Analysis
-
max time kernel
127s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:22
Static task
static1
Behavioral task
behavioral1
Sample
aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe
Resource
win10v2004-20241007-en
General
-
Target
aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe
-
Size
500KB
-
MD5
a5a111336950d4a7ee86f75d0e5bdb4f
-
SHA1
65b5745bac5d5e01f5264ee3a74c952f43c4b302
-
SHA256
aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7
-
SHA512
aeffbc01e6128729a6851ce911a7664ee28eb1c4f1a3c0c66fba98fd630d2abc56bf8a7a54ccd749c084b35fdfe89c442ee1d463e4d010fb56527b9522fec15b
-
SSDEEP
12288:QMrzy90OIRDaZ9KQAsQ2F5/2zprdWpZGy:zy2l28NXEOzlopZGy
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
resource yara_rule behavioral1/files/0x000b000000023b7b-12.dat healer behavioral1/memory/1540-15-0x00000000002B0000-0x00000000002BA000-memory.dmp healer behavioral1/memory/3288-22-0x0000000000890000-0x00000000008AA000-memory.dmp healer behavioral1/memory/3288-24-0x00000000024C0000-0x00000000024D8000-memory.dmp healer behavioral1/memory/3288-25-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-32-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-52-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-51-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-48-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-46-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-44-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-42-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-40-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-38-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-36-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-34-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-30-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-28-0x00000000024C0000-0x00000000024D2000-memory.dmp healer behavioral1/memory/3288-26-0x00000000024C0000-0x00000000024D2000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection eqt39Pz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" eqt39Pz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" eqt39Pz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" eqt39Pz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" dns95MX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" dns95MX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" dns95MX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" dns95MX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" dns95MX.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" eqt39Pz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" eqt39Pz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection dns95MX.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b79-57.dat family_redline behavioral1/memory/2964-59-0x00000000007B0000-0x00000000007E2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 4572 nAp54yj56.exe 1540 dns95MX.exe 3288 eqt39Pz.exe 2964 fKO62eE.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" dns95MX.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features eqt39Pz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" eqt39Pz.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nAp54yj56.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1044 3288 WerFault.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nAp54yj56.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eqt39Pz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fKO62eE.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1540 dns95MX.exe 1540 dns95MX.exe 3288 eqt39Pz.exe 3288 eqt39Pz.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1540 dns95MX.exe Token: SeDebugPrivilege 3288 eqt39Pz.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4972 wrote to memory of 4572 4972 aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe 83 PID 4972 wrote to memory of 4572 4972 aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe 83 PID 4972 wrote to memory of 4572 4972 aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe 83 PID 4572 wrote to memory of 1540 4572 nAp54yj56.exe 84 PID 4572 wrote to memory of 1540 4572 nAp54yj56.exe 84 PID 4572 wrote to memory of 3288 4572 nAp54yj56.exe 89 PID 4572 wrote to memory of 3288 4572 nAp54yj56.exe 89 PID 4572 wrote to memory of 3288 4572 nAp54yj56.exe 89 PID 4972 wrote to memory of 2964 4972 aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe 93 PID 4972 wrote to memory of 2964 4972 aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe 93 PID 4972 wrote to memory of 2964 4972 aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe"C:\Users\Admin\AppData\Local\Temp\aa58c907b78987e09e3a485fbfb29d96b187dbcf2e26ff28173ad1972aa7c9a7.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nAp54yj56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nAp54yj56.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dns95MX.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dns95MX.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eqt39Pz.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eqt39Pz.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 10884⤵
- Program crash
PID:1044
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fKO62eE.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fKO62eE.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3288 -ip 32881⤵PID:1576
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
355KB
MD53931e0715e9d4bc520df6831e3306e37
SHA1d5be6b9c95eade84382e0ba143951a71e4bcdcce
SHA256b150a4479c38a6623720d201c2f679ed012a1f0b44fc3b77a309e43da79957fb
SHA512cfab04f74b1c8039ff3bde8fa888aed6017eafd10834b4bbbcfb2194fe8db95983c5125c134cc1eb427a002f0aafbf357e0dde682696183abb50a751df6e8833
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
295KB
MD5304766f61a677814af31d2737d118b6f
SHA1213a7e70d4f7d13e17ddff12152bcfe2c1cc2de4
SHA25607c33396ed7ec1b40808aae921c50c552dc21b08beabbd5541b9fc9f062e08ac
SHA51208c9202e988e4f6518a14f37b19eefc8b5901a2c07472140303c48535b67830e956759db3738b3bf63559220cb1e59f8045a2fad5d84530e9cb2e670740441ea