Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2024, 13:37 UTC
Static task
static1
Behavioral task
behavioral1
Sample
0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe
Resource
win10v2004-20241007-en
General
-
Target
0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe
-
Size
471KB
-
MD5
30ac4d482a0b5f8a01b7cc320145337f
-
SHA1
c09ef3297574b2ef7397acb696439f611ba8ce93
-
SHA256
0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff
-
SHA512
5898cf00d6b77d2e6c2630be3f9d9f41b015d4bf8d4009e6e57dbf22f858fd94449db525f3f99d2687170663188b4b0d04f622914c3e24d3c8229a91fad36add
-
SSDEEP
12288:9MruAy90bLrVyprtn0kq7Ec3C7A4Subbc77BjHyNbSuWdl+xwhUoG:FAyYrYprtn0XAb7URdHue+xiUoG
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/2276-19-0x0000000002660000-0x000000000267A000-memory.dmp healer behavioral1/memory/2276-21-0x0000000002800000-0x0000000002818000-memory.dmp healer behavioral1/memory/2276-44-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-49-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-47-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-45-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-41-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-37-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-35-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-33-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-31-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-29-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-27-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-23-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-22-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-39-0x0000000002800000-0x0000000002812000-memory.dmp healer behavioral1/memory/2276-25-0x0000000002800000-0x0000000002812000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" byP47fr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" byP47fr.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection byP47fr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" byP47fr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" byP47fr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" byP47fr.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023cb2-58.dat family_redline behavioral1/memory/1636-60-0x0000000000C50000-0x0000000000C82000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4552 nNj71mJ.exe 2276 byP47fr.exe 1636 dMm13Ij.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features byP47fr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" byP47fr.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nNj71mJ.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4572 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4608 2276 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nNj71mJ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byP47fr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dMm13Ij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2276 byP47fr.exe 2276 byP47fr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2276 byP47fr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 448 wrote to memory of 4552 448 0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe 86 PID 448 wrote to memory of 4552 448 0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe 86 PID 448 wrote to memory of 4552 448 0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe 86 PID 4552 wrote to memory of 2276 4552 nNj71mJ.exe 87 PID 4552 wrote to memory of 2276 4552 nNj71mJ.exe 87 PID 4552 wrote to memory of 2276 4552 nNj71mJ.exe 87 PID 4552 wrote to memory of 1636 4552 nNj71mJ.exe 100 PID 4552 wrote to memory of 1636 4552 nNj71mJ.exe 100 PID 4552 wrote to memory of 1636 4552 nNj71mJ.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe"C:\Users\Admin\AppData\Local\Temp\0c4ca8ab6ec588ab54d99e98e16c3a2db703f15904bc5895935144d7f4a460ff.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNj71mJ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNj71mJ.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byP47fr.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byP47fr.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 10804⤵
- Program crash
PID:4608
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMm13Ij.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMm13Ij.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2276 -ip 22761⤵PID:2300
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4572
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
367KB
MD54af34c21370734004856eace239c973f
SHA19e372aa94d170389a33871f48fbb82a495956bdb
SHA2566a1f0125f56660736ac9e332362ee3318c068141595a190d6671bfc7d56098a8
SHA51212889f1f797b9d1310820ed516390cf12128eb64c5bc8ebdfbf7107ae639e0baf48950350e7639ec0a5748fcd53062cd4375921ea8725a72e2e20509aa9b7a0a
-
Filesize
222KB
MD5a9a31ca9a35d8caac2f16e884f5132d9
SHA1a9409333bff25265779546cee60a394f51d3ad62
SHA256422112976d1772dc6cf7a79460e8c72acc4b1d156212b15f2f0e8f84b456e32c
SHA512f330ab56bb96bf541edf4d55e739c5bc4031d2c940091ae01991e4ce4e6a9b3fc0adbe05c5fc09601e8ea44eed5ce5c12b73c85961cb12bdfd5a23ab6cec32ca
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2