Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2024, 11:36 UTC
Static task
static1
Behavioral task
behavioral1
Sample
3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe
Resource
win10v2004-20241007-en
General
-
Target
3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe
-
Size
484KB
-
MD5
d34c8daec0857501415d1d5c1226dd33
-
SHA1
ebe5f0a615efb5ef3787324539a289571e52344e
-
SHA256
3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc
-
SHA512
fad88abf636e1370ca801dcfd9f707e1e9d91e8b6a325ec7dca62c15d8b2fc1dcf8b452dac971ee893c519365a8fba8762a9af31fc752e71f32be5eabffcca43
-
SSDEEP
12288:WMrsy90Fixx+UxocCDL02Kgr4wsjDMIP65:Oy/FudLqY4lMIP65
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
resource yara_rule behavioral1/files/0x0008000000023c96-12.dat healer behavioral1/memory/3784-15-0x00000000006C0000-0x00000000006CA000-memory.dmp healer behavioral1/memory/2380-22-0x0000000002630000-0x000000000264A000-memory.dmp healer behavioral1/memory/2380-24-0x00000000026F0000-0x0000000002708000-memory.dmp healer behavioral1/memory/2380-25-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-40-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-52-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-50-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-48-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-46-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-44-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-42-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-38-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-36-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-34-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-32-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-30-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-28-0x00000000026F0000-0x0000000002702000-memory.dmp healer behavioral1/memory/2380-26-0x00000000026F0000-0x0000000002702000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" dsV00Jv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" dsV00Jv.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection evf41hu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" evf41hu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" evf41hu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" evf41hu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" evf41hu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection dsV00Jv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" dsV00Jv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" dsV00Jv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" dsV00Jv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" evf41hu.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023c94-57.dat family_redline behavioral1/memory/4988-59-0x0000000000D30000-0x0000000000D62000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 2136 nkT95wm87.exe 3784 dsV00Jv.exe 2380 evf41hu.exe 4988 fSQ37Lf.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features evf41hu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" evf41hu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" dsV00Jv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nkT95wm87.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nkT95wm87.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language evf41hu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fSQ37Lf.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3784 dsV00Jv.exe 3784 dsV00Jv.exe 2380 evf41hu.exe 2380 evf41hu.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3784 dsV00Jv.exe Token: SeDebugPrivilege 2380 evf41hu.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3488 wrote to memory of 2136 3488 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe 83 PID 3488 wrote to memory of 2136 3488 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe 83 PID 3488 wrote to memory of 2136 3488 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe 83 PID 2136 wrote to memory of 3784 2136 nkT95wm87.exe 84 PID 2136 wrote to memory of 3784 2136 nkT95wm87.exe 84 PID 2136 wrote to memory of 2380 2136 nkT95wm87.exe 96 PID 2136 wrote to memory of 2380 2136 nkT95wm87.exe 96 PID 2136 wrote to memory of 2380 2136 nkT95wm87.exe 96 PID 3488 wrote to memory of 4988 3488 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe 97 PID 3488 wrote to memory of 4988 3488 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe 97 PID 3488 wrote to memory of 4988 3488 3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe"C:\Users\Admin\AppData\Local\Temp\3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkT95wm87.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkT95wm87.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsV00Jv.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsV00Jv.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\evf41hu.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\evf41hu.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSQ37Lf.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSQ37Lf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4988
-
Network
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
339KB
MD58f3ba88e26ce640ac201e0478aa4f842
SHA176e2c645a3e4f618b3c369ed6869c1f774c1ec22
SHA256f04f7dc4e9f738994b05e4f0635a579f9b551993b56c459c8d6381da5c1de063
SHA512fd3bfac5beea7b08009ea26abd45110611875bc73f215add40b4f49841fcceb130b5653d05573f99c332788c01d53595af89d6d9b716fe6695dcc1465d030169
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
249KB
MD5566f734554b2800514afb7cfd9d0e541
SHA1e580309b4ce2d38f9ece2a14bb675e8ceb62de73
SHA256dba4c1abdeaa378d90094d0a223d8a670786e7b402654646375e0cdf64103567
SHA512cb2eef0a8ef41ee026672395e1d74fe26ed3da3b89cd2b6a5684caa2501ec1f8a1e7c51359bdb80140d84e2e8259fe5980785703c99fa215aa01c23081855cc2