Analysis
max time kernel: 142s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 08:00
Static task: static1
Behavioral task: behavioral1
Sample: e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe
Resource: win10v2004-20241007-en
General
Target: e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe
Size: 793KB
MD5: 3e9a9ded324f1069d3d09e7fa8edee96
SHA1: 8f5247187d6eb06eccd1269ae844109924a43724
SHA256: e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0
SHA512: 14b3f173876e8f8a1ef2ce7283fcff9933ebf2ba506160773d3b0fae4d387d89262c26d4cf3bfeb57f92e0c2a8bb57ac755d0b1ecddfc790a8bdb31ad30e6216
SSDEEP: 12288:0MrZy90dGO/6FNe/Nb4RA9qkqAC4GXk0rHesWhzsEVZplHOOzvuP6JwyV:1yM/TnqMG00rHesWV7VZftXwA
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Signatures

Detects Healer an antivirus disabler dropper (19 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x0008000000023cba-19.dat | healer
behavioral1/memory/4380-22-0x0000000000870000-0x000000000087A000-memory.dmp | healer
behavioral1/memory/640-29-0x00000000021F0000-0x000000000220A000-memory.dmp | healer
behavioral1/memory/640-31-0x0000000002430000-0x0000000002448000-memory.dmp | healer
behavioral1/memory/640-32-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-59-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-57-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-55-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-53-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-51-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-47-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-49-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-45-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-43-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-41-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-39-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-37-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-35-0x0000000002430000-0x0000000002442000-memory.dmp | healer
behavioral1/memory/640-33-0x0000000002430000-0x0000000002442000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: b9048vj.exe, c07Mi62.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b9048vj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c07Mi62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c07Mi62.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b9048vj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b9048vj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b9048vj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b9048vj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c07Mi62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b9048vj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c07Mi62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c07Mi62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c07Mi62.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4808-67-0x0000000002570000-0x00000000025B6000-memory.dmp | family_redline
behavioral1/memory/4808-68-0x0000000004AD0000-0x0000000004B14000-memory.dmp | family_redline
behavioral1/memory/4808-72-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-84-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-102-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-100-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-98-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-96-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-94-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-92-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-90-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-86-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-82-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-80-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-78-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-76-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-74-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-88-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-70-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
behavioral1/memory/4808-69-0x0000000004AD0000-0x0000000004B0E000-memory.dmp | family_redline
Redline family

Executes dropped EXE (5 IoCs)
Processes: tice1385.exe, tice2659.exe, b9048vj.exe, c07Mi62.exe, dFmYN91.exe
pid | Process
4216 | tice1385.exe
1516 | tice2659.exe
4380 | b9048vj.exe
640 | c07Mi62.exe
4808 | dFmYN91.exe
Windows security modification
Processes: b9048vj.exe, c07Mi62.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b9048vj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c07Mi62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c07Mi62.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe, tice1385.exe, tice2659.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice1385.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice2659.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
732 | 640 | WerFault.exe | 96
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: c07Mi62.exe, dFmYN91.exe, e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe, tice1385.exe, tice2659.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c07Mi62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dFmYN91.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tice1385.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tice2659.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: b9048vj.exe, c07Mi62.exe
pid | Process
4380 | b9048vj.exe
4380 | b9048vj.exe
640 | c07Mi62.exe
640 | c07Mi62.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: b9048vj.exe, c07Mi62.exe, dFmYN91.exe
description | pid | Process
Token: SeDebugPrivilege | 4380 | b9048vj.exe
Token: SeDebugPrivilege | 640 | c07Mi62.exe
Token: SeDebugPrivilege | 4808 | dFmYN91.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe, tice1385.exe, tice2659.exe
description | pid | Process | procid_target
PID 1172 wrote to memory of 4216 | 1172 | e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe | 83
PID 1172 wrote to memory of 4216 | 1172 | e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe | 83
PID 1172 wrote to memory of 4216 | 1172 | e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe | 83
PID 4216 wrote to memory of 1516 | 4216 | tice1385.exe | 84
PID 4216 wrote to memory of 1516 | 4216 | tice1385.exe | 84
PID 4216 wrote to memory of 1516 | 4216 | tice1385.exe | 84
PID 1516 wrote to memory of 4380 | 1516 | tice2659.exe | 85
PID 1516 wrote to memory of 4380 | 1516 | tice2659.exe | 85
PID 1516 wrote to memory of 640 | 1516 | tice2659.exe | 96
PID 1516 wrote to memory of 640 | 1516 | tice2659.exe | 96
PID 1516 wrote to memory of 640 | 1516 | tice2659.exe | 96
PID 4216 wrote to memory of 4808 | 4216 | tice1385.exe | 101
PID 4216 wrote to memory of 4808 | 4216 | tice1385.exe | 101
PID 4216 wrote to memory of 4808 | 4216 | tice1385.exe | 101
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e08a2acee76ef3ddd4a7ff792b12502d4139994a0fe5f8b1d2d09ea8a99bc0f0.exe"
  PID: 1172
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1385.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice1385.exe
    PID: 4216
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2659.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2659.exe
      PID: 1516
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9048vj.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9048vj.exe
        PID: 4380
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c07Mi62.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c07Mi62.exe
        PID: 640
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1100
          PID: 732
          - Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dFmYN91.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dFmYN91.exe
      PID: 4808
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 640 -ip 640
  PID: 2032
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads