Analysis
  max time kernel: 148s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-11-2024 00:41
  Static task: static1
  Behavioral task: behavioral1
    Sample: 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe
    Resource: win10v2004-20241007-en
General
  Target: 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe
  Size: 874KB
  MD5: cf017376abd2d1fe4d7d20b0f98e8d09
  SHA1: ba5165d6be8250b08b97caef3f9974acda27e013
  SHA256: 5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c
  SHA512: 614003915dc82ba9768f6305d82f87444d90042af32ec22f6caa083c4ad0d2d74dc743ff8b69ca6718de9f78c434a6ff532583549b547ae2a7cf45dbc9a43008
  SSDEEP: 12288:cMrpy904BJsLRE91tuKyCz9cN9rST9ySgmFhl5tUR6am8HbhdnlhGj15SPO5ym0M:FyMLRenxjhlf06d8zlhc5BdzVf9
Malware Config
Extracted
  Family: redline
  Botnet: mango
  C2: 193.233.20.28:4125
  auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x000a000000023ad4-19.dat                                   healer
  behavioral1/memory/1668-22-0x0000000000850000-0x000000000085A000-memory.dmp   healer
  behavioral1/memory/1260-29-0x00000000048D0000-0x00000000048EA000-memory.dmp   healer
  behavioral1/memory/1260-31-0x0000000004A30000-0x0000000004A48000-memory.dmp   healer
  behavioral1/memory/1260-57-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-55-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-53-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-51-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-49-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-47-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-45-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-43-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-41-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-39-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-37-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-35-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-33-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-59-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  behavioral1/memory/1260-32-0x0000000004A30000-0x0000000004A42000-memory.dmp   healer
  The file hit is the dropped Healer binary; the memory hits are in PID 1668 (b8597jA.exe) and PID 1260 (c71zH32.exe), the two processes that carry out the Defender changes below.
Healer family

Modifies Windows Defender Real-time Protection settings (12 IoCs)
  Process        Operation         Key / value
  b8597jA.exe    Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  b8597jA.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  b8597jA.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  b8597jA.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  b8597jA.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  b8597jA.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  c71zH32.exe    Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  c71zH32.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  c71zH32.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  c71zH32.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  c71zH32.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  c71zH32.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Both droppers write the same five Real-Time Protection policy values, one through the native registry view and one through the WOW6432Node view. On a host with Tamper Protection enabled, Defender blocks or ignores these policy writes, so the entries record what the sample attempted, not a confirmed effect; the signature heading here is recovered from the per-process labels in the process tree below.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020. It is an information stealer sold as a service that collects browser credentials, cookies, cryptocurrency wallet data and host details and sends them to the C2 named in the extracted config.
-
RedLine payload (20 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1816-67-0x0000000004A60000-0x0000000004AA6000-memory.dmp   family_redline
  behavioral1/memory/1816-68-0x0000000007120000-0x0000000007164000-memory.dmp   family_redline
  behavioral1/memory/1816-92-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-102-0x0000000007120000-0x000000000715E000-memory.dmp  family_redline
  behavioral1/memory/1816-100-0x0000000007120000-0x000000000715E000-memory.dmp  family_redline
  behavioral1/memory/1816-98-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-96-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-94-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-90-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-88-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-86-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-84-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-82-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-80-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-78-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-76-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-74-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-72-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-70-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  behavioral1/memory/1816-69-0x0000000007120000-0x000000000715E000-memory.dmp   family_redline
  All hits are in PID 1816 (dtTkN90.exe), so that process carries the RedLine payload.
Redline family

Executes dropped EXE (5 IoCs)
  pid    Process
  2700   tice3037.exe
  3232   tice2106.exe
  1668   b8597jA.exe
  1260   c71zH32.exe
  1816   dtTkN90.exe
Windows security modification (3 IoCs)
  Process        Operation         Key / value
  c71zH32.exe    Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  c71zH32.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  b8597jA.exe    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
  The signature heading is recovered from the per-process labels in the process tree below. Writing TamperProtection = 0 directly is the classic attempt to switch Tamper Protection off before the Real-Time Protection policy writes; Tamper Protection exists precisely to protect this value, so treat the write as an indicator of intent, not proof that protection was disabled.
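The two signatures above list exactly which Defender values a responder should look for on a suspect host. The following PowerShell audit is an added example, not part of the sandbox report and not the sample's code: it reads the five Real-Time Protection policy values and the TamperProtection value from both the native and WOW6432Node views (the HKLM: paths mirror the report's \REGISTRY\MACHINE\ entries), then compares them with Defender's effective state from Get-MpComputerStatus, because a registry write that Tamper Protection rejected proves intent but not effect. It assumes it runs as Administrator on Windows 10 or later with Microsoft Defender Antivirus present, which is what supplies the Get-Mp* cmdlets.

```powershell
# Added example (not from the sandbox report, not the sample's code):
# audit a live host for the Defender values that b8597jA.exe / c71zH32.exe wrote,
# then show Defender's effective state so the two can be compared.
# Assumes: Administrator, Windows 10+, Microsoft Defender Antivirus installed.

$RtpPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$RtpValueNames = @(
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
    'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable'
)
$FeaturePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
)

# One object per value that matches the report's IoCs:
# Disable* = 1 under the policy keys, TamperProtection = 0 under Features.
function Get-DefenderTamperIndicators {
    $findings = @()
    foreach ($path in $RtpPolicyPaths) {
        if (-not (Test-Path -Path $path)) { continue }   # no policy key at all: nothing to flag
        $props = Get-ItemProperty -Path $path
        foreach ($name in $RtpValueNames) {
            $v = $props.$name
            if ($null -ne $v -and [int]$v -eq 1) {
                $findings += [pscustomobject]@{ Path = $path; Name = $name; Value = $v }
            }
        }
    }
    foreach ($path in $FeaturePaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $v = (Get-ItemProperty -Path $path).TamperProtection
        if ($null -ne $v -and [int]$v -eq 0) {
            $findings += [pscustomobject]@{ Path = $path; Name = 'TamperProtection'; Value = $v }
        }
    }
    return $findings
}

# The registry shows what was written; Defender's own status shows whether it
# took effect (with Tamper Protection on, such writes normally do not).
function Get-DefenderEffectiveState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $s.BehaviorMonitorEnabled
        IoavProtectionEnabled     = $s.IoavProtectionEnabled
        OnAccessProtectionEnabled = $s.OnAccessProtectionEnabled
        IsTamperProtected         = $s.IsTamperProtected
    }
}

$findings = @(Get-DefenderTamperIndicators)
if ($findings.Count -eq 0) {
    Write-Output 'No Healer-style Defender policy values present.'
} else {
    Write-Output "Registry values matching the report's IoCs ($($findings.Count)):"
    $findings | Format-Table -AutoSize
}
Write-Output 'Defender effective state:'
Get-DefenderEffectiveState | Format-List
```

If the audit reports findings, the usual cleanup is to delete the two Real-Time Protection policy keys (they do not exist on an unmanaged host) and re-enable the features with Set-MpPreference, for example Set-MpPreference -DisableRealtimeMonitoring $false; a domain-managed host will re-apply its legitimate policy on the next refresh. Either way the host should be treated as compromised, since the RedLine payload in this chain runs regardless of whether the Defender changes succeeded.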
Adds Run key to start application (2 TTPs, 3 IoCs)
  Process                                                                   Operation         Key / value
  5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe      Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  tice3037.exe                                                              Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  tice2106.exe                                                              Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  These are not persistence entries for the malware. The wextract_cleanupN value name, the IXP00N.TMP directory and the advpack.dll,DelNodeRunDLL32 call are what the Windows IExpress self-extractor (wextract) writes so that its extraction directory is deleted at the next logon; the three entries simply show three nested IExpress layers (the sample, tice3037.exe, tice2106.exe). The RunOnce key is still a useful triage artifact: it points at the temp directories the stages unpacked into.
Program crash (1 IoC)
  pid    Process        pid_target
  4840   WerFault.exe   1260 (c71zH32.exe)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Process                                                                   Operation    Key
  5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  tice3037.exe                                                              Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  tice2106.exe                                                              Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  c71zH32.exe                                                               Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  dtTkN90.exe                                                               Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Reading NLS\Language is also done by ordinary runtime code, so on its own this is a weak indicator; it matters here because it is combined with the Defender changes and the RedLine payload.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  1668   b8597jA.exe
  1668   b8597jA.exe
  1260   c71zH32.exe
  1260   c71zH32.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token               pid    Process
  SeDebugPrivilege    1668   b8597jA.exe
  SeDebugPrivilege    1260   c71zH32.exe
  SeDebugPrivilege    1816   dtTkN90.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  Writer pid   Writer process                                                            Target pid   Target process   Calls
  8            5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe      2700         tice3037.exe     3
  2700         tice3037.exe                                                              3232         tice2106.exe     3
  3232         tice2106.exe                                                              1668         b8597jA.exe      2
  3232         tice2106.exe                                                              1260         c71zH32.exe      3
  2700         tice3037.exe                                                              1816         dtTkN90.exe      3
  Every entry is a parent writing into a child it has just created, matching the process tree exactly; no process wrote into an unrelated process. That is the normal CreateProcess pattern for a self-extractor launching the next stage, not evidence of injection.
Processes
Three nested IExpress stages (IXP000.TMP, IXP001.TMP, IXP002.TMP) unpack the two Healer droppers (b8597jA.exe, c71zH32.exe) and the RedLine payload (dtTkN90.exe); c71zH32.exe crashes and is handled by WerFault.

  C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe  (PID 8)
    command line: "C:\Users\Admin\AppData\Local\Temp\5020fb4ac78166754a595b80274b8ce38d2b14165dff1a2794368dca3612805c.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe  (PID 2700)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3037.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe  (PID 3232)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2106.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe  (PID 1668)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8597jA.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe  (PID 1260)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c71zH32.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe  (PID 4840)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1084
            - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe  (PID 1816)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtTkN90.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe  (PID 4436)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1260 -ip 1260
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
    Create or Modify System Process: Windows Service (1)
Downloads

  Filesize: 729KB
  MD5: 4690e66bf12ff6f4e1008fa73f05e00a
  SHA1: 747225b04df7949d8763905e91cae03349b72a2d
  SHA256: c038930accf215ccd6131b7779c7138e506e313c170abb6cc20d528e306371be
  SHA512: 5f2db42d03181647fb97c52aa8ab8b0da9bd6e976cb217d7dd8e917b422a86e00fb11d972f3d6b06a9664c27272fa72fcf8153cac670cf2b7c280b4ff6a1c61b

  Filesize: 408KB
  MD5: acf946990cce268bab83e423eba360f4
  SHA1: 0d3bdccf0182f0807380473466d5b6b60f193904
  SHA256: 17cd8db80e084509a543f7ec21399d4f9cf9c8906d6890a3db4da80854bf8d27
  SHA512: aed8bd98b0f033d724091419548880c463be734886c8a5e0b8065a66060b350783221049475d0fad4999425d03b8dcc889e7fbff7b9fd3b1575f1745f3e7f4f1

  Filesize: 365KB
  MD5: 3a5820a8fee9833d5b486e60502677f5
  SHA1: 42bc63f25deae86b694bf607230909bff91f3b2d
  SHA256: 17080a59f7489790629c61c70fde514b70ed5cfed705da159d375e96d3b96b82
  SHA512: d618d39bf9990e1554eb9876e9c13d82e74122745c88ac63a0fcbe978be8135375dce5a0666b129f057c34884e8a86300e2afa808cb4ef6384a04022a7d833c6

  Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  Filesize: 351KB
  MD5: ff1800b6e8f9a60395425226a5a76d1c
  SHA1: 0872a5e7a2c25b60df6b1ccceb39d472658ad502
  SHA256: 4fe41b77721fb7a0794c189fa93ad03ad938a6085c77914a0f174b5bc4129ee1
  SHA512: 27585f4743067bc1bfc2dfe048f01779fe10595a52545d6b90e60b67a9fbb0aeb97e75941f4ccd705ba58a96cccc4b00af8c1f3d4d4b5fa8591f62560311911a
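The RunOnce entries in the "Adds Run key to start application" signature and the dropped-file hashes above are the host artifacts this chain leaves behind, so they are what an endpoint sweep should look for. The following PowerShell hunt is an added example, not part of the sandbox report and not the sample's code: it collects wextract_cleanup* / DelNodeRunDLL32 entries from the machine and user RunOnce keys, extracts the IXP directory each one points at, lists every file still present in IXP*.TMP directories under each user's temp folder, and marks files whose SHA256 matches one of the five dropped files listed in this report. It assumes it runs as Administrator and that C:\Users is the profile root; the hash list is copied from the Downloads section above and the directory layout from the report's command lines.

```powershell
# Added example (not from the sandbox report, not the sample's code):
# hunt a live host for the IExpress/wextract artifacts this chain leaves behind
# and match any leftover files against the dropped-file hashes in the report.
# Assumes: Administrator; user profiles live under C:\Users.

# SHA256 of the five dropped files from the report's Downloads section.
$KnownSha256 = @(
    'c038930accf215ccd6131b7779c7138e506e313c170abb6cc20d528e306371be',
    '17cd8db80e084509a543f7ec21399d4f9cf9c8906d6890a3db4da80854bf8d27',
    '17080a59f7489790629c61c70fde514b70ed5cfed705da159d375e96d3b96b82',
    '850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38',
    '4fe41b77721fb7a0794c189fa93ad03ad938a6085c77914a0f174b5bc4129ee1'
)

$RunOncePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# RunOnce cleanup entries: value name wextract_cleanup<N>, data calling
# advpack.dll,DelNodeRunDLL32 on a quoted IXP<NNN>.TMP directory.
function Get-WextractCleanupEntries {
    $hits = @()
    foreach ($path in $RunOncePaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -like 'wextract_cleanup*' -or $data -match 'DelNodeRunDLL32') {
                # The extraction directory is the last quoted argument.
                $dir = if ($data -match '"([^"]+)"\s*$') { $Matches[1] } else { $null }
                $hits += [pscustomobject]@{ Key = $path; Name = $name; TargetDir = $dir; Data = $data }
            }
        }
    }
    return $hits
}

# Files still sitting in %TEMP%\IXP*.TMP for any profile, hashed and compared
# with the report's dropped files (Known = $true means an exact SHA256 match).
function Get-IxpTempFiles {
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue | ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Directory = $dir.FullName
                    File      = $_.Name
                    Size      = $_.Length
                    Created   = $_.CreationTime
                    SHA256    = $hash
                    Known     = ($KnownSha256 -contains $hash)
                }
            }
        }
}

Write-Output '== RunOnce wextract cleanup entries =='
@(Get-WextractCleanupEntries) | Format-Table -AutoSize
Write-Output '== Files left in IXP*.TMP extraction directories =='
@(Get-IxpTempFiles) | Format-Table -AutoSize
```

Read the two tables together: a wextract_cleanup entry on its own is produced by any IExpress package, including legitimate installers, so the RunOnce hit is a pointer, not a verdict. A file in the referenced IXP directory whose hash matches the report, or a directory chain like IXP000.TMP, IXP001.TMP, IXP002.TMP created within seconds of each other, is what confirms this sample ran. If the host has been rebooted since infection, DelNodeRunDLL32 will already have removed the directories and only the registry entries, the Defender changes and the RedLine C2 traffic to 193.233.20.28:4125 remain to pivot on.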