Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 03:06
Static task
static1
Behavioral task
behavioral1
Sample
a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe
Resource
win10v2004-20241007-en
General
-
Target
a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe
-
Size
402KB
-
MD5
fc249bf243c2ab83eae5117e62559740
-
SHA1
a14d6d19371a4022df0bc52f9c6f34738c854561
-
SHA256
a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4de
-
SHA512
8c2008068a07cfe9913afc61d3855c06d7fa988ad904e00a5f30333a50c8f7e54977e9cbdb8e2a0ed8ffa9566d65fd266d6010b2dd8dd89544c4fef7cdbff0a3
-
SSDEEP
6144:KWy+bnr+jp0yN90QErXz/sZAjG77XYef78JidT2CWmSUDk6S3QZaqOyQ2BQ5+:aMr/y90plG77YegJidaaIMaqxQ2B5
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023bd3-5.dat healer behavioral1/memory/1992-8-0x0000000000450000-0x000000000045A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b1728py.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b1728py.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b1728py.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b1728py.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b1728py.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b1728py.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/3260-17-0x0000000002410000-0x0000000002456000-memory.dmp family_redline behavioral1/memory/3260-19-0x00000000025B0000-0x00000000025F4000-memory.dmp family_redline behavioral1/memory/3260-31-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-35-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-83-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-81-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-79-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-77-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-73-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-71-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-69-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-67-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-65-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-63-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-61-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-59-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-57-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-53-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-51-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-50-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-47-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-45-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-43-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-41-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-39-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-37-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-33-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-29-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-27-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-25-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-75-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-55-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-23-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-21-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline behavioral1/memory/3260-20-0x00000000025B0000-0x00000000025EE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 1992 b1728py.exe 3260 c19IU97.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b1728py.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c19IU97.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1992 b1728py.exe 1992 b1728py.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1992 b1728py.exe Token: SeDebugPrivilege 3260 c19IU97.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5060 wrote to memory of 1992 5060 a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe 83 PID 5060 wrote to memory of 1992 5060 a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe 83 PID 5060 wrote to memory of 3260 5060 a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe 92 PID 5060 wrote to memory of 3260 5060 a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe 92 PID 5060 wrote to memory of 3260 5060 a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe"C:\Users\Admin\AppData\Local\Temp\a53e07fb586c4c75cc78bd67e56c89436c0f06ffb2213932ec2d03f14ee3b4deN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1728py.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1728py.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c19IU97.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c19IU97.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
367KB
MD5b027ebb3e70d7bc51c75bbdfd85ea392
SHA189bea40a9f34e998af07884e9a3da1df21037b2a
SHA2560c7a52e23934ed22905ccf78982f546ab0a36f92cdc64bf1cfddc7b4cb02d0e3
SHA5124d51137bd5c210f57198dd9f08858415ec2b5f4cd4324651bbc4b0127fbcfb1486b4f5f2add49602afeb340675ba3f37344ccf3d728039dabf3411bd547f0a4c