Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:11
Static task
static1
Behavioral task
behavioral1
Sample
ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe
Resource
win10v2004-20241007-en
General
-
Target
ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe
-
Size
811KB
-
MD5
1a43269c7d4b0c9beae70560946f6eea
-
SHA1
656c07e9a4f39a101e273718793c55e7fbf6903f
-
SHA256
ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165
-
SHA512
d1568d623bca93ba298b53c6be68df9bbc8cd1ba693390d8868fc4bec749bc595529d8f93c26c30d3f9a58697e12e5726e846fc70003f9b3d3f0b1a7f3074c3b
-
SSDEEP
12288:sMr1y90NOi69NI/nQD+xFk3oc9+/RU5dLksGf2lTPOgSGu7mN4WVWhSCjHg:5yOOiJoDGFuocHcfibOL7lWVWhSmHg
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
resource yara_rule behavioral1/files/0x0008000000023cd8-19.dat healer behavioral1/memory/3644-22-0x0000000000A10000-0x0000000000A1A000-memory.dmp healer behavioral1/memory/2400-29-0x0000000002330000-0x000000000234A000-memory.dmp healer behavioral1/memory/2400-31-0x0000000002600000-0x0000000002618000-memory.dmp healer behavioral1/memory/2400-32-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-41-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-59-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-57-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-55-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-53-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-51-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-49-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-47-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-45-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-43-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-39-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-37-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-35-0x0000000002600000-0x0000000002612000-memory.dmp healer behavioral1/memory/2400-33-0x0000000002600000-0x0000000002612000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b8199SX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b8199SX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c35Cv75.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c35Cv75.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c35Cv75.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c35Cv75.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b8199SX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b8199SX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b8199SX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b8199SX.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c35Cv75.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c35Cv75.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/2492-67-0x00000000023C0000-0x0000000002406000-memory.dmp family_redline behavioral1/memory/2492-68-0x0000000004AA0000-0x0000000004AE4000-memory.dmp family_redline behavioral1/memory/2492-70-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-80-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-102-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-100-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-98-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-96-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-92-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-90-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-88-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-86-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-84-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-82-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-78-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-76-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-74-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-72-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-94-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline behavioral1/memory/2492-69-0x0000000004AA0000-0x0000000004ADE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 5 IoCs
pid Process 4044 nice7919.exe 4856 nice3676.exe 3644 b8199SX.exe 2400 c35Cv75.exe 2492 dtenT48.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c35Cv75.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c35Cv75.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b8199SX.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nice7919.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" nice3676.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4656 2400 WerFault.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nice7919.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nice3676.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c35Cv75.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dtenT48.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3644 b8199SX.exe 3644 b8199SX.exe 2400 c35Cv75.exe 2400 c35Cv75.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3644 b8199SX.exe Token: SeDebugPrivilege 2400 c35Cv75.exe Token: SeDebugPrivilege 2492 dtenT48.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3652 wrote to memory of 4044 3652 ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe 85 PID 3652 wrote to memory of 4044 3652 ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe 85 PID 3652 wrote to memory of 4044 3652 ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe 85 PID 4044 wrote to memory of 4856 4044 nice7919.exe 86 PID 4044 wrote to memory of 4856 4044 nice7919.exe 86 PID 4044 wrote to memory of 4856 4044 nice7919.exe 86 PID 4856 wrote to memory of 3644 4856 nice3676.exe 87 PID 4856 wrote to memory of 3644 4856 nice3676.exe 87 PID 4856 wrote to memory of 2400 4856 nice3676.exe 94 PID 4856 wrote to memory of 2400 4856 nice3676.exe 94 PID 4856 wrote to memory of 2400 4856 nice3676.exe 94 PID 4044 wrote to memory of 2492 4044 nice7919.exe 98 PID 4044 wrote to memory of 2492 4044 nice7919.exe 98 PID 4044 wrote to memory of 2492 4044 nice7919.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe"C:\Users\Admin\AppData\Local\Temp\ad959e9c37eb41b7e446dfaec08d4ec1f7b6ba5fdc1169c9cf28f83247308165.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7919.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice7919.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice3676.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice3676.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8199SX.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8199SX.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c35Cv75.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c35Cv75.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 11085⤵
- Program crash
PID:4656
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtenT48.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtenT48.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 24001⤵PID:4956
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
666KB
MD5fb515767b6823875838f7142d7a8082c
SHA1cd8626bf0d36f71896de65bcf6e3b15aa267c62c
SHA25661bbdae159d82e281e7d03809097279e2adb4ffae88cf9344b60b1894f7c4054
SHA5120b2d5c0ec449d0cd4cc1045e802cd738df23427b10e721c30750fd3dcc01c48375aaa2687062bf13cc00b34d46e391314ed2490f1ed034f4021005bb53758556
-
Filesize
308KB
MD5a880c9d7c0d1ccce7f92baa98f475054
SHA1ffab49943604c9d1ba69a176a75a34c0bb64cb4a
SHA256ce706744b980b700a11083d910b9b0edccc29cf1eab2930590b9418837534570
SHA512ccfc8136c4e12ed6aa6b5a58b144696d9fac23a67170ee17945ab1d9f06e795b71b516cf741fb962dec7a5e6c68d7d34a4e1fbb76c1dc4055342fe9ecb0341c6
-
Filesize
333KB
MD5e4fb5f652d32dbe91f08cf8d46d2d14f
SHA1e27f39321663a2fc63d8faf8d176822d49fc7e68
SHA2566b3676523eb407fc888f2563607872b38811fcfb938c1c1162dd148e1bb1df60
SHA5120f2d96b1b3a95d05bcd4f2379421f020aa21f511f8039a88f97be95ccf3cbaf7191b62864f59b09f99134e9f0994ca60373db25dfe8b5ef101b6db2fb594d9da
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
250KB
MD517b24c9cccfd2bf63e5a6b20f296e73f
SHA16be2813510668aab256fcfeae459c183e0ff3087
SHA256509183b383457d2f25575164686a55ac608f58c047fbd77b1dcbef9c8ee11459
SHA5123fd6f33676ff314a2a5594334c9830d306cfe2c03594dc19442fc90702a9d5a8d36ce76eced3dbc511e41fe60ca9110f39b71bb6504d01e3a20784bdc8c8158c