Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/11/2024, 13:45 UTC
Static task
static1
Behavioral task
behavioral1
Sample
9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe
Resource
win10v2004-20241007-en
General
-
Target
9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe
-
Size
470KB
-
MD5
99301c3ff246ad836f31a4ec102ad972
-
SHA1
20269e57b2105ea4ea3db648897885325fd65bcb
-
SHA256
9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a
-
SHA512
007c1e500b26c8d87fcca541ce7cfc3cec89752b7f40d7c92614886d555f6f8006fb30ca8daa9e5305f8fcc65ce29e196a313e86f7fd0c4691efe4178d254749
-
SSDEEP
12288:jMrly90CvQXDrV1h5kehkbXZgczPJOEZzMV:GyBoXXV1rke+J/hOYu
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1980-19-0x0000000002500000-0x000000000251A000-memory.dmp healer behavioral1/memory/1980-21-0x0000000002700000-0x0000000002718000-memory.dmp healer behavioral1/memory/1980-49-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-47-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-45-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-43-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-41-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-39-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-37-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-35-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-33-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-31-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-29-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-27-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-25-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-23-0x0000000002700000-0x0000000002712000-memory.dmp healer behavioral1/memory/1980-22-0x0000000002700000-0x0000000002712000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection boa39nl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" boa39nl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" boa39nl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" boa39nl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" boa39nl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" boa39nl.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023ce7-58.dat family_redline behavioral1/memory/4900-60-0x0000000000F10000-0x0000000000F42000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3036 nRQ66pQ.exe 1980 boa39nl.exe 4900 dUU07Ot.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features boa39nl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" boa39nl.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nRQ66pQ.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4704 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4140 1980 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nRQ66pQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language boa39nl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dUU07Ot.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1980 boa39nl.exe 1980 boa39nl.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1980 boa39nl.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2148 wrote to memory of 3036 2148 9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe 85 PID 2148 wrote to memory of 3036 2148 9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe 85 PID 2148 wrote to memory of 3036 2148 9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe 85 PID 3036 wrote to memory of 1980 3036 nRQ66pQ.exe 86 PID 3036 wrote to memory of 1980 3036 nRQ66pQ.exe 86 PID 3036 wrote to memory of 1980 3036 nRQ66pQ.exe 86 PID 3036 wrote to memory of 4900 3036 nRQ66pQ.exe 102 PID 3036 wrote to memory of 4900 3036 nRQ66pQ.exe 102 PID 3036 wrote to memory of 4900 3036 nRQ66pQ.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe"C:\Users\Admin\AppData\Local\Temp\9fda643f867efb45dae72af1bbc630b8a21c2e67b949817c696b5f514156b29a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nRQ66pQ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nRQ66pQ.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boa39nl.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\boa39nl.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 11044⤵
- Program crash
PID:4140
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dUU07Ot.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dUU07Ot.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1980 -ip 19801⤵PID:1564
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4704
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request74.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
156 B 3
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
74.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
366KB
MD540a036ed1c863070adcec33b04c79c46
SHA113a639946175817060a4f6add81472d5d11d6aa9
SHA256362309419643d15f283416e0d3653c42d8d81e537d120628e43a3d4db4e3176c
SHA512e04accd13acaa57d144d72ed09de4995748cf765d335b594002715ccd1ecea77ead79ab154c8f8c934178b4bc8f3495ff7b4a4b6decf9392270fa15e27204bb9
-
Filesize
220KB
MD57d71db541ff6151995c7b73304ee17f2
SHA14defdc9e269af4f08e915de5dc319fb2de320a07
SHA2567dc985eb9aa57d698906cc85f11eaf3e8f375c3264b9cef4cebaf4560869444b
SHA5120e3af6fb8ad5648f6ccbc5382a430f27675ceb59352d1a572a8694fb22df46b62a981eda8e010f081020c71027c91a37bdb3d3cf7b9bc944afeb7b3d0f203ced
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2