Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 14:36
Static task: static1
Behavioral task: behavioral1
- Sample: 58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe
- Resource: win10v2004-20241007-en
General
- Target: 58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe
- Size: 863KB
- MD5: f020491797f88c33a8443fd1941d0602
- SHA1: 1bae2a3681ede29c90f53ac8486846a6ed8c7282
- SHA256: 58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b
- SHA512: 2f8fec1e79b062c3ce357b4b620a0555fc21ee69b059a366c0747e34a593993e52dc71652ed18edc07a8c6b5c9ac32c193d19cf07c1281e074f790c699b0ce26
- SSDEEP: 12288:lMrcy906/LsCVoLiZhjVdLM1ZJLGaHz0Xar1z1fJ3BlRMjr6Arsjy/pP6gC3gon:ByNJoLgL8F0X81zdjwTrG+Abnn
Malware Config
Extracted
- Family: redline
- Botnet: dubka
- C2: 193.233.20.13:4136
- auth_value: e5a9421183a033f283b2f23139b471f0
Signatures
Detects Healer an antivirus disabler dropper (17 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (mRp22sf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (mRp22sf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (mRp22sf.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (mRp22sf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (mRp22sf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (mRp22sf.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
- behavioral1/files/0x000a000000023b93-61.dat (yara rule: family_redline)
- behavioral1/memory/4372-63-0x00000000006F0000-0x0000000000722000-memory.dmp (yara rule: family_redline)
Redline family
Executes dropped EXE (4 IoCs)
- PID 2528: dfe5963.exe
- PID 2984: dFo0320.exe
- PID 2892: mRp22sf.exe
- PID 4372: nlI17MF.exe
Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (mRp22sf.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (mRp22sf.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (dfe5963.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (dFo0320.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe)
Program crash (1 IoCs)
- pid 3488 (WerFault.exe), pid_target 2892, procid_target 86
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dfe5963.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dFo0320.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mRp22sf.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nlI17MF.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2892: mRp22sf.exe
- PID 2892: mRp22sf.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 2892: mRp22sf.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3128 wrote to memory of 2528 (3128 58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe, procid_target 84)
- PID 3128 wrote to memory of 2528 (3128 58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe, procid_target 84)
- PID 3128 wrote to memory of 2528 (3128 58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe, procid_target 84)
- PID 2528 wrote to memory of 2984 (2528 dfe5963.exe, procid_target 85)
- PID 2528 wrote to memory of 2984 (2528 dfe5963.exe, procid_target 85)
- PID 2528 wrote to memory of 2984 (2528 dfe5963.exe, procid_target 85)
- PID 2984 wrote to memory of 2892 (2984 dFo0320.exe, procid_target 86)
- PID 2984 wrote to memory of 2892 (2984 dFo0320.exe, procid_target 86)
- PID 2984 wrote to memory of 2892 (2984 dFo0320.exe, procid_target 86)
- PID 2984 wrote to memory of 4372 (2984 dFo0320.exe, procid_target 101)
- PID 2984 wrote to memory of 4372 (2984 dFo0320.exe, procid_target 101)
- PID 2984 wrote to memory of 4372 (2984 dFo0320.exe, procid_target 101)
Processes
- C:\Users\Admin\AppData\Local\Temp\58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe (depth 1, PID 3128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\58bea6624711dc41e8cae53688ccd9f9be49d93948eb6178bb663eed289cc30b.exe"
  Signatures:
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dfe5963.exe (depth 2, PID 2528)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dfe5963.exe
    Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dFo0320.exe (depth 3, PID 2984)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dFo0320.exe
      Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mRp22sf.exe (depth 4, PID 2892)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mRp22sf.exe
        Signatures:
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (depth 5, PID 3488)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1080
          Signatures:
            - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlI17MF.exe (depth 4, PID 4372)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlI17MF.exe
        Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3528)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2892 -ip 2892
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads