Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 06:02
Static task: static1
Behavioral task: behavioral1
- Sample: 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe
- Resource: win10v2004-20241007-en
General
- Target: 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe
- Size: 696KB
- MD5: f7532414a9b0dc8200cff751ec9104b1
- SHA1: 50802d383306f656be228c7117ff8ac2645dd0ef
- SHA256: 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065
- SHA512: f4ea6e97b30b79dd12dd4d8375de0f121c94857f6dc0884ddff07b1c69f3847e7b242cf1378f70c1451d2ba47218d90603915704531b263fa019e9c153657151
- SSDEEP: 12288:nMrsy90XTuX7J4ZK3HN3EAooK2+8tqg0wiDcOcjq8aHXeMz0hE7ROjLBx:XyWuXFI6tUdob+8tqgoDVciHum0hyOjz
Malware Config
Extracted
- Family: redline
- Botnet: mango
- C2: 193.233.20.28:4125
- auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
yara_rule: healer; matching resources (all in PID 2840, b7359Zt.exe):
- behavioral1/memory/2840-19-0x0000000002530000-0x000000000254A000-memory.dmp
- behavioral1/memory/2840-21-0x0000000004BB0000-0x0000000004BC8000-memory.dmp
- behavioral1/memory/2840-48-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-49-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-45-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-43-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-42-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-39-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-37-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-35-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-33-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-31-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-29-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-27-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-25-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-23-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
- behavioral1/memory/2840-22-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
All writes are under HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection and come from b7359Zt.exe; each Disable* value set to 1 switches off one Defender real-time feature.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (b7359Zt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (b7359Zt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (b7359Zt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (b7359Zt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (b7359Zt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (b7359Zt.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (20 IoCs)
yara_rule: family_redline; matching resources (all in PID 2000, c90iD31.exe):
- behavioral1/memory/2000-61-0x0000000004A70000-0x0000000004AB6000-memory.dmp
- behavioral1/memory/2000-62-0x0000000004AF0000-0x0000000004B34000-memory.dmp
- behavioral1/memory/2000-66-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-70-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-68-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-96-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-84-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-72-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-64-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-63-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-94-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-92-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-90-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-88-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-86-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-82-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-80-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-78-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-76-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
- behavioral1/memory/2000-74-0x0000000004AF0000-0x0000000004B2E000-memory.dmp
Redline family
-
Executes dropped EXE (3 IoCs)
- PID 3872: nYP1475Pq.exe
- PID 2840: b7359Zt.exe
- PID 2000: c90iD31.exe
Windows security modification (2 IoCs)
TamperProtection = 0 under the Windows Defender\Features key turns Defender's Tamper Protection off, which is what lets the Real-Time Protection policy writes above take effect without being reverted.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (b7359Zt.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (b7359Zt.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Both values are RunOnce entries named wextract_cleanup* that call advpack.dll,DelNodeRunDLL32 on an IXP00n.TMP directory. That is the self-cleanup entry written by the Windows IExpress/WEXTRACT self-extractor, so it shows the sample and nYP1475Pq.exe are nested IExpress packages that extract into IXP000.TMP and IXP001.TMP; it deletes those directories at next logon rather than persisting the payload.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (nYP1475Pq.exe)
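The registry writes in this report (Real-Time Protection Disable* values set to 1, TamperProtection set to 0, and the wextract_cleanup RunOnce entries) are the events a detection rule should key on. The following is an added example, not code from the sandbox or from this report: it parses event lines constructed from the IoCs above and classifies them. The one-line-per-event layout (verb, value type, key\name = "data", process) is an assumption for illustration, not the sandbox's export format; the key paths and value names are the report's.

```python
"""Classify registry 'Set value' events into Defender-tampering findings.

Added example, not code from the sandbox or this report. EVENTS is constructed
from the IoC lines in the report; the one-line-per-event layout (verb, type,
key\\name = "data", process) is an assumption for illustration.
"""
import re
from dataclasses import dataclass

# Real-Time Protection policy values; each disables a Defender feature when set to 1.
RTP_KEY = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# TamperProtection = 0 under this key turns Defender's Tamper Protection off.
FEATURES_KEY = r"\Microsoft\Windows Defender\Features"

# "Set value (<type>) <key>\<name> = "<data>" <process>"; the name holds no
# backslash or space, which is what separates it from the key and the data.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) '
    r'(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)

# Constructed from the report's IoCs (Defender, TamperProtection and RunOnce signatures).
EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b7359Zt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b7359Zt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b7359Zt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b7359Zt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b7359Zt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" b7359Zt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nYP1475Pq.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features b7359Zt.exe',
]


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    detail: str


def parse_event(line):
    """Return the fields of a 'Set value' line, or None for other verbs."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(events):
    """Map each parsed event to a finding; unknown keys produce nothing."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        # A 32-bit process writing HKLM\SOFTWARE on x64 lands under WOW6432Node;
        # strip it so the match does not depend on the writer's bitness.
        key = ev["key"].replace(r"\WOW6432Node", "")
        name, data, proc = ev["name"], ev["data"], ev["proc"]
        if key.endswith(RTP_KEY) and name in RTP_DISABLE_VALUES and data == "1":
            findings.append(Finding(proc, "defender_rtp_disabled", name))
        elif key.endswith(FEATURES_KEY) and name == "TamperProtection" and data == "0":
            findings.append(Finding(proc, "defender_tamper_protection_off", name))
        elif key.endswith(r"\CurrentVersion\RunOnce") and name.startswith("wextract_cleanup"):
            # Self-cleanup entry written by the IExpress/WEXTRACT self-extractor; it
            # deletes the IXP*.TMP extraction directory rather than persisting the payload.
            findings.append(Finding(proc, "iexpress_sfx_cleanup", data))
    return findings


def processes_disabling_defender(events):
    """Sorted names of processes that switched off a Defender feature."""
    return sorted({f.process for f in classify(events) if f.technique.startswith("defender_")})


if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f"{f.process:14} {f.technique:32} {f.detail}")
```

Running the block lists five Real-Time Protection findings and one Tamper Protection finding for b7359Zt.exe and two IExpress cleanup entries for the two outer droppers; the "Key created" line is ignored because only value writes carry data worth matching.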
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system. Here it is invoked as "sc.exe start wuauserv", which starts the Windows Update service; the report records no parent for this process (see Processes below).
- PID 5204: sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nYP1475Pq.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b7359Zt.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c90iD31.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2840: b7359Zt.exe
- PID 2840: b7359Zt.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2840 (b7359Zt.exe)
- Token: SeDebugPrivilege, PID 2000 (c90iD31.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
Each parent/child pair below appears three times and corresponds to one spawn in the process tree.
- PID 1584 wrote to memory of 3872 (1584 = 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe, procid_target 83)
- PID 1584 wrote to memory of 3872 (1584 = 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe, procid_target 83)
- PID 1584 wrote to memory of 3872 (1584 = 25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe, procid_target 83)
- PID 3872 wrote to memory of 2840 (3872 = nYP1475Pq.exe, procid_target 84)
- PID 3872 wrote to memory of 2840 (3872 = nYP1475Pq.exe, procid_target 84)
- PID 3872 wrote to memory of 2840 (3872 = nYP1475Pq.exe, procid_target 84)
- PID 3872 wrote to memory of 2000 (3872 = nYP1475Pq.exe, procid_target 92)
- PID 3872 wrote to memory of 2000 (3872 = nYP1475Pq.exe, procid_target 92)
- PID 3872 wrote to memory of 2000 (3872 = nYP1475Pq.exe, procid_target 92)
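The WriteProcessMemory rows are the only place in the report that records which process spawned which, so they are what you use to confirm the process tree. The following is an added example, not code from the sandbox or from this report: it parses the nine rows above (copied verbatim as constructed input), collapses the three identical rows per spawn into one edge, names the children from the "Executes dropped EXE" list, and prints the tree. sc.exe (PID 5204) has no recorded parent in the report and therefore does not appear.

```python
"""Rebuild the parent/child process tree from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. WPM_LINES and DROPPED are copied
from the "Suspicious use of WriteProcessMemory" and "Executes dropped EXE"
sections; the one-line-per-row layout is the flattened text of those tables.
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> <src> <src image name> <procid_target>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)$"
)

SAMPLE = "25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe"
# Constructed from the report: every spawn is logged three times.
WPM_LINES = (
    [f"PID 1584 wrote to memory of 3872 1584 {SAMPLE} 83"] * 3
    + ["PID 3872 wrote to memory of 2840 3872 nYP1475Pq.exe 84"] * 3
    + ["PID 3872 wrote to memory of 2000 3872 nYP1475Pq.exe 92"] * 3
)
# PID -> image name, from "Executes dropped EXE".
DROPPED = {3872: "nYP1475Pq.exe", 2840: "b7359Zt.exe", 2000: "c90iD31.exe"}


def parse_edges(lines):
    """Ordered, de-duplicated (parent, child) edges plus the parent names seen."""
    edges, names, seen = [], {}, set()
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["name"]
        if (src, dst) not in seen:  # collapse the repeated rows for one spawn
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, names


def build_tree(edges):
    """Roots (PIDs never seen as a child) and a parent -> children map."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    child_set = {c for _, c in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in child_set))
    return roots, children


def ancestry(edges, pid):
    """PIDs from the root down to pid, e.g. sample -> dropper -> payload."""
    parent_of = {c: p for p, c in edges}
    path = [pid]
    while path[-1] in parent_of and parent_of[path[-1]] not in path:
        path.append(parent_of[path[-1]])
    return path[::-1]


def render(lines, dropped):
    """Indented text tree; names come from the dropped-EXE list or the parent column."""
    edges, names = parse_edges(lines)
    names = {**dropped, **names}
    roots, children = build_tree(edges)
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render(WPM_LINES, DROPPED)))
```

The rendered tree matches the Processes section: the sample (1584) spawns nYP1475Pq.exe (3872), which spawns both b7359Zt.exe (2840, the Healer component) and c90iD31.exe (2000, the RedLine payload).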
Processes
- C:\Users\Admin\AppData\Local\Temp\25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe (level 1, PID 1584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\25a35d1152bcc52f44179b71ab82c9d93d188ae715a0b91bdd39a3203d48a065.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYP1475Pq.exe (level 2, PID 3872)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYP1475Pq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7359Zt.exe (level 3, PID 2840)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7359Zt.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c90iD31.exe (level 3, PID 2000)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c90iD31.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe (level 1, PID 5204; no parent recorded in this report)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
-
- Filesize: 552KB
- MD5: 6ea1d83ab2891cbe31c6cdf4574265ea
- SHA1: f380fe4a342ef1c6a6ff88f4df09eab91906510e
- SHA256: 7784dd7eb9e65454e953a0d3484f35031062085201089fa9d5b46d31fb638870
- SHA512: 20eb8b6cfaaf656352a36c0a68354f7fb86f69926beb0e5d99956b949d9841b1e13a25383c69184d22d5df07072507c418142d1160a0d768b5471d7a0a9e465f
-
- Filesize: 323KB
- MD5: ee43881ab62092621b2d2e22a0295878
- SHA1: 0339221e3f787602fea6a0541817565d751a293c
- SHA256: 2764ed1001c0289c438398b43297206b64e883f65c34eec0418f809392bab22d
- SHA512: df6b636d896665a3ec9ee572dc8dcb79169c02316741d9a693d7c09be7ce419e373b1c4d0635c8ecda95e936313750820fb97ee31111a005b334f44ec6112f6c
-
- Filesize: 381KB
- MD5: 79183f88b273bd94752126e28a74a872
- SHA1: 4969ee7676f48a9c26c21da543322993704c403f
- SHA256: 35c6bb7d3f63d1c1b25b5dba53cbbbc3b3876baf9c02688ca95768b2b4062f21
- SHA512: c7f4663100fef6e7206b9f879afb6b1309460ef14af23444f9ef0e115e2d7892831e04dd4a344eac4d77654d400360223c45d1343638cf5f45edaefc1e569899