Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 22:19
Static task
static1
Behavioral task
behavioral1
Sample
9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe
Resource
win10v2004-20241007-en
General
-
Target
9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe
-
Size
470KB
-
MD5
c06546df0e1e0e427f14a9620e78895f
-
SHA1
56885880b2155bae2d2f4e207fcc07e46ddae47d
-
SHA256
9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2
-
SHA512
ea58699ccb827389943490c77ff24721cb3cd5fe23f6a217058ec1968b58ce19fc309d9b2037522773450766ed8eaa4f1ac650841d7b99e95a5f9efa3f46ad62
-
SSDEEP
12288:LMrZy908fUEsueDW9wl5k3FgqiV9Zq1HD50LVsX:mybUd89mk3WqiVrqT0BsX
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/4844-19-0x0000000002540000-0x000000000255A000-memory.dmp healer behavioral1/memory/4844-21-0x0000000002960000-0x0000000002978000-memory.dmp healer behavioral1/memory/4844-31-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-49-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-47-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-45-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-43-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-42-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-39-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-37-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-35-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-33-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-29-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-25-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-22-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-28-0x0000000002960000-0x0000000002972000-memory.dmp healer behavioral1/memory/4844-23-0x0000000002960000-0x0000000002972000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection bgL98Tu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bgL98Tu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bgL98Tu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bgL98Tu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bgL98Tu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bgL98Tu.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b97-59.dat family_redline behavioral1/memory/4952-60-0x0000000000F10000-0x0000000000F42000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1916 nXF05il.exe 4844 bgL98Tu.exe 4952 dER48gB.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features bgL98Tu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" bgL98Tu.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nXF05il.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3180 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3812 4844 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nXF05il.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bgL98Tu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dER48gB.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4844 bgL98Tu.exe 4844 bgL98Tu.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4844 bgL98Tu.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2440 wrote to memory of 1916 2440 9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe 83 PID 2440 wrote to memory of 1916 2440 9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe 83 PID 2440 wrote to memory of 1916 2440 9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe 83 PID 1916 wrote to memory of 4844 1916 nXF05il.exe 84 PID 1916 wrote to memory of 4844 1916 nXF05il.exe 84 PID 1916 wrote to memory of 4844 1916 nXF05il.exe 84 PID 1916 wrote to memory of 4952 1916 nXF05il.exe 95 PID 1916 wrote to memory of 4952 1916 nXF05il.exe 95 PID 1916 wrote to memory of 4952 1916 nXF05il.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe"C:\Users\Admin\AppData\Local\Temp\9dd7ea17c0ca5edcb22654bfe7c78b2c04ab23b1f94aa1fa80e0ef01320fd9b2.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nXF05il.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nXF05il.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bgL98Tu.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bgL98Tu.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 10924⤵
- Program crash
PID:3812
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dER48gB.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dER48gB.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4952
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4844 -ip 48441⤵PID:552
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3180
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
366KB
MD5b8f7e6454f3a642934c0ed2cbf1ee67b
SHA1e529f9c2293a4ba703e4b9efff0b4f35d9884934
SHA256a766ef62b1e154fbce8a05543071f598c9fc8213f147d1c97ea4cf0c8eda020b
SHA51257ab154eac6e75e4b6ba5fec137e89d80e48e2b22563a9578889b99b931cf950a8c68ad9c28585b6273901c24c081ee09d114af94df5edfcc22e93d3b3259806
-
Filesize
220KB
MD5462c4ee3ed98352a8e3f5b8b1b71dfac
SHA153e7780c3e7fe6e8fe288bde903d0774210308cf
SHA2566215b8732177d0f5efec6b7e798416a29a67833258ff60860b79eb618d3808d1
SHA512a0a828bbe9f604d66e83be73f6702cd0601adf01115ff1b7497be32d68dad2ae7c199a43ec0fb2f603dd63012a64a35719b9dfaa2e37e2296ef644219fa77989
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2