Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 05:06

Static task: static1
Behavioral task: behavioral1
  Sample: 58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe
  Resource: win10v2004-20241007-en
General

Target: 58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe
Size: 875KB
MD5: 011e67821d1e015ebc1517746e81bbeb
SHA1: 14ab21706ff143922825c0b54b8e2de7f3c723de
SHA256: 58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24
SHA512: 98f07fc10740c6a5f30fc15285edd315fa1176bb0d3164c1e2fe99479a866e65432da0e0e4e97edcd89833a92d3185c21acb5e9a25176eb5cbfa7493bffc172e
SSDEEP: 24576:gyYIWvhrorHYmw9N5GCE/uJTdwBDm6S1iPWZds:nYIcUrHYmzCu+dj6SMK
Malware Config

Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
resource (yara_rule):
- behavioral1/files/0x0008000000023cc7-19.dat (healer)
- behavioral1/memory/1380-22-0x0000000000CE0000-0x0000000000CEA000-memory.dmp (healer)
- behavioral1/memory/2408-29-0x0000000004A40000-0x0000000004A5A000-memory.dmp (healer)
- behavioral1/memory/2408-31-0x00000000070C0000-0x00000000070D8000-memory.dmp (healer)
- behavioral1/memory/2408-53-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-59-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-57-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-55-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-51-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-49-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-47-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-45-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-43-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-41-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-39-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-37-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-35-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-33-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)
- behavioral1/memory/2408-32-0x00000000070C0000-0x00000000070D2000-memory.dmp (healer)

Healer family

Modifies Windows Defender Real-time Protection settings (12 IoCs)
description, ioc (Process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (b6112du.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (b6112du.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (b6112du.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (c84Wi05.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (c84Wi05.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (b6112du.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (b6112du.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (c84Wi05.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (c84Wi05.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (c84Wi05.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (b6112du.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (c84Wi05.exe)

Both disablers write the same five Real-Time Protection policy values; b6112du.exe writes the native key and c84Wi05.exe the WOW6432Node (32-bit) view, so a detection should normalise the two paths before de-duplicating. On a host where Tamper Protection is enabled these writes are ignored by Defender, so they evidence intent to disable protection rather than proof that it was disabled.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource (yara_rule):
- behavioral1/memory/4552-67-0x0000000004C20000-0x0000000004C66000-memory.dmp (family_redline)
- behavioral1/memory/4552-68-0x0000000007110000-0x0000000007154000-memory.dmp (family_redline)
- behavioral1/memory/4552-72-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-102-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-101-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-98-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-96-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-94-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-92-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-90-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-88-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-86-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-84-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-82-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-80-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-78-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-76-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-74-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-70-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)
- behavioral1/memory/4552-69-0x0000000007110000-0x000000000714E000-memory.dmp (family_redline)

Redline family

Executes dropped EXE (5 IoCs)
pid, Process:
- 3532 tice9908.exe
- 4144 tice4075.exe
- 1380 b6112du.exe
- 2408 c84Wi05.exe
- 4552 dEChX11.exe

Windows security modification (3 IoCs)
description, ioc (Process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (c84Wi05.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (b6112du.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (c84Wi05.exe)
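The registry writes in the two Defender sections above are the kind of event a detection rule should catch, but a naive rule that matches any write under "Windows Defender" will fire on benign administration and will double-count the native and WOW6432Node views. The following is an added example (not sandbox output and not the malware's code) that parses event lines in the same flattened "Set value (int) <key>\<name> = "<v>" <process>" form the tables above use, normalises the WOW6432Node path, and reports only writes whose value actually weakens Defender: a Real-Time Protection Disable* policy set to 1, or Features\TamperProtection set to 0. The sample event text is constructed from IoCs in this report plus one benign write (a Disable* value set back to 0 by a hypothetical admin_tool.exe) that must not be flagged.

```python
r"""Detection check for Windows Defender tampering via registry writes.

Added example for this report, not sandbox output and not the malware's code.
Input is text in the report's own flattened event form:
    Set value (int) \REGISTRY\MACHINE\...\<name> = "<value>" <process>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Value name -> the setting that weakens Defender. Any other value is ignored,
# so re-enabling writes (Disable* = 0, TamperProtection = 1) are not reported.
DEFENDER_TAMPER: dict[str, int] = {
    "DisableRealtimeMonitoring": 1,
    "DisableOnAccessProtection": 1,
    "DisableScanOnRealtimeEnable": 1,
    "DisableIOAVProtection": 1,
    "DisableBehaviorMonitoring": 1,
    "TamperProtection": 0,
}

# One flattened sandbox "Set value" event; "Key created ..." lines do not match.
SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\[^=]+?) = "(?P<value>[^"]*)" (?P<proc>\S+)'
)


@dataclass(frozen=True, order=True)
class Finding:
    process: str
    value_name: str
    value: int
    key: str  # normalised key (WOW6432Node removed, upper-cased)


def normalize_key(key: str) -> str:
    """Drop the WOW6432Node hop and upper-case so both registry views compare equal."""
    return key.replace("\\WOW6432Node", "").upper()


def find_defender_tampering(text: str) -> list[Finding]:
    """Return de-duplicated findings, sorted by process then value name."""
    findings: set[Finding] = set()
    for m in SET_VALUE_RE.finditer(text):
        key, _, name = m.group("path").rpartition("\\")
        nkey = normalize_key(key)
        if "\\MICROSOFT\\WINDOWS DEFENDER" not in nkey:
            continue  # not a Defender policy or feature key
        if m.group("type") != "int" or name not in DEFENDER_TAMPER:
            continue
        try:
            value = int(m.group("value"))
        except ValueError:
            continue
        if value == DEFENDER_TAMPER[name]:
            findings.add(Finding(m.group("proc"), name, value, nkey))
    return sorted(findings)


def tampering_by_process(text: str) -> dict[str, list[str]]:
    """Group findings as {process: ["Name=value", ...]} for a triage summary."""
    out: dict[str, list[str]] = {}
    for f in find_defender_tampering(text):
        out.setdefault(f.process, []).append(f"{f.value_name}={f.value}")
    return out


# Constructed sample: five events taken from this report's IoC tables plus one
# benign write by a hypothetical admin_tool.exe that must not be reported.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b6112du.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c84Wi05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c84Wi05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c84Wi05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b6112du.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" admin_tool.exe
"""

if __name__ == "__main__":
    for proc, changes in tampering_by_process(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(changes)}")
```

Run against the sample it reports two findings for b6112du.exe and two for c84Wi05.exe and nothing for admin_tool.exe; the same parser can be pointed at the full table text of this report. For live hosts the equivalent data comes from Sysmon Event ID 13 (RegistryEvent value set) rather than sandbox output, and the key normalisation is still needed there because 32-bit writers land under WOW6432Node.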
Adds Run key to start application (2 TTPs, 3 IoCs)
description, ioc (Process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (tice9908.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (tice4075.exe)

All three values are the clean-up entries written by the Windows wextract.exe self-extractor stub (the IExpress/CAB packaging the nested tice*.exe stages use): each runs advpack.dll,DelNodeRunDLL32 once at next logon to delete its own IXPnnn.TMP extraction folder and launches no payload. The RunOnce write is what the signature keys on; it is not an autostart of the stealer, and the numbered suffix reflects the three nesting levels of the package.
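Because the sandbox tags any RunOnce write as persistence, an analyst working through many such reports wants the self-extractor clean-up pattern separated from autostarts that actually launch something. The following is an added example (not sandbox output and not the malware's code) that classifies Run/RunOnce values into "sfx-cleanup" (the wextract pattern above), "delete-on-logon" (a DelNodeRunDLL32 aimed at some other path, worth a look) and "autostart" (real persistence). The first three sample events are the ones from this report with the sandbox's \" and \\ escaping undone; the last two, attributed to a hypothetical example_dropper.exe, are constructed to exercise the other two verdicts.

```python
r"""Triage of Run/RunOnce values: self-extractor clean-up vs real persistence.

Added example for this report, not sandbox output and not the malware's code.
The wextract.exe stub registers RunOnce\wextract_cleanup<N> =
  rundll32.exe <dir>\advpack.dll,DelNodeRunDLL32 "<...>\IXP<nnn>.TMP\"
which deletes its own extraction folder at next logon and launches nothing.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# wextract names its clean-up value wextract_cleanup<N>, N = nesting level.
WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)

# rundll32[.exe] [<dir>\]advpack.dll,DelNodeRunDLL32 "<target>"
DELNODE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\[^,]*\\)?advpack\.dll,DelNodeRunDLL32\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

# The folder wextract unpacks into: %LOCALAPPDATA%\Temp\IXP<nnn>.TMP
IXP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)


class AutostartEvent(NamedTuple):
    process: str  # process that wrote the value
    key: str      # Run, RunOnce or RunOnceEx
    name: str     # value name
    data: str     # value data: the command line that will run


def classify_autostart(name: str, data: str) -> str:
    """Return 'sfx-cleanup', 'delete-on-logon' or 'autostart' for one value."""
    m = DELNODE_RE.match(data.strip())
    if m and WEXTRACT_NAME_RE.match(name) and IXP_DIR_RE.search(m.group("target")):
        return "sfx-cleanup"      # deletes the extraction dir; nothing is launched
    if m:
        return "delete-on-logon"  # DelNodeRunDLL32 against some other path
    return "autostart"            # launches a command at logon: real persistence


def triage(events: list[AutostartEvent]) -> list[tuple[str, str, str]]:
    """(process, value name, verdict) for every event, in input order."""
    return [(e.process, e.name, classify_autostart(e.name, e.data)) for e in events]


def persistence_only(events: list[AutostartEvent]) -> list[AutostartEvent]:
    """Events an analyst must still investigate, i.e. everything but sfx-cleanup."""
    return [e for e in events if classify_autostart(e.name, e.data) != "sfx-cleanup"]


SAMPLE_EVENTS = [
    # From this report (sandbox escaping of \" and \\ undone):
    AutostartEvent("58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe", "RunOnce",
                   "wextract_cleanup0",
                   r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    AutostartEvent("tice9908.exe", "RunOnce", "wextract_cleanup1",
                   r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    AutostartEvent("tice4075.exe", "RunOnce", "wextract_cleanup2",
                   r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    # Constructed, hypothetical events (not from this report):
    AutostartEvent("example_dropper.exe", "Run", "Updater",
                   r'"C:\Users\Admin\AppData\Roaming\Updater\updater.exe"'),
    AutostartEvent("example_dropper.exe", "RunOnce", "cleanup",
                   r'rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Roaming\stage"'),
]

if __name__ == "__main__":
    for process, name, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:16} {name:20} ({process})")
```

The three report entries come back as sfx-cleanup and drop out of persistence_only(); the hypothetical Run\Updater value is the only true autostart, and the DelNodeRunDLL32 against a non-IXP folder is kept as delete-on-logon because a payload using advpack.dll to wipe its own staging directory is still worth recording even though it launches nothing.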
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid, Process:
- 556 sc.exe
Program crash (1 IoC)
pid, pid_target, Process, procid_target:
- 116, 2408, WerFault.exe, 97
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description, ioc (Process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tice4075.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c84Wi05.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dEChX11.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tice9908.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid, Process:
- 1380 b6112du.exe
- 1380 b6112du.exe
- 2408 c84Wi05.exe
- 2408 c84Wi05.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description, pid, Process:
- Token: SeDebugPrivilege, 1380, b6112du.exe
- Token: SeDebugPrivilege, 2408, c84Wi05.exe
- Token: SeDebugPrivilege, 4552, dEChX11.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description, pid, Process, procid_target:
- PID 4416 wrote to memory of 3532 (58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe, procid_target 85), 3 events
- PID 3532 wrote to memory of 4144 (tice9908.exe, procid_target 87), 3 events
- PID 4144 wrote to memory of 1380 (tice4075.exe, procid_target 88), 2 events
- PID 4144 wrote to memory of 2408 (tice4075.exe, procid_target 97), 3 events
- PID 3532 wrote to memory of 4552 (tice9908.exe, procid_target 102), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe (PID 4416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\58de535317ba814adf45ce88ef43a7e121413f1efb5355a2b035f8f2776c0a24.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9908.exe (PID 3532)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9908.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4075.exe (PID 4144)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice4075.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6112du.exe (PID 1380)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6112du.exe
        Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c84Wi05.exe (PID 2408)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c84Wi05.exe
        Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WerFault.exe (PID 116)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1072
          Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dEChX11.exe (PID 4552)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dEChX11.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4212)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2408 -ip 2408
- C:\Windows\system32\sc.exe (PID 556)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  Signatures: Launches sc.exe

The chain is three nested self-extractors (the sample, tice9908.exe, tice4075.exe, each unpacking into its own IXPnnn.TMP folder) ending in two Healer disablers (b6112du.exe, c84Wi05.exe; the latter crashed and was handled by WerFault) and the RedLine payload dEChX11.exe, which is the process whose memory matched the family_redline rules. The WerFault.exe -pss instance and the sc.exe start wuauserv call are top-level processes not attributed to any sample process in this tree.
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 731KB
  MD5: 6c08c80c3e71c323918204b2713ec198
  SHA1: fa2d1e7a832331258e1b076782bb755d3faef9ea
  SHA256: 0a30ad0995f879cb7c5a230398873b2bd79b0ffbca0592bb60c51591a848890c
  SHA512: 461581a471f8b12f80e6bf8c0e92670498b71add0ef6b1efdc4412b7a32f5e795787be1ee8cb1a76046ba3880c9e803cef4b117b9fb53881d2715dd8fc3c4f4b

- Filesize: 409KB
  MD5: 2a370a0ef832c6becb74e6eeb0d1082c
  SHA1: 64c765ba474f978b541ae94e5cd1f3a9485b039a
  SHA256: 1fe95c6c9c8d4f325f11bf4d3f43add34fe132717c0cf9f01336aa37e29e42cc
  SHA512: 625f2c7ec9f0e332ffe6ae911a608616b14073af911bf399f3ee7c90a79d81dfd054c53aee6d9ba34f31bb2346141fd47fb44b1551a3b886237e4b6fbfb67b44

- Filesize: 366KB
  MD5: c2fff1f299fcc9361151f3a49e391bd5
  SHA1: f66f5352049ff8093fe5cea9a7b010d26d253b1a
  SHA256: 51503f32dff7c208feac1b70a82cc68d2010486e1b11cc7c1f7493f3d59cd932
  SHA512: baf64a1dda9f3dfa773d01fe92d7775e9f44c11127f89a730eeca9f6000d956a224a91e13a095fc046e646b7f2c6b912cb6c34e107a86d2033b6a78584caf8de

- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

- Filesize: 351KB
  MD5: 03a59b262b65330dadc5e3818fd8758f
  SHA1: 4ad91a514021ed9d01c2cdaaf7518f5c0c007074
  SHA256: 9b57c0ca74efbac6b9a5a23b4e971aae71fd1563ec24aeefd43c7ab5ad0954e7
  SHA512: 4f39eaad9028a11520f3e5774a2fc3127417b3c15bbf5f13168fc5bdf9b976ce73ba081eefd9b3e0599db0c7b5d7aa1e22e5e06ebfee7fe12adeb6f1afa4bd41