Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:29
Static task: static1
Behavioral task: behavioral1
Sample: 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe
Resource: win10v2004-20241007-en
General
- Target: 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe
- Size: 346KB
- MD5: 1cb0869e637173a124f98955c6700dd6
- SHA1: 5d25dc0fd992a62b96edabfaeb6b06e26cc73298
- SHA256: 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9
- SHA512: f9d26595a5615fde36348742e0768a7f4eb0e6c16fd7b17aeda1be5be0fb7a9a67aef5c123bbbba16a6465c25d1a1cb1ee88a6d7409290ec0b06d85f01e3c8aa
- SSDEEP: 6144:Kqy+bnr+Ip0yN90QEHBHqHNezSycMgyYwfy8sOmmotqaO8hd6Va8lK:mMrwy909BHSTfMgvwkOdYhdYTlK
Malware Config
Extracted
- Family: redline
- Botnet: fuma
- C2: 193.233.20.17:4139
- auth_value: 116ab7335d0316d186d563bd6d41b9dd
Signatures
Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
- behavioral1/files/0x000b000000023b95-11.dat | healer
- behavioral1/memory/1264-15-0x0000000000220000-0x000000000022A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | dMk69dS.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | dMk69dS.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | dMk69dS.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | dMk69dS.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dMk69dS.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | dMk69dS.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
- behavioral1/files/0x000a000000023b96-19.dat | family_redline
- behavioral1/memory/3228-21-0x0000000000F90000-0x0000000000FC2000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
- 3128 | nEe78ER50.exe
- 1264 | dMk69dS.exe
- 3228 | eDh67DH.exe
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | dMk69dS.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nEe78ER50.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nEe78ER50.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eDh67DH.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 1264 | dMk69dS.exe
- 1264 | dMk69dS.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 1264 | dMk69dS.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 1824 wrote to memory of 3128 | 1824 | 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe | 84
- PID 1824 wrote to memory of 3128 | 1824 | 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe | 84
- PID 1824 wrote to memory of 3128 | 1824 | 51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe | 84
- PID 3128 wrote to memory of 1264 | 3128 | nEe78ER50.exe | 85
- PID 3128 wrote to memory of 1264 | 3128 | nEe78ER50.exe | 85
- PID 3128 wrote to memory of 3228 | 3128 | nEe78ER50.exe | 93
- PID 3128 wrote to memory of 3228 | 3128 | nEe78ER50.exe | 93
- PID 3128 wrote to memory of 3228 | 3128 | nEe78ER50.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\51525f7dee72a72882f70eda8e8b2d0a892b38a3253fd533397097686fecdcb9.exe"
  PID: 1824
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nEe78ER50.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nEe78ER50.exe
    PID: 3128
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMk69dS.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMk69dS.exe
      PID: 1264
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eDh67DH.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eDh67DH.exe
      PID: 3228
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 202KB
  MD5: 06593e0e7a93c8c7ac2f7298ecb84975
  SHA1: c12b4a520a4af10d0616e192436e7d5c64901102
  SHA256: 7688bd74da972a7647fffae9818d6aa3b98fbe08d143a7092d3879927b9188e6
  SHA512: 1809d4974d3ce7b9c3e51b9a433b04994b946cd8582bca08b0659d846ca31a14d46cadf417d777f74e0c73145f39856cd4afe89aa8e8b7d42b194544a115677a
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- Filesize: 175KB
  MD5: 49bcfcdf691f7f064efe833bb548f3ee
  SHA1: 5cd584332d71af58865bb1c1b0acd127e8ced7fc
  SHA256: 9c7a3fcd95e07c795991d968f023e251e1b19033acbdeff99a2534ed804b283b
  SHA512: 75f6191c5c4422fee685747c2636b8f38db26e2e3fbb54da78c2b5b16075b9f08bd5a74bac06cd97c32ae3d3ec81f39894a0b51f13f7a7a1b8369125ff007d3c