Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:42
Static task: static1
Behavioral task: behavioral1
Sample: c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe
Resource: win10v2004-20241007-en
General
Target: c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe
Size: 794KB
MD5: c08d08f43078b4bce7aa493bc8f89882
SHA1: 02280d62514279ccbf1125c5f8ca91f3541c1fab
SHA256: c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1
SHA512: c488936804f01fea806c6220fa12dfcf21b952492532f126ed3468086b5ec62c5515424469962fef7e3831c3f8d1d579eeb1fa36991158242290b0715fded11f
SSDEEP: 12288:wMrRy90fGXKDTwCEwpLFZMRZKemIKqzWezvAAJxcZy5g0cYXbVFhrPC+bm4:xywG6DTwCEC3Sr7z45ugVu5a+T
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
Attributes
auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
resource  yara_rule
behavioral1/files/0x000b000000023b68-19.dat  healer
behavioral1/memory/2672-22-0x0000000000DD0000-0x0000000000DDA000-memory.dmp  healer
behavioral1/memory/3672-29-0x0000000002370000-0x000000000238A000-memory.dmp  healer
behavioral1/memory/3672-31-0x0000000004A60000-0x0000000004A78000-memory.dmp  healer
behavioral1/memory/3672-32-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-33-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-35-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-37-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-39-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-41-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-43-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-45-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-47-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-49-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-51-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-53-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-55-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-57-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
behavioral1/memory/3672-59-0x0000000004A60000-0x0000000004A72000-memory.dmp  healer
The one file hit is the dropped Healer binary on disk. The memory hits come from both droppers: one dump of PID 2672 (b4510QO.exe) and 17 dumps of PID 3672 (c62ya65.exe), the latter being repeated snapshots of the same two regions (0x2370000 and 0x4A60000) rather than 17 distinct payloads, so the IoC count overstates the number of artefacts.

Healer family

Modifies Windows Defender Real-time Protection settings (12 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  b4510QO.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  b4510QO.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  b4510QO.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  b4510QO.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  b4510QO.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  b4510QO.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  c62ya65.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  c62ya65.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  c62ya65.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  c62ya65.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  c62ya65.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  c62ya65.exe
Both droppers write the same five Real-Time Protection policy values: b4510QO.exe through the native path and c62ya65.exe through the WOW6432Node view (c62ya65.exe is a 32-bit image, which is also why its crash is handled by C:\Windows\SysWOW64\WerFault.exe in the process tree). The report records the registry operations, not their effect: on a host with Tamper Protection enabled, Defender blocks modification of these protected settings and of the TamperProtection value itself, so the changes only take hold where Tamper Protection is already off.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
resource  yara_rule
behavioral1/memory/3012-67-0x0000000004A50000-0x0000000004A96000-memory.dmp  family_redline
behavioral1/memory/3012-68-0x0000000004B10000-0x0000000004B54000-memory.dmp  family_redline
behavioral1/memory/3012-69-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-70-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-72-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-74-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-76-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-78-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-80-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-82-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-84-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-86-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-88-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-90-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-92-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-94-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-96-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-98-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-100-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
behavioral1/memory/3012-102-0x0000000004B10000-0x0000000004B4E000-memory.dmp  family_redline
Every hit is in PID 3012 (dGMUe22.exe), so that process is the RedLine stage of the chain and the extracted RedLine config above (C2 193.233.20.28:4125) belongs to it.

Redline family
Executes dropped EXE (5 IoCs)
pid  Process
5076  tice8344.exe
2676  tice8375.exe
2672  b4510QO.exe
3672  c62ya65.exe
3012  dGMUe22.exe

Windows security modification (3 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  b4510QO.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  c62ya65.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  c62ya65.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  tice8344.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  tice8375.exe
Despite the signature name, these are not launchers for the payload. They are the RunOnce entries that the WExtract (IExpress) self-extractor stub writes so that rundll32.exe advpack.dll,DelNodeRunDLL32 deletes its own IXP00n.TMP extraction directory at the next logon. One entry per layer (IXP000.TMP, IXP001.TMP, IXP002.TMP) shows the submitted file to be a three-layer self-extracting cabinet, which matches the process tree below.
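Detection logic for the registry artefacts in the tables above, as an added example that is not part of the Triage report or of the sample. It evaluates Sysmon-style registry events (Event ID 12 CreateKey and Event ID 13 SetValue, with Sysmon's EventType, TargetObject, Details and Image fields) against the two patterns the IoC tables document: Healer's Defender policy tampering, mapped here to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools), and the WExtract cleanup entries that mark a self-extractor stage. It folds the WOW6432Node view and the \REGISTRY\MACHINE spelling into one canonical path so a single rule covers both droppers. The rule names are labels chosen for this example; the sample events are constructed to mirror the IoCs, plus one benign control.

```python
r"""Registry-event rules for the Healer / WExtract artefacts in this report.

Added example, not Triage's or the sample's code. Events carry Sysmon field
names (EventType CreateKey/SetValue, TargetObject, Details, Image). Rules:
  T1562.001  ...\Policies\Microsoft\Windows Defender\Real-Time Protection\Disable* = 1
  T1562.001  ...\Microsoft\Windows Defender\Features\TamperProtection = 0
  info       RunOnce\wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32 <IXPnnn.TMP>
SAMPLE_EVENTS is constructed to mirror the IoC tables, plus one benign control.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
RTP_DISABLE_VALUES = {  # the five policy values the report shows being set to 1
    "DisableRealtimeMonitoring", "DisableOnAccessProtection", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
}
WEXTRACT_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"?(.*?\\IXP\d{3}\.TMP)', re.I)


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str
    key: str
    value: str
    details: str


def normalize_key(path: str) -> str:
    r"""Fold \REGISTRY\MACHINE / HKEY_LOCAL_MACHINE / HKLM and the WOW6432Node view
    into one spelling, so one rule covers the 32-bit writer (c62ya65.exe) and the
    native writer (b4510QO.exe) seen in the report."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    low = [p.lower() for p in parts]
    if low[:2] == ["registry", "machine"]:
        parts = ["HKLM"] + parts[2:]
    elif low[:1] in (["hkey_local_machine"], ["hklm"]):
        parts = ["HKLM"] + parts[1:]
    return "\\".join(p for p in parts if p.lower() != "wow6432node")


def parse_dword(details: str) -> int | None:
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; Triage prints '"1"'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    bare = details.strip().strip('"')
    return int(bare) if bare.isdigit() else None


def classify(event: dict) -> Hit | None:
    """Return a Hit for a matching SetValue event, else None."""
    if event.get("EventType") != "SetValue":
        return None  # a bare CreateKey (Event ID 12) is not evidence on its own
    key, _, value = normalize_key(event["TargetObject"]).rpartition("\\")
    details = event.get("Details", "")
    dword, k = parse_dword(details), key.lower()
    if k == RTP_KEY.lower() and value in RTP_DISABLE_VALUES and dword == 1:
        return Hit("T1562.001 defender_rtp_disabled", event["Image"], key, value, details)
    if k == FEATURES_KEY.lower() and value == "TamperProtection" and dword == 0:
        return Hit("T1562.001 defender_tamper_protection_off", event["Image"], key, value, details)
    if (k == RUNONCE_KEY.lower() and value.lower().startswith("wextract_cleanup")
            and WEXTRACT_RE.search(details)):
        return Hit("info wextract_selfextractor_stage", event["Image"], key, value, details)
    return None


def detect(events: list[dict]) -> list[Hit]:
    return [h for h in map(classify, events) if h is not None]


def by_image(hits: list[Hit]) -> dict[str, list[str]]:
    """Group hit value names under the writing executable's file name."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h.image.rsplit("\\", 1)[-1], set()).add(h.value)
    return {k: sorted(v) for k, v in out.items()}


TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed to mirror the report's IoC tables
    {"EventType": "CreateKey", "Image": TMP + r"\IXP002.TMP\c62ya65.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"},
    {"EventType": "SetValue", "Image": TMP + r"\IXP002.TMP\c62ya65.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventType": "SetValue", "Image": TMP + r"\IXP002.TMP\c62ya65.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventType": "SetValue", "Image": TMP + r"\IXP002.TMP\b4510QO.exe", "Details": '"1"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection"},
    {"EventType": "SetValue", "Image": TMP + r"\IXP000.TMP\tice8344.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000000)",  # benign: re-enable
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit.rule, hit.image.rsplit("\\", 1)[-1], hit.value, hit.details, sep="  ")
```

Running it prints four hits: three Defender rules (two from c62ya65.exe via the WOW6432Node path, one from b4510QO.exe via the native path) and the WExtract staging entry from tice8344.exe. The CreateKey on the Real-Time Protection key is deliberately not a hit on its own, and a value of 0 written to a Disable* policy (re-enabling monitoring) is not a hit either; the pattern worth alerting on in a SIEM is a key creation followed by several of these SetValue events from one image in quick succession, exactly the shape the IoC table shows.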
Program crash (1 IoCs)
pid  pid_target  Process  procid_target
4516  3672  WerFault.exe  94
WerFault.exe (PID 4516) was started for a crash in PID 3672 (c62ya65.exe); the top-level WerFault.exe -pss instance in the process tree (PID 4280) references the same PID 3672.
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tice8344.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tice8375.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c62ya65.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dGMUe22.exe
Reading NLS\Language is also routine locale initialisation for ordinary programs (here it includes the self-extractor layers), so on its own this is low-fidelity evidence; it matters in combination with the Defender tampering and stealer payload above.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  Process
2672  b4510QO.exe
2672  b4510QO.exe
3672  c62ya65.exe
3672  c62ya65.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2672  b4510QO.exe
Token: SeDebugPrivilege  3672  c62ya65.exe
Token: SeDebugPrivilege  3012  dGMUe22.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description  pid  Process  procid_target  events
PID 3184 wrote to memory of 5076  3184  c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe  84  3
PID 5076 wrote to memory of 2676  5076  tice8344.exe  85  3
PID 2676 wrote to memory of 2672  2676  tice8375.exe  86  2
PID 2676 wrote to memory of 3672  2676  tice8375.exe  94  3
PID 5076 wrote to memory of 3012  5076  tice8344.exe  98  3
Each write is a parent writing into a child it has just created, so these 14 events trace the same parent/child chain as the process tree below rather than injection into unrelated processes.
Processes

Chain summary: the submitted file is a three-layer WExtract self-extractor (IXP000.TMP, IXP001.TMP, IXP002.TMP). The innermost layer runs the two Healer droppers (b4510QO.exe, c62ya65.exe); the middle layer also runs the RedLine stealer (dGMUe22.exe).

[1] C:\Users\Admin\AppData\Local\Temp\c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c291f4e3b3328aa6c125cfb7178ec72184e7f1af856e1a273aec0a43ce7226a1.exe"
    PID: 3184
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8344.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8344.exe
      PID: 5076
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8375.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice8375.exe
        PID: 2676
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4510QO.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4510QO.exe
          PID: 2672
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c62ya65.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c62ya65.exe
          PID: 3672
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1100
            PID: 4516
            - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dGMUe22.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dGMUe22.exe
        PID: 3012
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3672 -ip 3672
    PID: 4280
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 649KB
MD5: 871c702825623d9dc89f32e0ec2a5c5a
SHA1: 83b10da2c4967003e45277599ba189b297f360ed
SHA256: 0c249e86fa35b70dc28a41a47993f1735a37e52209631ca7a3cf245564a124c1
SHA512: 4f009074920c8c0b62e9d43d108256c1d96221bd4836a4b045dd90c52940880d1b2a08e180f0f32f0987cf913f0688640a99565073f90a9fda71c62c454266d9

Filesize: 284KB
MD5: 2e5ee6bc606d9f52291a8472257ab357
SHA1: 94a95218ff8e501b53327ae1512aca4d7faf02df
SHA256: 29d1fe498cac08fb5b730affc829419c04de158eff866cc2b9afe5f4dcd2b59a
SHA512: ec05f0fe2a8d31d5d6745e67b9db3da30ce4ba864bad0ef9073c6ae20efaafc4a9a2c945d8a06e5e2c5edbbadd8c4219ce3f38c6aff60e5b3b40d88f5161997b

Filesize: 324KB
MD5: 9de817233245fca35163045dd0af7c8a
SHA1: c1e5e2b03cc410b7b2cc5fe905e5bcbcc8044182
SHA256: 9b0204b93ae3154d7d9b156f21fab3b3b1796ea83d377ce8f0efe1aa4169e0f2
SHA512: 82268cd26e90b27b25d92ff80d876d7acc1cb538069cb0bd2881eaf3e56f9d86801e9cc2117f345f9501544d14e9224da578416da351178608c4afd76e831dff

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 226KB
MD5: ddafbeb7fcccc3421f085567583cfec4
SHA1: 9276b73a01c8c869bf98905995d714b450239425
SHA256: f6dea6a2c545a9841b3a8ba54fb44a5ea5471887bd9c1f24dae9daa10e3fa61d
SHA512: dfc512b0f79fe578cf05e236ee41d50c3efc743e62dd91f57212f0a82e375fe7d4ac3fd50e337d85ab19faea8e226ae19493071e8e971eafa6de191b3c611a62