Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:15
Static task
static1
Behavioral task
behavioral1
Sample
ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe
Resource
win10v2004-20241007-en
General
-
Target
ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe
-
Size
793KB
-
MD5
782c902869f8bf2f799e99ec4dd74d2f
-
SHA1
1864341890909927f07875ac5020b8d41c1316b7
-
SHA256
ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63
-
SHA512
c0c46602ab2647d8b232daf3d3a15b34fca2d2c1ae1b723d977b4f16b99fd7802f70b9dab5f7947e9b9a72edb046a7f8913d320bf01e367f3f94731c25bea6f6
-
SSDEEP
24576:0ySGe9uC1h7zngKQk2HV3/oAdTmxCEI0kWV6sX:DSH4C16/kMVPBIa4
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
resource yara_rule behavioral1/files/0x000b000000023b80-19.dat healer behavioral1/memory/1724-22-0x0000000000E50000-0x0000000000E5A000-memory.dmp healer behavioral1/memory/1004-29-0x0000000002370000-0x000000000238A000-memory.dmp healer behavioral1/memory/1004-31-0x0000000002550000-0x0000000002568000-memory.dmp healer behavioral1/memory/1004-32-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-45-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-59-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-57-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-55-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-53-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-51-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-49-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-47-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-43-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-41-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-39-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-37-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-35-0x0000000002550000-0x0000000002562000-memory.dmp healer behavioral1/memory/1004-33-0x0000000002550000-0x0000000002562000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c26QT20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c26QT20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c26QT20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b5572zf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c26QT20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b5572zf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b5572zf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b5572zf.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c26QT20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c26QT20.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b5572zf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b5572zf.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/388-67-0x00000000023C0000-0x0000000002406000-memory.dmp family_redline behavioral1/memory/388-68-0x00000000050B0000-0x00000000050F4000-memory.dmp family_redline behavioral1/memory/388-72-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-78-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-84-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-102-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-100-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-96-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-94-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-92-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-90-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-88-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-86-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-82-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-80-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-76-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-74-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-98-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-70-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline behavioral1/memory/388-69-0x00000000050B0000-0x00000000050EE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 5 IoCs
pid Process 436 tice4526.exe 4460 tice0727.exe 1724 b5572zf.exe 1004 c26QT20.exe 388 dtcAo10.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b5572zf.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c26QT20.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c26QT20.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" tice4526.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" tice0727.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4948 1004 WerFault.exe 98 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tice4526.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tice0727.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c26QT20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dtcAo10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1724 b5572zf.exe 1724 b5572zf.exe 1004 c26QT20.exe 1004 c26QT20.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1724 b5572zf.exe Token: SeDebugPrivilege 1004 c26QT20.exe Token: SeDebugPrivilege 388 dtcAo10.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2224 wrote to memory of 436 2224 ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe 83 PID 2224 wrote to memory of 436 2224 ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe 83 PID 2224 wrote to memory of 436 2224 ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe 83 PID 436 wrote to memory of 4460 436 tice4526.exe 84 PID 436 wrote to memory of 4460 436 tice4526.exe 84 PID 436 wrote to memory of 4460 436 tice4526.exe 84 PID 4460 wrote to memory of 1724 4460 tice0727.exe 85 PID 4460 wrote to memory of 1724 4460 tice0727.exe 85 PID 4460 wrote to memory of 1004 4460 tice0727.exe 98 PID 4460 wrote to memory of 1004 4460 tice0727.exe 98 PID 4460 wrote to memory of 1004 4460 tice0727.exe 98 PID 436 wrote to memory of 388 436 tice4526.exe 103 PID 436 wrote to memory of 388 436 tice4526.exe 103 PID 436 wrote to memory of 388 436 tice4526.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe"C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 10805⤵
- Program crash
PID:4948
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:388
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1004 -ip 10041⤵PID:4796
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648KB
MD5e062e3eeb8f85b20d0b4852bc4bf4945
SHA18daefd95f5df8e09b58b79831258063a94bd6459
SHA256c32220f0fe324a77a4f9c4d3ffb0ab3cc597171fdb8a8f037ee528baa425cb54
SHA51265706f8f17c78fc5c37dc4ea71fa5065d75999f9e2816f4f83b79b6e99e13970a22d84eab3a07ad19028fd6aba5cc80139fc83566329590a18034d2d41fb14b1
-
Filesize
284KB
MD55ee7a56a1b34aadd4f53cc749672f15d
SHA11d25f0427b81e13613f58ec2c4bf19039c9c70c1
SHA2561e3fa5c4b98df0cb2012d04f799222117dc07ed7c1701c5797e43109adb4a5a6
SHA512d5debfd45704d6d0138954d1f21feb0f8c670c23c082b01f064d70463ff26598d346c4e2aae07e221b9563936173baed70ac6e8692e33fbd984e9750ee034341
-
Filesize
324KB
MD56526c98ce8358c6825c1721496e28c87
SHA12840469aea3fd970e95799ab1eea8016ffe3c31d
SHA2562dc495b215aefb3def5ecc0aa065e4a5c1d3041db5d28a6045f71caa4b8337c7
SHA512ad04a620146208027d24208152f61c78b57a1e1628af3c7c0f6758f73113b4af1436191947ebdc257e0d630376f6b25cbf9908db12828d2487f1199cdd8db97c
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
226KB
MD5248ca5ae85884f64cfad2c74f9e1ada1
SHA13c350f649bc5b66c32358d4c6ceb4ec11a200730
SHA25693fe4413c1af875a50fcf48bc90cd342ceeb7712bee66393d24cdbfcf816c151
SHA512ad04559b142b8315420e287f5dba612c46a19a874813a38750af596b3bd908ec0e2af6acab023b55b44a560fd01dd3a6521e171fc1925f30de437d6fd35bd901