Analysis
-
max time kernel
112s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 07:59
Static task
static1
Behavioral task
behavioral1
Sample
a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe
Resource
win10v2004-20241007-en
General
-
Target
a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe
-
Size
787KB
-
MD5
c4843083b81bda5311cb304408e69330
-
SHA1
efc6cd04158de6ce58a3cc96764979f51ba3873c
-
SHA256
a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214d
-
SHA512
899f15dcd8f05371d1595bf49fc3d15b3a973e6af808dea02537e08209bc2379a416d9c48e39b09b0c024bf6e58cd2ed52d9350a59212d0df5372075b8cc77ff
-
SSDEEP
24576:NyzSMEvTgvipuOJWFr1NOXSOP/YIQqUl0ae:o3oduOUZNOCyYIlUv
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe healer behavioral1/memory/2544-22-0x0000000000190000-0x000000000019A000-memory.dmp healer behavioral1/memory/208-29-0x0000000002210000-0x000000000222A000-memory.dmp healer behavioral1/memory/208-31-0x0000000002630000-0x0000000002648000-memory.dmp healer behavioral1/memory/208-32-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-39-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-59-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-57-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-55-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-53-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-52-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-49-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-47-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-45-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-43-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-41-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-37-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-35-0x0000000002630000-0x0000000002642000-memory.dmp healer behavioral1/memory/208-33-0x0000000002630000-0x0000000002642000-memory.dmp healer -
Healer family
-
Processes:
c43cb40.exeb8799SO.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c43cb40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c43cb40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c43cb40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b8799SO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b8799SO.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c43cb40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b8799SO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c43cb40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c43cb40.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b8799SO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b8799SO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b8799SO.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
Processes:
resource yara_rule behavioral1/memory/2408-67-0x0000000002550000-0x0000000002596000-memory.dmp family_redline behavioral1/memory/2408-68-0x0000000004AB0000-0x0000000004AF4000-memory.dmp family_redline behavioral1/memory/2408-82-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-84-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-102-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-100-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-98-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-96-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-94-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-92-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-90-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-88-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-86-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-80-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-78-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-76-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-74-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-72-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-70-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline behavioral1/memory/2408-69-0x0000000004AB0000-0x0000000004AEE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 5 IoCs
Processes:
tice7397.exetice0715.exeb8799SO.exec43cb40.exedgEoB84.exepid process 1872 tice7397.exe 3516 tice0715.exe 2544 b8799SO.exe 208 c43cb40.exe 2408 dgEoB84.exe -
Processes:
b8799SO.exec43cb40.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b8799SO.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c43cb40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c43cb40.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
tice7397.exetice0715.exea000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" tice7397.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" tice0715.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3348 208 WerFault.exe c43cb40.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exetice7397.exetice0715.exec43cb40.exedgEoB84.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tice7397.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tice0715.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c43cb40.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dgEoB84.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
b8799SO.exec43cb40.exepid process 2544 b8799SO.exe 2544 b8799SO.exe 208 c43cb40.exe 208 c43cb40.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
b8799SO.exec43cb40.exedgEoB84.exedescription pid process Token: SeDebugPrivilege 2544 b8799SO.exe Token: SeDebugPrivilege 208 c43cb40.exe Token: SeDebugPrivilege 2408 dgEoB84.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exetice7397.exetice0715.exedescription pid process target process PID 1924 wrote to memory of 1872 1924 a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe tice7397.exe PID 1924 wrote to memory of 1872 1924 a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe tice7397.exe PID 1924 wrote to memory of 1872 1924 a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe tice7397.exe PID 1872 wrote to memory of 3516 1872 tice7397.exe tice0715.exe PID 1872 wrote to memory of 3516 1872 tice7397.exe tice0715.exe PID 1872 wrote to memory of 3516 1872 tice7397.exe tice0715.exe PID 3516 wrote to memory of 2544 3516 tice0715.exe b8799SO.exe PID 3516 wrote to memory of 2544 3516 tice0715.exe b8799SO.exe PID 3516 wrote to memory of 208 3516 tice0715.exe c43cb40.exe PID 3516 wrote to memory of 208 3516 tice0715.exe c43cb40.exe PID 3516 wrote to memory of 208 3516 tice0715.exe c43cb40.exe PID 1872 wrote to memory of 2408 1872 tice7397.exe dgEoB84.exe PID 1872 wrote to memory of 2408 1872 tice7397.exe dgEoB84.exe PID 1872 wrote to memory of 2408 1872 tice7397.exe dgEoB84.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe"C:\Users\Admin\AppData\Local\Temp\a000c524a9b76417c772df8b34465f55754da2094d5a5ee0d6d6fa68b62f214dN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 10845⤵
- Program crash
PID:3348
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 208 -ip 2081⤵PID:1436
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
642KB
MD5bc51a9e8040b1382777a3460776c5c3f
SHA1fd603bf51005e17db870261017fa5133f32e330d
SHA256f88632042070ab6f96d125d2c01f6697f8b7916cb74d1168bf2bf1f0623562a2
SHA5123515e0b6ae26b5eac996c4cf0a7810e2adca0104184280e9fa69b2fa46b7180bf3722d0e75fbc3444d0026fae09d9f5dbf93147e2939ae3df3fe45f425bda6d0
-
Filesize
294KB
MD567fea7c362f13f92f2028ad800e6a0eb
SHA15624b717fc92e019a210d1e863992ab5b6b0b851
SHA256245cd72755fd00b3f3f36d5b08f0ba395f363094655a8fd6a54f2ed4273343e9
SHA5127c38a6c450e8bf8ae09586eada676395eca117078764bf1a2fed75f4eae22084aa293fbeb07fba5443c3c7af53eb98007606f5d1db5f4159f31864291095394f
-
Filesize
322KB
MD53ebd2d0de0dda7f5f801bb87d8ad0f44
SHA1074fb4c3a5affa0e604b636b83be3164421f2d12
SHA256dfc11e034c2970239e3e0df7abdba97cef691e619876804ed18c7ed946fcb01a
SHA512dea9c987fa93bcc2887e94808d97134a6dce9f9e74cc7e12ce9579d39043bdaf34338daac2e89894e1892e3a8291ec111520e8430af7a9bb1f918a48cac90dfc
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
236KB
MD5c7a6a881515eb7ab0d1c3f67455ca980
SHA1f201499e8d0b2fd82f78687f5a23320b236a6881
SHA256b13855be933840cc9ae22ee6887717cea2a45b9550e6ab4b610c42c795d501b7
SHA512d64e309bf4ad1fa5a17fdf529db3258260ff5c718d828bb86ba1c5b621064724a319396392cc546642f012f7dd9cea4aa21ef254a98fd8e1fa3a9b86e4eda644