Analysis

max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 01:52

Static task: static1
Behavioral task: behavioral1
Sample: 8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe
Resource: win10v2004-20241007-en
General

Target: 8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe
Size: 569KB
MD5: 708ea47536d313e368916e66e1499c7c
SHA1: 6ef18031f7f5d2ffa575e5435a659a0a27ca84cd
SHA256: 8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850
SHA512: 29a9c6131594cd3a51c7a0ecea16b84ab9177766921bdd089b5f6a3ae30f2484a0c2a2a93b90ff04ab9915b256b43708329e22cb214cdcc0d3aee0566eaa9ad7
SSDEEP: 12288:8y90R4F3Z6H2Mod62y1k8mUOe8HIAY083E:8y3F3Z6dQ6L1kZUOe8HFSU
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule:
  behavioral1/files/0x000b000000023b7a-12.dat  healer
  behavioral1/memory/2232-15-0x0000000000770000-0x000000000077A000-memory.dmp  healer
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description / ioc / Process:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  it321464.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  it321464.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  it321464.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  it321464.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  it321464.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  it321464.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid / Process:
  364   ziQR8111.exe
  2232  it321464.exe
  2016  jr827991.exe
Windows security modification (1 IoC)
description / ioc / Process:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  it321464.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  ziQR8111.exe
Note: wextract_cleanupN RunOnce entries that call advpack.dll DelNodeRunDLL32 on an IXP00N.TMP folder are the standard temp-folder cleanup written by the Windows wextract self-extractor, so on their own they point to the packaging of the sample rather than to a persistence mechanism of the payload.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jr827991.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ziQR8111.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
  2232  it321464.exe
  2232  it321464.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
  Token: SeDebugPrivilege  2232  it321464.exe
  Token: SeDebugPrivilege  2016  jr827991.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target:
  PID 4012 wrote to memory of 364   4012  8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe  83
  PID 4012 wrote to memory of 364   4012  8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe  83
  PID 4012 wrote to memory of 364   4012  8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe  83
  PID 364 wrote to memory of 2232   364   ziQR8111.exe  84
  PID 364 wrote to memory of 2232   364   ziQR8111.exe  84
  PID 364 wrote to memory of 2016   364   ziQR8111.exe  92
  PID 364 wrote to memory of 2016   364   ziQR8111.exe  92
  PID 364 wrote to memory of 2016   364   ziQR8111.exe  92
Processes

1. C:\Users\Admin\AppData\Local\Temp\8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c15502d0695900af97a105f335a12abf4bb2b1ac0dda5219e0689f0585c3850.exe"
   PID: 4012
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQR8111.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQR8111.exe
      PID: 364
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it321464.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it321464.exe
         PID: 2232
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr827991.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr827991.exe
         PID: 2016
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 415KB
MD5: cf7650d1d03a2b586eee4a48ad4ef504
SHA1: 64255f91aab1a10489bdcfd7c00ce32d32910a18
SHA256: 2b176b4cd0797c1bfe4863b742279f66ffc65a65eed8c181a4d303bbcf059dfc
SHA512: 3bd07720dcfcbce41504b822b628cd15c2471e9e98df73e7ed058ed20bd65030de74cb199b6d0cec13a1ffd95c5152a47597689ff509f807f1401b098ca126d5

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 360KB
MD5: dc52f7be6920ff9d540304735031a64e
SHA1: 3a2799a5025593b90419ef47ec7200ccae5e1f00
SHA256: 672baea5f9a5331ce034c6066f9e34b8f116f139082497d865d04b7076b8eeaa
SHA512: 1cd2e6f6087a7d4a602d6709808876a2d9e95a4a70ae25191e700961a3bbb7646fd4efffbb38109bf3af52bc0bd16df811d6b0be6e113d54528a992e563dec1f