Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 21:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe
- Resource: win10v2004-20241007-en
General
- Target: ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe
- Size: 480KB
- MD5: 093591ec6acf410dd1a42b34b4a84715
- SHA1: 855df4be29c3f22bc3a3eaf259d44ee03d3848a0
- SHA256: ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85
- SHA512: 5c298fbea41df8c72e8ae00184bf67f1bf0598addc9ef7b16a2e57cd19221d0025cae6702f31b7607e557695f985615f3078f38feb157acc927e569b3178bd8c
- SSDEEP: 12288:yMrry90sOxevasUt+P8evPHO4S/fKMs+ncsNAE04nlK72hHqz:5yBOEvnU1evE/fKycsaE04nkC9qz
Malware Config
Extracted
- Family: redline
- Botnet: mofun
- C2: 217.196.96.101:4132
- Attributes: auth_value = da5d4987d25c2de43d34fcc99b29fff3
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (a5375063.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a5375063.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a5375063.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a5375063.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a5375063.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a5375063.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- behavioral1/files/0x0007000000023c86-54.dat: family_redline
- behavioral1/memory/964-56-0x0000000000700000-0x0000000000730000-memory.dmp: family_redline

Redline family
Executes dropped EXE (3 IoCs)
- PID 4712: v7211583.exe
- PID 2136: a5375063.exe
- PID 964: b2039371.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a5375063.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a5375063.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v7211583.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (v7211583.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a5375063.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b2039371.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2136: a5375063.exe
- PID 2136: a5375063.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2136 (a5375063.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2592 wrote to memory of 4712 (ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe, procid_target 84)
- PID 2592 wrote to memory of 4712 (ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe, procid_target 84)
- PID 2592 wrote to memory of 4712 (ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe, procid_target 84)
- PID 4712 wrote to memory of 2136 (v7211583.exe, procid_target 85)
- PID 4712 wrote to memory of 2136 (v7211583.exe, procid_target 85)
- PID 4712 wrote to memory of 2136 (v7211583.exe, procid_target 85)
- PID 4712 wrote to memory of 964 (v7211583.exe, procid_target 89)
- PID 4712 wrote to memory of 964 (v7211583.exe, procid_target 89)
- PID 4712 wrote to memory of 964 (v7211583.exe, procid_target 89)
Processes
C:\Users\Admin\AppData\Local\Temp\ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef375d83b36df95583d8cfecb23286d3f5ee1020bb5e1dab857553fedcea8b85.exe"
  PID: 2592
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7211583.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7211583.exe
    PID: 4712
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5375063.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5375063.exe
      PID: 2136
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2039371.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2039371.exe
      PID: 964
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 309KB
  MD5: 780444fad2e4f73097eec65b2fb4c6fc
  SHA1: 130a109c3bc0fc9cbb5c092020e8df21d3e11209
  SHA256: 9be46d85ee839c719d355f0ff6c685752d0a7ba068ea2bcdf6b3664c1049b78c
  SHA512: b49cfcc716a2985f62479a2eeae0b8e947e3982e926cc68c5692011faa6b5fd9d45e4f1a507c1ebdb8c2a6408642c6387489c0817b864687f41a22392c6f21c6
- Filesize: 181KB
  MD5: dfc3894bea87e1ae310782034648454a
  SHA1: de630c3434ccefaf90ce2d6f263efb31873b56d9
  SHA256: 51e6d10002c4990bc3cd28db9720eeb761b31a7045e7153fd427199fe00dace3
  SHA512: d000dbd235128cac2c097dd85c77fe2ebfb13b452e4485cad1f5f51e6f35e827e3fdae6db93f04a45968d1932d32e77070f8fc2f8ef3a3eeb4ba9345d3bd8533
- Filesize: 168KB
  MD5: ac496b3f60c042db87072375b9e3fac2
  SHA1: 97a125ebacbf02758f97692a045ad1e03d3a0195
  SHA256: b1495aac5db9666132980bfc9ec9e1c283381377b61651c3974bc92694bc6722
  SHA512: 6de416d4542760524fd7bd11eed297f9c60d0d45f6d304b1a0de653f209fab4cc8d3f111b283e9e6dd0e240223d9d8fb611bde899aec07088b6eccbaca7b2094