Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09-11-2024 13:57
Static task
static1
Behavioral task
behavioral1
Sample
089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe
Resource
win10v2004-20241007-en
General
-
Target
089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe
-
Size
478KB
-
MD5
b2d8db6a33722d4cba42fe1057f571f3
-
SHA1
fea558c889f6ed1026884548a7e340f5455051a1
-
SHA256
089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32
-
SHA512
debb37760f24f8469e1f5822a1f851db44dd81c902b5ec1bd61a71eec41d5e40720d14a5542a47341a20797bd95fa423e1af2f332918ddd83060882b773b8489
-
SSDEEP
12288:RMrLy90pBHDjAGQLOUl74YWaeWZH+y2y8fLWYxe2xdTjr:iySBUOUSzHyOLWNm
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule
behavioral1/memory/4504-19-0x0000000004C80000-0x0000000004C9A000-memory.dmp healer
behavioral1/memory/4504-21-0x00000000052C0000-0x00000000052D8000-memory.dmp healer
behavioral1/memory/4504-33-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-49-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-47-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-45-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-43-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-41-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-39-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-37-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-35-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-31-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-29-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-25-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-23-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-22-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
behavioral1/memory/4504-27-0x00000000052C0000-0x00000000052D2000-memory.dmp healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bST09Ny.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bST09Ny.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bST09Ny.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bST09Ny.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection bST09Ny.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bST09Ny.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule
behavioral1/files/0x0008000000023bf1-58.dat family_redline
behavioral1/memory/5096-60-0x0000000000530000-0x0000000000562000-memory.dmp family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid Process
3208 nVn06sk.exe
4504 bST09Ny.exe
5096 dMM53PP.exe
-
Windows security modification
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features bST09Ny.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" bST09Ny.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nVn06sk.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
4452 sc.exe
-
Program crash 1 IoCs
pid pid_target Process procid_target
4776 4504 WerFault.exe 84
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dMM53PP.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nVn06sk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bST09Ny.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4504 bST09Ny.exe
4504 bST09Ny.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 4504 bST09Ny.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 3220 wrote to memory of 3208 3220 089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe 83
PID 3220 wrote to memory of 3208 3220 089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe 83
PID 3220 wrote to memory of 3208 3220 089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe 83
PID 3208 wrote to memory of 4504 3208 nVn06sk.exe 84
PID 3208 wrote to memory of 4504 3208 nVn06sk.exe 84
PID 3208 wrote to memory of 4504 3208 nVn06sk.exe 84
PID 3208 wrote to memory of 5096 3208 nVn06sk.exe 100
PID 3208 wrote to memory of 5096 3208 nVn06sk.exe 100
PID 3208 wrote to memory of 5096 3208 nVn06sk.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\089b31c2dd81074580b8cc46c75b97bc23be1e2148b0069f79d7699e23785f32.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3220
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVn06sk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVn06sk.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3208
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bST09Ny.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bST09Ny.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:4504
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1084
              - Program crash
              PID:4776
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMM53PP.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dMM53PP.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:5096
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4504 -ip 4504
  PID:2592
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID:4452
Network
-
Remote address: 8.8.8.8:53  Request: 154.239.44.20.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 69.31.126.40.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 172.214.232.199.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 95.221.229.192.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 50.23.12.20.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 241.42.69.40.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 232.168.11.51.in-addr.arpa IN PTR  Response: (none)
-
Remote address: 8.8.8.8:53  Request: 19.229.111.52.in-addr.arpa IN PTR  Response: (none)
-
Other flows (size and packet count as recorded; no request detail captured):
260 B 5
260 B 5
260 B 5
260 B 5
260 B 5
156 B 3
-
DNS flows (bytes sent, bytes received, packets sent, packets received, request):
72 B 158 B 1 1  DNS Request 154.239.44.20.in-addr.arpa
71 B 157 B 1 1  DNS Request 69.31.126.40.in-addr.arpa
74 B 128 B 1 1  DNS Request 172.214.232.199.in-addr.arpa
73 B 144 B 1 1  DNS Request 95.221.229.192.in-addr.arpa
70 B 156 B 1 1  DNS Request 50.23.12.20.in-addr.arpa
71 B 145 B 1 1  DNS Request 241.42.69.40.in-addr.arpa
72 B 158 B 1 1  DNS Request 232.168.11.51.in-addr.arpa
72 B 158 B 1 1  DNS Request 19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
-
Filesize 374KB
MD5 ebd8a896d3cf30bf44504e71cff5010c
SHA1 2aeb8337a175f33dc649fc57966cea8782801aa0
SHA256 a64003b62a73222c7e31b13813dbc26bcff3fdb878f684dda22f8f44df2c068c
SHA512 cef59eca1377f456c571db525cb672def3c5ec473a4c606dfa1249b760b4e63c53f07aaf787cb03bf3dfd9ee22b45d311943c67be083677b8fb35a23402d2336
-
Filesize 235KB
MD5 760791b22909e7d142a6c97e4aa18476
SHA1 912f22fb3409888fda2e71d7868242bad21681e2
SHA256 30a7dd0b713c452b66bbe4dbde9f345919d3fb2b8fdbd0b2afe00c0913dd4c2d
SHA512 415657cf57d4a74e8a221939a091b9ad87aad4ccd55d8667d8bfdd5b8a93a02ab359543a7ff936fdc866be5a39f0b4b73822f385dc9000d1a97a9d5f117a156e
-
Filesize 175KB
MD5 a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA1 3d06413341893b838549939e15f8f1eec423d71a
SHA256 1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512 d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2