Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:25

Static task: static1
Behavioral task: behavioral1
Sample: 7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe
Resource: win10v2004-20241007-en
General

Target: 7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe
Size: 693KB
MD5: 7f324fb5d7febf14003c308e68b21465
SHA1: 7fc5fe515ce585b516d5aeea9b6e40e772e174eb
SHA256: 7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6
SHA512: 1167706e37c93ecc40ea12480c8196f0d1579236ef94f4c8f7cb0cffad38a9cc7781329da47a02eb78221e98c6b0cc8634dab0a43faba0c74c3ba799da513075
SSDEEP: 12288:6MrIy90DDeyywSmKuf+K2+FtBg0wimcgQxDGwEOPa8crbl/EsXaA8:WyUDey2uWb+FtBgomw+Tbl/t8
Malware Config

Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes: (memory dumps of PID 4880, b9449yW.exe)
resource  yara_rule
behavioral1/memory/4880-19-0x00000000022F0000-0x000000000230A000-memory.dmp  healer
behavioral1/memory/4880-21-0x0000000004A70000-0x0000000004A88000-memory.dmp  healer
behavioral1/memory/4880-22-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-47-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-45-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-43-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-41-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-39-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-37-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-36-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-34-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-31-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-29-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-27-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-25-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-23-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer
behavioral1/memory/4880-49-0x0000000004A70000-0x0000000004A82000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings
These are the Group Policy values that switch off the components of Defender's real-time protection; the sample created the policy key itself. The paths sit under WOW6432Node because the 32-bit dropper's writes are redirected by WOW64, so when hunting for these values query both the native and the WOW6432Node view of HKLM\SOFTWARE.
Processes: b9449yW.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  b9449yW.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  b9449yW.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  b9449yW.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  b9449yW.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  b9449yW.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  b9449yW.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Processes: (memory dumps of PID 2780, c79Al04.exe)
resource  yara_rule
behavioral1/memory/2780-60-0x0000000002540000-0x0000000002586000-memory.dmp  family_redline
behavioral1/memory/2780-61-0x0000000004AD0000-0x0000000004B14000-memory.dmp  family_redline
behavioral1/memory/2780-62-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-91-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-93-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-89-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-87-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-85-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-83-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-81-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-79-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-77-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-75-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-73-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-71-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-69-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-67-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-65-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-63-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline
behavioral1/memory/2780-95-0x0000000004AD0000-0x0000000004B0E000-memory.dmp  family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes: nqi9270hJ.exe, b9449yW.exe, c79Al04.exe
pid   process
1596  nqi9270hJ.exe
4880  b9449yW.exe
2780  c79Al04.exe
Windows security modification
Writing TamperProtection = 0 is an attempt to switch Tamper Protection off so that the Real-Time Protection policy values above take effect; the report records the write, not whether Defender honoured it.
Processes: b9449yW.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  b9449yW.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  b9449yW.exe
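The following is an added example, not code from the sandbox or from the sample, that turns the two Defender-related signature tables above (the Real-Time Protection policy writes and the TamperProtection write) into a small detector. It parses registry-write records in the report's own "Set value (type) \REGISTRY\MACHINE\... = "data" process" line format, folds the WOW6432Node view into the native path so 32-bit and 64-bit writes match alike, and only raises a finding when the data written is the value that disables the component (a write of DisableRealtimeMonitoring = "0" is ignored). The verdict strings, the Finding class and the SAMPLE_LINES (the six writes reported for b9449yW.exe plus a constructed control line from a hypothetical gpupdate.exe) are this example's own assumptions; the value names are the real Defender policy values listed in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

RTP = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"SOFTWARE\Microsoft\Windows Defender\Features"

# HKLM-relative value path -> the data that disables the protection component.
DISABLING_VALUES: Dict[str, int] = {
    RTP + r"\DisableBehaviorMonitoring": 1,
    RTP + r"\DisableIOAVProtection": 1,
    RTP + r"\DisableOnAccessProtection": 1,
    RTP + r"\DisableRealtimeMonitoring": 1,
    RTP + r"\DisableScanOnRealtimeEnable": 1,
    FEATURES + r"\TamperProtection": 0,
}
_LOOKUP = {k.lower(): v for k, v in DISABLING_VALUES.items()}

# One "Set value" row of the sandbox report; "Key created" rows do not match.
LINE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\MACHINE\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    process: str
    value_path: str  # normalised, HKLM-relative
    data: int


def normalise(path: str) -> str:
    """Strip the \\REGISTRY\\MACHINE\\ prefix and fold the WOW6432Node view into SOFTWARE\\."""
    p = path
    if p.upper().startswith("\\REGISTRY\\MACHINE\\"):
        p = p[len("\\REGISTRY\\MACHINE\\"):]
    if p.upper().startswith("SOFTWARE\\WOW6432NODE\\"):
        p = "SOFTWARE\\" + p[len("SOFTWARE\\WOW6432NODE\\"):]
    return p


def parse(line: str) -> Optional[Finding]:
    """Return a Finding when the line writes a disabling value to a tracked Defender setting."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        data = int(m["data"])
    except ValueError:
        return None
    vp = normalise(m["path"])
    want = _LOOKUP.get(vp.lower())
    if want is None or data != want:
        return None  # untracked value, or a write that re-enables protection
    return Finding(m["proc"], vp, data)


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(parse, lines) if f is not None]


def verdict(findings: Iterable[Finding]) -> str:
    """Combine findings: real-time policy disabled, tamper protection off, both, or neither."""
    fs = list(findings)
    rtp_off = any(f.value_path.lower().startswith(RTP.lower() + "\\") for f in fs)
    tp_off = any(f.value_path.lower() == (FEATURES + r"\TamperProtection").lower() for f in fs)
    if rtp_off and tp_off:
        return "realtime-protection-disabled+tamper-protection-off"
    if rtp_off or tp_off:
        return "defender-policy-modified"
    return "clean"


# Constructed sample input: the writes reported for b9449yW.exe (PID 4880) in the
# report's format, plus one control line that re-enables monitoring and must not fire.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b9449yW.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b9449yW.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b9449yW.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b9449yW.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b9449yW.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection b9449yW.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features b9449yW.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" b9449yW.exe',
    # control line (constructed, hypothetical process): native path, value re-enabled
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for f in found:
        print(f"{f.process}: {f.value_path} = {f.data}")
    print("verdict:", verdict(found))
```

The same matching works on Sysmon Event ID 13 (RegistryEvent value set) records once the TargetObject and Details fields are joined into the same shape; the one thing to keep is the WOW6432Node folding, otherwise a 32-bit dropper's writes slip past a rule written against the native path.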
Adds Run key to start application (2 TTPs, 2 IoCs)
Both entries are the cleanup hook that the Windows self-extractor (wextract, used by IExpress packages) registers under RunOnce to delete its IXP00n.TMP extraction folder at the next logon through advpack.dll's DelNodeRunDLL32. Together with the IXP000.TMP and IXP001.TMP paths they show that the outer two stages are nested self-extracting packages; they are not a persistence mechanism written by the malware author.
Processes: nqi9270hJ.exe, 7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  nqi9270hJ.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Opening NLS\Language also happens during ordinary runtime initialisation, so on its own this is a weak indicator.
Processes: c79Al04.exe, 7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe, nqi9270hJ.exe, b9449yW.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c79Al04.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nqi9270hJ.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b9449yW.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: b9449yW.exe
pid   process
4880  b9449yW.exe
4880  b9449yW.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: b9449yW.exe, c79Al04.exe
description  pid  process
Token: SeDebugPrivilege  4880  b9449yW.exe
Token: SeDebugPrivilege  2780  c79Al04.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe, nqi9270hJ.exe
description  pid  process  target process
PID 548 wrote to memory of 1596  548  7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe  nqi9270hJ.exe
PID 548 wrote to memory of 1596  548  7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe  nqi9270hJ.exe
PID 548 wrote to memory of 1596  548  7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe  nqi9270hJ.exe
PID 1596 wrote to memory of 4880  1596  nqi9270hJ.exe  b9449yW.exe
PID 1596 wrote to memory of 4880  1596  nqi9270hJ.exe  b9449yW.exe
PID 1596 wrote to memory of 4880  1596  nqi9270hJ.exe  b9449yW.exe
PID 1596 wrote to memory of 2780  1596  nqi9270hJ.exe  c79Al04.exe
PID 1596 wrote to memory of 2780  1596  nqi9270hJ.exe  c79Al04.exe
PID 1596 wrote to memory of 2780  1596  nqi9270hJ.exe  c79Al04.exe
Processes

Two nested self-extracting stages (IXP000.TMP, then IXP001.TMP) unpack to the Healer disabler b9449yW.exe and the RedLine payload c79Al04.exe, both started by nqi9270hJ.exe.

C:\Users\Admin\AppData\Local\Temp\7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe  (PID 548)
  command line: "C:\Users\Admin\AppData\Local\Temp\7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqi9270hJ.exe  (PID 1596)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqi9270hJ.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9449yW.exe  (PID 4880)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9449yW.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c79Al04.exe  (PID 2780)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c79Al04.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
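The process tree above is what you get by joining the "Suspicious use of WriteProcessMemory" rows with the "Executes dropped EXE" table. The following is an added example, not code from the sandbox, that does that join: it parses rows in the report's own "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>" shape, collapses the repeated rows (each child appears three times because several WriteProcessMemory calls are made while a child is being set up), renders the lineage, and checks that every dropped-EXE PID shows up as somebody's child so a gap in the telemetry is noticed. SAMPLE_ROWS and DROPPED are constructed from the tables above; the function names and the output layout are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One row of the "Suspicious use of WriteProcessMemory" table. The back-reference
# (?P=ppid) checks that the pid column really is the writing process.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<parent>\S+) (?P<child>\S+)$"
)

Edge = Tuple[int, int]          # (parent pid, child pid)
Names = Tuple[str, str]         # (parent image, child image)


def parse_edges(rows: Iterable[str]) -> Dict[Edge, Names]:
    """Collapse repeated WriteProcessMemory rows into one parent->child edge each."""
    edges: Dict[Edge, Names] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges[(int(m["ppid"]), int(m["pid"]))] = (m["parent"], m["child"])
    return edges


def render_tree(edges: Dict[Edge, Names]) -> List[str]:
    """Indented lineage, roots first, children in the order they were first written to."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for (ppid, pid), (pname, cname) in edges.items():
        children[ppid].append(pid)
        names.setdefault(ppid, pname)
        names[pid] = cname
    all_children = {pid for pids in children.values() for pid in pids}
    roots = [pid for pid in names if pid not in all_children]

    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append("  " * depth + f"{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def unaccounted_dropped(edges: Dict[Edge, Names], dropped: Dict[int, str]) -> Dict[int, str]:
    """Dropped-EXE PIDs that never appear as a child: a parent we did not observe."""
    seen = {pid for (_, pid) in edges}
    return {pid: name for pid, name in dropped.items() if pid not in seen}


# Constructed from the report's tables.
STAGE0 = "7057c5b820e32ecc3e8a8f07cbc7f7cd93165b00f19ef85c0c6f4556ada1c9b6.exe"
SAMPLE_ROWS = (
    [f"PID 548 wrote to memory of 1596 548 {STAGE0} nqi9270hJ.exe"] * 3
    + ["PID 1596 wrote to memory of 4880 1596 nqi9270hJ.exe b9449yW.exe"] * 3
    + ["PID 1596 wrote to memory of 2780 1596 nqi9270hJ.exe c79Al04.exe"] * 3
)
DROPPED = {1596: "nqi9270hJ.exe", 4880: "b9449yW.exe", 2780: "c79Al04.exe"}

if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print("\n".join(render_tree(edges)))
    print("dropped EXEs with no observed parent:", unaccounted_dropped(edges, DROPPED))
```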
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 548KB
MD5: 7b7054e01004a1fdd70f4035e08fd5c5
SHA1: 260f6a51667cb5e0f388d14eee51656803b2955c
SHA256: 7599e5a93ad768ea55f073927846365ab31d2622a975b42dbfc42b1925848a91
SHA512: af90f8b3e9430ea83a3ff24ccb483cecd9fb6421fe95b2b03664f8430ca0e3da7f140165ffe067359805f6f4792914a6f38dc2d3b4eeabb2115ab84782a83acd

Filesize: 323KB
MD5: ee43881ab62092621b2d2e22a0295878
SHA1: 0339221e3f787602fea6a0541817565d751a293c
SHA256: 2764ed1001c0289c438398b43297206b64e883f65c34eec0418f809392bab22d
SHA512: df6b636d896665a3ec9ee572dc8dcb79169c02316741d9a693d7c09be7ce419e373b1c4d0635c8ecda95e936313750820fb97ee31111a005b334f44ec6112f6c

Filesize: 380KB
MD5: cd30df0759fea97083bdf62f610ec081
SHA1: 864bf5a66a31bf4bd217fa7c5496c9759211da26
SHA256: 7ac406e27ae45f23178785c807d52d6cf2954038e445f33f09b1fc5fa0e78ce0
SHA512: 13491b8f0b4a4c890f741825a8cf5903f857c33503a8f7ce61c543174693c9925f8ceb4847a92a148394d892adf8d9fed095cdac5cdbc9d84302f0f3c620883b