Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/11/2024, 14:03 UTC
Static task
static1
Behavioral task
behavioral1
Sample
e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe
Resource
win10v2004-20241007-en
General
-
Target
e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe
-
Size
470KB
-
MD5
13b6483961df265f89e61bc3ac782d68
-
SHA1
f0f44612d3c8ccb538088ca2312f1d238d19a03c
-
SHA256
e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2
-
SHA512
2e9bf11b3bcc981c8d9ebeb6caa6b34bc709ce8d289d51921177ecdd71db508bc6a8e2a8245ad679e4193d157327287dbf85002ff2e940d3a6dac8d7c2983bee
-
SSDEEP
12288:KMrly90hL9kqhrzaMGy+EopQb2vbW/D3xkWP5MgO:/yCyaVheeKbWTZ5M5
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/1900-19-0x0000000002900000-0x000000000291A000-memory.dmp healer behavioral1/memory/1900-21-0x0000000002920000-0x0000000002938000-memory.dmp healer behavioral1/memory/1900-47-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-49-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-45-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-43-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-39-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-37-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-35-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-33-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-31-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-30-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-27-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-25-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-23-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-22-0x0000000002920000-0x0000000002932000-memory.dmp healer behavioral1/memory/1900-41-0x0000000002920000-0x0000000002932000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bVn93kC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bVn93kC.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection bVn93kC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bVn93kC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bVn93kC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bVn93kC.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023bd4-58.dat family_redline behavioral1/memory/3456-59-0x0000000000340000-0x0000000000372000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1688 ngp77jj.exe 1900 bVn93kC.exe 3456 dnh61rN.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features bVn93kC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" bVn93kC.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ngp77jj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1236 1900 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngp77jj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bVn93kC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnh61rN.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1900 bVn93kC.exe 1900 bVn93kC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1900 bVn93kC.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1496 wrote to memory of 1688 1496 e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe 84 PID 1496 wrote to memory of 1688 1496 e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe 84 PID 1496 wrote to memory of 1688 1496 e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe 84 PID 1688 wrote to memory of 1900 1688 ngp77jj.exe 85 PID 1688 wrote to memory of 1900 1688 ngp77jj.exe 85 PID 1688 wrote to memory of 1900 1688 ngp77jj.exe 85 PID 1688 wrote to memory of 3456 1688 ngp77jj.exe 95 PID 1688 wrote to memory of 3456 1688 ngp77jj.exe 95 PID 1688 wrote to memory of 3456 1688 ngp77jj.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe"C:\Users\Admin\AppData\Local\Temp\e895a41a1164858f7e0954ef5b45e228740c0dcfad9b0988be654eee7aa835c2.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngp77jj.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngp77jj.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVn93kC.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVn93kC.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 11004⤵
- Program crash
PID:1236
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dnh61rN.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dnh61rN.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3456
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1900 -ip 19001⤵PID:2384
Network
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request76.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
156 B 3
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
76.32.126.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
366KB
MD5057085711414ee62e4a6a31195295809
SHA19c8518ff611f776858647b888efa6b884830532b
SHA256229f42c88cddf25539626d67048366b7f1618d9b177c4973d86baa4bd9d46508
SHA5122c016ada00db8016bfd670b61236acb5583443521fd8432d9209500e8896b625dbd33c9647ee246d22c7d264d02d8801d4420dad0bf05e2b98cdaaba94de38c2
-
Filesize
220KB
MD5fd815ed5f97b5a0c8091f3f8d5125673
SHA18e062e61dc7fb58a3301741aa4c34b259e3e9b25
SHA2567f2e56fcc1d09a924faf8e9fd38f4781aa79d6d895e8d068d093b4201a3f08e7
SHA512e47b639e4692101ea444ee22b99d638c521ae5c5e8f27b16f9c2f335ab3a242bf0deb51f52a9e75ccb40edffa8bbaaa6cf8915ff74e10be79fbd697fe8ee96b7
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2