52b7a8f57f98480d1aaaeff720b142b76862bd290160a88c6c666fb9727a30.exe"
  PID: 2784
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za563488.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za563488.exe
    PID: 3980
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za985214.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za985214.exe
      PID: 4964
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tz5134.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tz5134.exe
        PID: 4584
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0432OF.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0432OF.exe
        PID: 1100
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 695KB
MD5: fea15ab434b79b1ad824a290a58e4b8f
SHA1: f9c8d7da3769942be8deb27479a2c654d7731a77
SHA256: 62586c8a4cccda5c47bb2b91923f80701b23213c2bd6a4279c995a429de817fd
SHA512: ace2c9c30fc1ad77df4f40782efc682b775760988dc1925790d0a9fc9a2aa5a05af28b88bbfcab018ff04b3e19332bae37f4083edcd90db8ed41ba7ef0a5cc7b

Filesize: 415KB
MD5: 26958aa2f3e2ffd4c73ccb79f485ec40
SHA1: 4f669ae5ebbf461b47838554498373cb73790925
SHA256: b54330f7e986383c0b62442b040870f93a5e1d7c479f85de321025f508bd92c5
SHA512: 1ba0b7c64198fd03c378b2ec9a1e42520c11b1d510e9e00956a4e3741753efd299d20a7a4c1b9077f42806ad7d60e69aee36081da74c86645a77f3fda8ac0b1b

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 360KB
MD5: c5f8b0cc0f32a61797aedd3a56782d23
SHA1: 6bcca5daa20d1e4407f5b6a8e90c338bd7822e04
SHA256: 7d9a88376430d799a0c42c4834c6f835033db7b3b412379bccbde38cf0b80be0
SHA512: a1ce8dfc98354f471f01a0ba4737e84fb3af38d01b2e9d6bedab4c12cb5efcfb429075c1eaeab2cce0f2595a2b4c8c25c4634324c093695511ae90fa430feee5