Analysis
max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:22
Static task: static1
Behavioral task: behavioral1
Sample: 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe
Resource: win10v2004-20241007-en
General
Target: 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe
Size: 864KB
MD5: 222516f5bd6624c566ca95e2be9d7296
SHA1: 8585ec12f4e5733d4e4d4a22e962e80b82624bbe
SHA256: 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f
SHA512: 118a611cbaa12f4268e0135bd9eae8bfd961dfad411a20887524509f39bcd637ea5330fddc58e96d39175fe9ca4ebcfcc91649b6c0d3b3ddf58aa5289e8ffcb6
SSDEEP: 12288:oMrQy90tZLt6hBKAbUZeRdUfoQlGFG33a9v4YuYGpo2wfvtADzow6xnwXodlq455:YyAAhhUEEmG3sVGpoYvowOKo+4gk
Malware Config
Extracted
Family: redline
Botnet: sito
C2: 193.233.20.28:4125
auth_value: 030f94d8e396dbe51ce339b815cdad17
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures
Detects Healer, an antivirus disabler dropper (19 IoCs)
Healer family
Modifies Windows Defender Real-time Protection settings (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b5028lQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b5028lQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b5028lQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c85jk18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c85jk18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c85jk18.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b5028lQ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b5028lQ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c85jk18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c85jk18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c85jk18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b5028lQ.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (20 IoCs)
Redline family
Executes dropped EXE (7 IoCs)
pid | Process
1420 | tice7583.exe
4028 | tice6916.exe
4012 | b5028lQ.exe
1404 | c85jk18.exe
704 | deMLI84.exe
4956 | deMLI84.exe
4084 | e52kh04.exe
Windows security modification (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b5028lQ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c85jk18.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c85jk18.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice7583.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice6916.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 704 set thread context of 4956 | 704 | deMLI84.exe | 99
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
4488 | sc.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2568 | 1404 | WerFault.exe | 94
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c85jk18.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | deMLI84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | deMLI84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e52kh04.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tice7583.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tice6916.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4012 | b5028lQ.exe
4012 | b5028lQ.exe
1404 | c85jk18.exe
1404 | c85jk18.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4012 | b5028lQ.exe
Token: SeDebugPrivilege | 1404 | c85jk18.exe
Token: SeDebugPrivilege | 4956 | deMLI84.exe
Suspicious use of WriteProcessMemory (26 IoCs; identical events collapsed with their count)
description | pid | Process | procid_target | count
PID 2304 wrote to memory of 1420 | 2304 | 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe | 85 | 3
PID 1420 wrote to memory of 4028 | 1420 | tice7583.exe | 87 | 3
PID 4028 wrote to memory of 4012 | 4028 | tice6916.exe | 88 | 2
PID 4028 wrote to memory of 1404 | 4028 | tice6916.exe | 94 | 3
PID 1420 wrote to memory of 704 | 1420 | tice7583.exe | 98 | 3
PID 704 wrote to memory of 4956 | 704 | deMLI84.exe | 99 | 9
PID 2304 wrote to memory of 4084 | 2304 | 2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe | 100 | 3
Processes
"C:\Users\Admin\AppData\Local\Temp\2163b36e5b797ff8b2cfb1924417d597f774bc801864f3143a07ca023450345f.exe" (PID 2304)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7583.exe (PID 1420)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice6916.exe (PID 4028)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5028lQ.exe (PID 4012)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c85jk18.exe (PID 1404)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1080 (PID 2568)
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe (PID 704)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\deMLI84.exe (PID 4956)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e52kh04.exe (PID 4084)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1404 -ip 1404 (PID 1988)
C:\Windows\system32\sc.exe start wuauserv (PID 4488)
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1
Downloads