Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:18
Static task: static1
Behavioral task: behavioral1
Sample: 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe
Resource: win10v2004-20241007-en
General
Target: 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe
Size: 1.0MB
MD5: 04d4d41c50594ffa30a970708b9f5368
SHA1: f86de3838f1b224f039100a5f0ce1f80835bb28b
SHA256: 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74
SHA512: 2cc1d0c08d829498e3a7ddbac39e450881b5ed3c6026d8d8675b2662a563fd0282ccc2e0b69e89a56d532c6a988c9483a0d74a7c90ad332f915ba72da28e70a6
SSDEEP: 24576:yyZVUSZtmk+FfIdYMF+9E9GlHxnTJPCuPdvLrSMc6HEXv0:ZZ2StL+WdTFyAiRVKuPsMZEX
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
Attributes
auth_value: 93c20961cb6b06b2d5781c212db6201e
Signatures
Detects Healer, an antivirus disabler dropper (19 IoCs)
resource / yara_rule
behavioral1/files/0x000b000000023ba6-26.dat healer
behavioral1/memory/3996-28-0x00000000009D0000-0x00000000009DA000-memory.dmp healer
behavioral1/memory/4544-34-0x0000000007020000-0x000000000703A000-memory.dmp healer
behavioral1/memory/4544-36-0x00000000070A0000-0x00000000070B8000-memory.dmp healer
behavioral1/memory/4544-56-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-64-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-62-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-60-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-58-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-54-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-52-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-50-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-48-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-46-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-44-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-42-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-40-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-38-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
behavioral1/memory/4544-37-0x00000000070A0000-0x00000000070B2000-memory.dmp healer
The file hit is the dropped Healer binary; the memory hits are the two running Healer copies, PID 3996 (mx5308AO.exe) and PID 4544 (ns2024Hr.exe).
Healer family
Modifies Windows Defender Real-time Protection settings (12 IoCs)
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mx5308AO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ns2024Hr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mx5308AO.exe
Note: both Healer copies set the same five Real-Time Protection policy values (the values a GPO would normally set), and the paired "Key created" events show the policy key did not exist on the image until the malware created it. mx5308AO.exe writes the native view of HKLM\SOFTWARE\Policies, while the identical writes by ns2024Hr.exe are recorded under the WOW6432Node view; when hunting for this activity on hosts, query both paths rather than only the native one.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource / yara_rule
behavioral1/memory/2164-72-0x0000000004AC0000-0x0000000004B06000-memory.dmp family_redline
behavioral1/memory/2164-73-0x0000000004CF0000-0x0000000004D34000-memory.dmp family_redline
behavioral1/memory/2164-75-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-107-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-105-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-103-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-101-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-99-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-97-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-95-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-93-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-91-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-89-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-87-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-85-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-83-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-81-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-79-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-77-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
behavioral1/memory/2164-74-0x0000000004CF0000-0x0000000004D2E000-memory.dmp family_redline
All RedLine hits are in PID 2164 (py75kj51.exe); the stealer is the last stage of the chain and is never unpacked to disk under a recognisable name.
Redline family
Executes dropped EXE (6 IoCs)
pid / Process
408 will2184.exe
3288 will3157.exe
2840 will9963.exe
3996 mx5308AO.exe
4544 ns2024Hr.exe
2164 py75kj51.exe
Windows security modification (3 IoCs)
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mx5308AO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ns2024Hr.exe
Note: TamperProtection under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is exactly the setting Tamper Protection guards. With Tamper Protection on, Defender blocks or ignores a direct local write of 0 here and the Real-Time Protection policy values above, so on a managed host these events record an attempt rather than a confirmed disable; on a host without it, the same writes do disable real-time scanning. Either way they are a high-fidelity Healer indicator.
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" will2184.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" will3157.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" will9963.exe
Note: all four RunOnce values are named wextract_cleanup<n> and point rundll32 at advpack.dll,DelNodeRunDLL32 with an IXP00n.TMP directory. That is the standard self-cleanup entry written by the IExpress (wextract) self-extractor: each wrapper (the sample, then will2184.exe, will3157.exe and will9963.exe) registers deletion of its own extraction folder at next logon. Read this as a four-layer nested IExpress dropper chain, not as persistence; no Run or RunOnce value pointing at a payload is recorded in this analysis.
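The three registry tables above (Real-Time Protection policy writes, TamperProtection writes, RunOnce writes) are the rows a detection engineer would want to triage automatically: which process tried to disable Defender, and which RunOnce entries are real autostarts versus IExpress cleanup. The script below is an added example, not part of the sandbox report; the row parser, the category names and the rule thresholds are my own, and the input is the report's rows copied verbatim. It folds the WOW6432Node view into the native path so the 32-bit and 64-bit Healer copies match the same rule.

```python
import re
from collections import Counter, defaultdict

# Registry rows copied verbatim from the three signature tables in the report,
# one "description ioc Process" row per line.
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mx5308AO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ns2024Hr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mx5308AO.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mx5308AO.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features ns2024Hr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ns2024Hr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" will2184.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" will3157.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" will9963.exe
'''.strip().splitlines()

# Row shape assumed from the report: "<op> <path>[ = "<value>"] <process>.exe".
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")? '
    r'(?P<process>\S+\.exe)$'
)

# Rule constants (my own, matching the paths seen in the report).
DEFENDER_RTP = r'\registry\machine\software\policies\microsoft\windows defender\real-time protection'
DEFENDER_FEATURES = r'\registry\machine\software\microsoft\windows defender\features'
IEXPRESS_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\b.*IXP\d{3}\.TMP', re.I)


def parse_event(line):
    """Split one flattened sandbox row into op, type, path, value and process."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f'unparsed event: {line!r}')
    return m.groupdict()


def normalize_path(path):
    """Fold the WOW6432Node view into the native path and lowercase it, so the
    32-bit writer (ns2024Hr.exe) and the 64-bit writer (mx5308AO.exe) compare equal."""
    return re.sub(r'\\wow6432node', '', path, flags=re.IGNORECASE).lower()


def classify(ev):
    """Map one event to a category; unknown rows fall through to 'other'."""
    path = normalize_path(ev['path'])
    value = ev['value'] or ''
    leaf = path.rsplit('\\', 1)[-1]
    if ev['op'] == 'Key created':
        return 'defender_key_created' if 'windows defender' in path else 'key_created'
    if path.startswith(DEFENDER_RTP + '\\') and leaf.startswith('disable') and value == '1':
        return 'defender_rtp_disabled'
    if path == DEFENDER_FEATURES + '\\tamperprotection' and value == '0':
        return 'tamper_protection_off'
    if '\\currentversion\\run\\' in path or '\\currentversion\\runonce\\' in path:
        # IExpress self-cleanup deletes an IXP00n.TMP folder; anything else is a real autostart.
        return 'iexpress_cleanup' if IEXPRESS_CLEANUP.search(value) else 'autostart_persistence'
    return 'other'


def triage(lines):
    """Per-process category counts: {process: {category: n}}."""
    counts = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        counts[ev['process']][classify(ev)] += 1
    return {proc: dict(c) for proc, c in counts.items()}


def verdict(summary):
    """Which processes attacked Defender, and which wrote an autostart that is not IExpress cleanup."""
    disablers = sorted(p for p, c in summary.items()
                       if c.get('defender_rtp_disabled') or c.get('tamper_protection_off'))
    autostart = sorted(p for p, c in summary.items() if c.get('autostart_persistence'))
    return {'defender_disablers': disablers, 'real_autostart': autostart}


if __name__ == '__main__':
    summary = triage(SAMPLE_EVENTS)
    for proc, cats in summary.items():
        print(proc, cats)
    print(verdict(summary))
```

Run as a script it prints five Real-Time Protection writes plus one TamperProtection write for each Healer copy, one iexpress_cleanup entry for each of the four wrappers, and an empty real_autostart list. Feeding it a genuine Run value (for example `...\CurrentVersion\Run\Updater = "C:\\x.exe"`) yields autostart_persistence, which is the case the RunOnce table on this page does not contain.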
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language will2184.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language will3157.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language will9963.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ns2024Hr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language py75kj51.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid / Process
3996 mx5308AO.exe
3996 mx5308AO.exe
4544 ns2024Hr.exe
4544 ns2024Hr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process
Token: SeDebugPrivilege 3996 mx5308AO.exe
Token: SeDebugPrivilege 4544 ns2024Hr.exe
Token: SeDebugPrivilege 2164 py75kj51.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description / pid / Process / procid_target (the trailing number is the sandbox's internal id of the target process, not its PID)
PID 2028 wrote to memory of 408 2028 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe 84
PID 2028 wrote to memory of 408 2028 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe 84
PID 2028 wrote to memory of 408 2028 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe 84
PID 408 wrote to memory of 3288 408 will2184.exe 85
PID 408 wrote to memory of 3288 408 will2184.exe 85
PID 408 wrote to memory of 3288 408 will2184.exe 85
PID 3288 wrote to memory of 2840 3288 will3157.exe 87
PID 3288 wrote to memory of 2840 3288 will3157.exe 87
PID 3288 wrote to memory of 2840 3288 will3157.exe 87
PID 2840 wrote to memory of 3996 2840 will9963.exe 89
PID 2840 wrote to memory of 3996 2840 will9963.exe 89
PID 2840 wrote to memory of 4544 2840 will9963.exe 97
PID 2840 wrote to memory of 4544 2840 will9963.exe 97
PID 2840 wrote to memory of 4544 2840 will9963.exe 97
PID 3288 wrote to memory of 2164 3288 will3157.exe 100
PID 3288 wrote to memory of 2164 3288 will3157.exe 100
PID 3288 wrote to memory of 2164 3288 will3157.exe 100
Every write here targets a process the writer itself just spawned (each parent/child pair appears two or three times), so this is the process-creation path of the IExpress wrappers, not injection into an unrelated process.
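The WriteProcessMemory rows are enough to reconstruct the process tree the report draws below, which is useful when only the flat event list survives in a SIEM export. The script is an added example and not part of the report; it assumes the sandbox's "PID X wrote to memory of Y X image target" row shape, collapses the repeated rows per parent/child pair, and takes the leaf names from the "Executes dropped EXE" table because a process is only named in these rows once it writes into a child of its own.

```python
import re

# The 17 rows of the "Suspicious use of WriteProcessMemory" table, copied verbatim.
WRITE_ROWS = '''
PID 2028 wrote to memory of 408 2028 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe 84
PID 2028 wrote to memory of 408 2028 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe 84
PID 2028 wrote to memory of 408 2028 09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe 84
PID 408 wrote to memory of 3288 408 will2184.exe 85
PID 408 wrote to memory of 3288 408 will2184.exe 85
PID 408 wrote to memory of 3288 408 will2184.exe 85
PID 3288 wrote to memory of 2840 3288 will3157.exe 87
PID 3288 wrote to memory of 2840 3288 will3157.exe 87
PID 3288 wrote to memory of 2840 3288 will3157.exe 87
PID 2840 wrote to memory of 3996 2840 will9963.exe 89
PID 2840 wrote to memory of 3996 2840 will9963.exe 89
PID 2840 wrote to memory of 4544 2840 will9963.exe 97
PID 2840 wrote to memory of 4544 2840 will9963.exe 97
PID 2840 wrote to memory of 4544 2840 will9963.exe 97
PID 3288 wrote to memory of 2164 3288 will3157.exe 100
PID 3288 wrote to memory of 2164 3288 will3157.exe 100
PID 3288 wrote to memory of 2164 3288 will3157.exe 100
'''.strip().splitlines()

# pid -> image, from the "Executes dropped EXE" table; supplies names for the leaves.
DROPPED_EXES = {408: 'will2184.exe', 3288: 'will3157.exe', 2840: 'will9963.exe',
                3996: 'mx5308AO.exe', 4544: 'ns2024Hr.exe', 2164: 'py75kj51.exe'}

# Row shape assumed from the report; the writer pid is repeated before the image name.
ROW_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) '
                    r'(?P<image>\S+) (?P<target>\d+)$')


def parse_writes(rows):
    """Return (edges, names, hits): unique (writer, target) pairs in first-seen order,
    writer pid -> image, and the number of rows behind each pair."""
    hits, names = {}, {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f'unparsed row: {row!r}')
        src, dst = int(m['src']), int(m['dst'])
        names.setdefault(src, m['image'])
        hits[(src, dst)] = hits.get((src, dst), 0) + 1   # dict preserves insertion order
    return list(hits), names, hits


def build_tree(edges):
    """children[pid] -> [child pids], parents[pid] -> parent pid, plus the root pids."""
    children, parents = {}, {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
        parents[dst] = src
    roots = [pid for pid in children if pid not in parents]
    return children, parents, roots


def lineage(pid, parents, names):
    """Image names from the root down to pid, e.g. for an alert on the stealer process."""
    chain = []
    while pid is not None:
        chain.append(names.get(pid, f'pid {pid}'))
        pid = parents.get(pid)
    return chain[::-1]


def render(pid, children, names, level=1):
    """One line per process, indented by depth, matching the report's Processes tree."""
    lines = [f"{'  ' * (level - 1)}{names.get(pid, '?')} (PID {pid}, level {level})"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, names, level + 1))
    return lines


def process_tree(rows=WRITE_ROWS, known=DROPPED_EXES):
    edges, writer_names, _ = parse_writes(rows)
    names = {**known, **writer_names}           # a writer row, if present, wins
    children, parents, roots = build_tree(edges)
    return [line for root in roots for line in render(root, children, names)]


if __name__ == '__main__':
    print('\n'.join(process_tree()))
```

The output is seven lines, one per process, with the two Healer copies at level 5 under will9963.exe and py75kj51.exe at level 4 under will3157.exe, exactly as in the Processes section. A lineage such as `lineage(2164, ...)` gives the full wrapper chain above the RedLine process, which is the string you want in the alert rather than just the leaf image name.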
Processes
C:\Users\Admin\AppData\Local\Temp\09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\09f4b5574f199582a24d3b81007be1c2949c13a4a03a4ffe381b5518235b4d74.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2028
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2184.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2184.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 408
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3157.exe (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3157.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3288
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9963.exe (level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will9963.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2840
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx5308AO.exe (level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx5308AO.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3996
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2024Hr.exe (level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2024Hr.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4544
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py75kj51.exe (level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py75kj51.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2164
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Create or Modify System Process: Windows Service (1)
Note: the only autostart writes recorded above are the IExpress wextract_cleanup RunOnce entries, and no signature on this page shows a service being created, so treat both Persistence mappings as weak for this sample; the strong findings are the Defender policy and TamperProtection tampering by the two Healer processes and the RedLine payload in py75kj51.exe.
Downloads
Filesize: 865KB
MD5: bb285ddf3022763d2862882cb3cc6bec
SHA1: b2a3fef3e1660bdebe111e09f00d6c53e6c46e30
SHA256: 7c93ad2207865d2f6197dcce8c6a314c3c86e5fdfead1f5396fe2966470ae0c2
SHA512: fbbc8111fa63477392ffc56afcda6dd31d6552ee26b50a4822a694c79d7cc57218515e8970a9470089f45cad818a750158f3bdc34936d872495a657a04b62173

Filesize: 721KB
MD5: 7990e9b42f7879f145cc0246fa134701
SHA1: b11cec4c95dff7f27f912098a6b031ff7a62d01b
SHA256: 1aa6285737a529c336dfa53ab8be1402107fb9ec45c51f68b3253fed85082b96
SHA512: 45420b7452f1c973a436112da7ccfc671180df016aba5e41fc40cc1fcd6ada5c51aa2cb52f094b0c95735b6847d89986b19b6d37fe1fe6204a044a703169ac31

Filesize: 391KB
MD5: 926b7196ba04e739f6551a89b0ec0f92
SHA1: 2923d709ceb448b3f6338015788f4868d5378434
SHA256: cef0693d195f66998119d4abce91ba3c681ef3afba2022418354841c4f063388
SHA512: f491f3e696df10fe413164054e91abb5794315bcf7e7e441e51a0d6a608bcdfcccd9f23f01a7ba43c879ee2ec5a6bb38d5a99dbf55915ff8545801b31a30e54b

Filesize: 367KB
MD5: 6de3482b79fa480290e87a1aab50674a
SHA1: 985cd031606b75886fef9de3721c9500ee40ef99
SHA256: f0851059637287cc37fc17736610fb10a884cca2122c658cb23c498d9c0e10f2
SHA512: 37930c3a526e85b2b84c8c5fda74503f1d1c6a1e8a3bd891d1938a37ee40c68bccdc9b9b4b5d70285a3e5ee90dceb38a6c6e27c12d268e6369064f581444cab1

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 371KB
MD5: a0418e7b5aa8369e4d8176b75b0f697a
SHA1: f9c9ad08f40af379f9aadc619d079a968ba67d6f
SHA256: 3abf2d14620dccec6bcd45e2d4a7f43512d8fa30e2d7e9283d15f9f488e63c0c
SHA512: f9da44ccdfda95ee7e33d58bebded494bdcd8614f2cb6d4c839366aae643f10d90698acce52dde2a4ffb519ab7a3fae69ae27195a1f370a4988d3bab7214e574