Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04/11/2024, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe
Resource
win10v2004-20241007-en
General
-
Target
18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe
-
Size
641KB
-
MD5
65ff91d45f9241a3565ec03e1b8b1076
-
SHA1
068d5ece6d7401a9f1209df1f34051ab6a1854b2
-
SHA256
18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c
-
SHA512
2b4d22b5621f34a3c9c563cb19aa18d608bdd75a7e97bc431ac893b8bad840c0ab03a25de3a339e7b10469075b54878b3e4c3cac610c3b9084640c1767e654bf
-
SSDEEP
12288:dMrUy90DfScl/qyJgBQMKQ4RH+4zo0K1XMC3P:Fy8jl/qyGBUlG7JP
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
Attributes:
  auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer, an antivirus disabler dropper 19 IoCs
resource  yara_rule
behavioral1/files/0x000a000000023bbd-12.dat  healer
behavioral1/memory/4716-15-0x0000000000910000-0x000000000091A000-memory.dmp  healer
behavioral1/memory/316-22-0x0000000002230000-0x000000000224A000-memory.dmp  healer
behavioral1/memory/316-24-0x00000000023E0000-0x00000000023F8000-memory.dmp  healer
behavioral1/memory/316-34-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-52-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-51-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-48-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-46-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-44-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-43-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-40-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-38-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-37-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-32-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-31-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-28-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-26-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
behavioral1/memory/316-25-0x00000000023E0000-0x00000000023F2000-memory.dmp  healer
Healer family
-
Modifies Windows Defender Real-time Protection settings 12 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  b5827EL.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  b5827EL.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  b5827EL.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  b5827EL.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  b5827EL.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  b5827EL.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  c07jS02.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  c07jS02.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  c07jS02.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  c07jS02.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  c07jS02.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  c07jS02.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource  yara_rule
behavioral1/memory/1228-60-0x0000000002400000-0x0000000002446000-memory.dmp  family_redline
behavioral1/memory/1228-61-0x0000000004AB0000-0x0000000004AF4000-memory.dmp  family_redline
behavioral1/memory/1228-62-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-63-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-65-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-67-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-69-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-71-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-73-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-75-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-77-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-79-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-81-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-83-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-85-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-87-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-89-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-91-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-93-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
behavioral1/memory/1228-95-0x0000000004AB0000-0x0000000004AEE000-memory.dmp  family_redline
Redline family
-
Executes dropped EXE 4 IoCs
pid   Process
3688  nice6159.exe
4716  b5827EL.exe
316   c07jS02.exe
1228  doOmh79.exe
Windows security modification 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  b5827EL.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  c07jS02.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  c07jS02.exe
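The two Defender tables above (Real-Time Protection policy values set to 1, then Features\TamperProtection set to 0) are the behaviour a detection should key on, and the report records each write twice: once on the native key from b5827EL.exe and once on the WOW6432Node twin from c07jS02.exe, so a rule that matches only one path misses half the activity. The following is an added example and is not part of the sandbox report or of any Triage tooling. It is a small Python hunt that parses IoC lines in exactly the format shown above, folds the WOW6432Node view onto the native key, and flags any value under the Windows Defender policy key whose name starts with Disable and is set non-zero (a generalisation beyond the five names seen here), plus TamperProtection = 0. The first seven sample lines are copied from the tables; the two trailing lines, the process names setup.exe and gpupdate.exe, and the finding labels are constructed for the example. One caveat a practitioner should keep in mind: Tamper Protection exists precisely to block this sequence, so on a host where it is enabled the write to Features\TamperProtection fails and the real-time protection switches cannot be turned off this way; the writes succeeding in the sandbox say nothing about a hardened endpoint, but the attempt itself is still the signal to alert on.

```python
import re
from collections import defaultdict

# Constructed sample input: the first seven lines are copied from the two
# Defender tables in this report (one dropper writes the native path, the
# other the WOW6432Node twin); the last two lines are made up to show what
# the rules must NOT flag (an unrelated Run value, and a re-enable to "0").
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b5827EL.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b5827EL.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b5827EL.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b5827EL.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c07jS02.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c07jS02.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c07jS02.exe',
    # constructed: unrelated autorun value in the same hive, must not alert
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Tools\\upd.exe" setup.exe',
    # constructed: resetting the policy to 0 re-enables protection, must not alert
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]

# Two line shapes appear in the report tables: "Set value (type) PATH = "DATA" PROCESS"
# and "Key created PATH PROCESS". The process name is always the last token.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')

DEFENDER_POLICY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'
TAMPER_VALUE = r'HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'


def normalize(path):
    """Rewrite the kernel-style REGISTRY/MACHINE prefix as HKLM and fold the
    WOW6432Node view onto the native key, so one rule covers both writers."""
    p = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    p = re.sub(r'^HKLM\\SOFTWARE\\WOW6432Node\\', r'HKLM\\SOFTWARE\\', p, flags=re.I)
    return p


def parse(line):
    """Turn one IoC line into an event dict, or None if it is neither shape."""
    m = SET_RE.match(line)
    if m:
        vtype, path, value, proc = m.groups()
        return {'op': 'set', 'type': vtype, 'path': normalize(path),
                'value': value, 'process': proc}
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        return {'op': 'key', 'type': None, 'path': normalize(path),
                'value': None, 'process': proc}
    return None


def classify(ev):
    """Return a finding label for one parsed event, or None."""
    if ev['op'] != 'set':
        return None                       # key creation alone is not a finding
    key, _, name = ev['path'].rpartition('\\')
    if ev['path'].lower() == TAMPER_VALUE.lower() and ev['value'] == '0':
        return 'tamper_protection_off'
    if (key.lower().startswith(DEFENDER_POLICY.lower())
            and name.lower().startswith('disable')
            and ev['value'] not in ('0', '')):
        return 'defender_policy_disable:' + name
    return None


def hunt(lines):
    """Map process name -> sorted list of distinct findings."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings[ev['process']].add(label)
    return {proc: sorted(labels) for proc, labels in findings.items()}


if __name__ == '__main__':
    for proc, labels in hunt(SAMPLE_LINES).items():
        print(proc, '->', ', '.join(labels))
```

Both droppers come out with the same three findings, which is what you would expect from two builds of the same loader, and the two constructed lines are ignored. The same parse/normalize step works for the Run/RunOnce table further down; only the rule changes.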
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  nice6159.exe
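A caveat on this signature: these two RunOnce values are not persistence of the payload. wextract.exe, the stub of an IExpress self-extracting package, unpacks into %TEMP%\IXP00N.TMP and registers RunOnce\wextract_cleanupN so that rundll32 advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon. Here the submitted sample is one such package (it wrote wextract_cleanup0 for IXP000.TMP) and nice6159.exe, dropped into IXP000.TMP, is a second one nested inside it (wextract_cleanup1 for IXP001.TMP), which matches the process tree below. What the entries do give an analyst is the drop directory of each layer. The following is an added example, not code from the report or from Triage: it parses Run/RunOnce value writes in the table format above, undoes the sandbox's backslash escaping of the value data, separates wextract cleanup entries (and extracts their drop directory) from values that really would start a program at logon. The first two sample lines are copied from the table; the third line, its Updater value name, the upd.exe path and the process name evil.exe are constructed.

```python
import re

# Constructed sample: the two RunOnce writes from the table above, plus one
# made-up Run value that really would launch a program at logon.
SAMPLE = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nice6159.exe',
    # constructed: a genuine autorun entry, to show the other branch
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\upd.exe\" /silent" evil.exe',
]

# "Set value (type) PATH = "DATA" PROCESS": DATA may contain escaped quotes,
# so take everything up to the last quote that precedes the process token.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
# Matches both the native and the WOW6432Node Run/RunOnce keys.
AUTORUN_KEY_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$', re.I)
# The cleanup command wextract.exe writes: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
WEXTRACT_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"\s*$', re.I)


def unescape(s):
    """Undo the sandbox's C-style escaping of value data: a backslash
    followed by any character stands for that character."""
    return re.sub(r'\\(.)', r'\1', s)


def classify_autorun(line):
    """Return a dict describing the autorun write, or None if the line is
    not a Run/RunOnce value write."""
    m = SET_RE.match(line)
    if not m:
        return None
    _vtype, path, raw_value, proc = m.groups()
    k = AUTORUN_KEY_RE.search(path)
    if not k:
        return None
    value = unescape(raw_value)
    w = WEXTRACT_RE.match(value)
    if w:
        # Self-extractor housekeeping: the quoted directory is where this
        # layer unpacked its payload, i.e. where to look for dropped files.
        return {'kind': 'wextract_cleanup', 'key': k.group(1), 'name': k.group(2),
                'drop_dir': w.group(1).rstrip('\\'), 'process': proc}
    return {'kind': 'autorun', 'key': k.group(1), 'name': k.group(2),
            'command': value, 'process': proc}


def drop_dirs(lines):
    """Directories the IExpress layers unpacked into, in table order."""
    return [r['drop_dir'] for r in map(classify_autorun, lines)
            if r and r['kind'] == 'wextract_cleanup']


if __name__ == '__main__':
    for line in SAMPLE:
        print(classify_autorun(line))
    print('drop directories:', drop_dirs(SAMPLE))
```

The two report lines resolve to IXP000.TMP and IXP001.TMP, the same directories the process tree shows the four dropped executables running from; the constructed Run value is reported as a real autorun with its unescaped command line.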
Launches sc.exe 1 IoCs
sc.exe is a Windows utility for controlling services on the system; here it is used to start the Windows Update service (wuauserv), as the process list below shows.
pid   Process
1276  sc.exe
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2648  316         WerFault.exe  95
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nice6159.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c07jS02.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  doOmh79.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
4716  b5827EL.exe
4716  b5827EL.exe
316   c07jS02.exe
316   c07jS02.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description             pid   Process
Token: SeDebugPrivilege  4716  b5827EL.exe
Token: SeDebugPrivilege  316   c07jS02.exe
Token: SeDebugPrivilege  1228  doOmh79.exe
Suspicious use of WriteProcessMemory 11 IoCs
description                        pid   Process                                                                 procid_target
PID 1008 wrote to memory of 3688   1008  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe  86
PID 1008 wrote to memory of 3688   1008  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe  86
PID 1008 wrote to memory of 3688   1008  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe  86
PID 3688 wrote to memory of 4716   3688  nice6159.exe                                                            87
PID 3688 wrote to memory of 4716   3688  nice6159.exe                                                            87
PID 3688 wrote to memory of 316    3688  nice6159.exe                                                            95
PID 3688 wrote to memory of 316    3688  nice6159.exe                                                            95
PID 3688 wrote to memory of 316    3688  nice6159.exe                                                            95
PID 1008 wrote to memory of 1228   1008  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe  99
PID 1008 wrote to memory of 1228   1008  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe  99
PID 1008 wrote to memory of 1228   1008  18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe  99
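The process tree in the next section is the sandbox's rendering of these records: each line says which process wrote into which freshly created child (the same write is logged two or three times per child), and the last column is the sandbox's own record number for the target rather than a PID (PID 316 is record 95 here, exactly as in the Program crash entry). Processes with no such record, WerFault.exe and sc.exe in this run, have no parent in the report and show up at the top level. The following is an added example, not code from the report or from Triage: it rebuilds the tree from the lines above plus the Executes dropped EXE table, collapsing the repeated writes, so the rendering can be reproduced or checked from the raw IoCs. The input is copied from the two tables; the regex and the rendering format are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed input, copied from the "Suspicious use of WriteProcessMemory"
# and "Executes dropped EXE" tables of this report.
WPM_LINES = """
PID 1008 wrote to memory of 3688 1008 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe 86
PID 1008 wrote to memory of 3688 1008 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe 86
PID 1008 wrote to memory of 3688 1008 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe 86
PID 3688 wrote to memory of 4716 3688 nice6159.exe 87
PID 3688 wrote to memory of 4716 3688 nice6159.exe 87
PID 3688 wrote to memory of 316 3688 nice6159.exe 95
PID 3688 wrote to memory of 316 3688 nice6159.exe 95
PID 3688 wrote to memory of 316 3688 nice6159.exe 95
PID 1008 wrote to memory of 1228 1008 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe 99
PID 1008 wrote to memory of 1228 1008 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe 99
PID 1008 wrote to memory of 1228 1008 18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe 99
""".strip().splitlines()

DROPPED_EXE = "3688 nice6159.exe 4716 b5827EL.exe 316 c07jS02.exe 1228 doOmh79.exe"

# Columns: description | pid | Process | procid_target. The backreference \1
# checks that the pid column repeats the writer named in the description.
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')


def build_tree(wpm_lines, dropped_exe):
    """Return (names, children, roots, record_ids) built from the raw rows.

    names      pid -> image name (writers from the WPM rows, children from
               the dropped-EXE table)
    children   parent pid -> child pids in first-seen order, duplicates dropped
    roots      pids that wrote to others but were never written to
    record_ids child pid -> the sandbox's record number (procid_target)
    """
    names, children, record_ids = {}, defaultdict(list), {}
    for line in wpm_lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        parent, child, parent_name, record = m.groups()
        parent, child = int(parent), int(child)
        names.setdefault(parent, parent_name)
        record_ids[child] = int(record)
        if child not in children[parent]:        # collapse the repeated writes
            children[parent].append(child)
    toks = dropped_exe.split()
    for pid, name in zip(toks[0::2], toks[1::2]):
        names.setdefault(int(pid), name)
    is_child = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in is_child]
    return names, children, roots, record_ids


def render(names, children, pids, depth=0):
    """Indented text tree, two spaces per level, parent before children."""
    out = []
    for pid in pids:
        out.append('  ' * depth + f"{names.get(pid, '?')} (PID {pid})")
        out.extend(render(names, children, children.get(pid, []), depth + 1))
    return out


if __name__ == '__main__':
    names, children, roots, record_ids = build_tree(WPM_LINES, DROPPED_EXE)
    print('\n'.join(render(names, children, roots)))
    print('record ids:', record_ids)
```

Eleven rows collapse to four parent/child edges and one root, the submitted sample, with nice6159.exe as the intermediate layer that launches both Healer droppers; doOmh79.exe, the process the RedLine rules fire on, sits directly under the root.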
Processes
-
"C:\Users\Admin\AppData\Local\Temp\18917972f17e74bb6910c95de72949cdaf551bacddc0aba0579dfabd4e52fc2c.exe"  (PID 1008)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice6159.exe  (PID 3688)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5827EL.exe  (PID 4716)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c07jS02.exe  (PID 316)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1088  (PID 2648)
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doOmh79.exe  (PID 1228)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 316 -ip 316  (PID 5044)
C:\Windows\system32\sc.exe start wuauserv  (PID 1276)
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize  297KB
MD5       6a242be8c8b7c9c1cc93f00236a234cb
SHA1      b53912207d240b30ad1654f5647ecbece51d8e86
SHA256    8aac947810208b5b54d5a05f2e1c34e41f9b6a7a905e742de8600802f23d6170
SHA512    2c3f938458874270ea24d4101817b235110a91b01b7fa13bfedff2dc38adaa968c77e0b4c1d9768df0079ddad55a2b4ac84315667d35dea0a4da7c2a6ee3b8a2
-
Filesize  321KB
MD5       c29d9ef557f69e0a16e100f596402da3
SHA1      f3e80ac2409d2481fa89ef4c48dd16c01d908b97
SHA256    b1709d2252b9a0eb8e20d103c41da30383122fa2b17746d32cde1cc61057dd40
SHA512    d0af013f3030e11ca60c72d5d61eeb777e7a0e60ebbf1ad388353b19114267a3ea7038d63a24d0eaddca3fb2ebf4fe3d6e9ca5608af834f9fc4779cae7232a58
-
Filesize  11KB
MD5       7e93bacbbc33e6652e147e7fe07572a0
SHA1      421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize  239KB
MD5       c425d3b147736fe6fd76548da5f32ca2
SHA1      c446a2a201ac9c3f4d713358bf0a9aee92faa987
SHA256    f7f03bb631b3892a6db326ee7263085b8ac83c833903904c74652a47a0480988
SHA512    0ac92da83d464b47474c7d217a4bbfd64afaf9905d28839c5d10f2778d52201b0c93a36dd97c75b551fb77d0b5cf8bbef1d61cd0219ca1e71f45733d40351870