Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 13:23
Static task
static1
Behavioral task
behavioral1
Sample
3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe
Resource
win10v2004-20241007-en
General
-
Target
3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe
-
Size
530KB
-
MD5
b7d355bcc3831c252ef8c730d31e0534
-
SHA1
ba22c5ea25aee25023cc3517b0db997df0aeacfe
-
SHA256
3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce
-
SHA512
fb0e5b6631681700b1131de47468df81b52507a8be392c62df2efc8792e19bdf66bdc4a7f21a57732b9223a32bb90491bcdeae55bc054cc17a7c35fe45b6417a
-
SSDEEP
12288:mMryy90YXlI5N5vVsfsfBE4juJZ2RIXGlEEM8nz:EyY5PVTE2uJZ2RiG2EMw
Malware Config
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c9a-12.dat healer behavioral1/memory/2540-15-0x0000000000350000-0x000000000035A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sf22fg13fi41.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sf22fg13fi41.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection sf22fg13fi41.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sf22fg13fi41.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sf22fg13fi41.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sf22fg13fi41.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4376-22-0x0000000002580000-0x00000000025C6000-memory.dmp family_redline behavioral1/memory/4376-24-0x0000000005120000-0x0000000005164000-memory.dmp family_redline behavioral1/memory/4376-34-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-36-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-28-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-72-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-54-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-32-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-30-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-26-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-25-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-88-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-86-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-84-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-82-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-80-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-78-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-76-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-74-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-70-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-68-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-66-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-64-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-62-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-60-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-58-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-56-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-52-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-50-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-48-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-46-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-44-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-42-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-40-0x0000000005120000-0x000000000515E000-memory.dmp family_redline behavioral1/memory/4376-38-0x0000000005120000-0x000000000515E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1416 vhnv3817DB.exe 2540 sf22fg13fi41.exe 4376 tf03VB48An55.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sf22fg13fi41.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vhnv3817DB.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 116 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhnv3817DB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tf03VB48An55.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2540 sf22fg13fi41.exe 2540 sf22fg13fi41.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2540 sf22fg13fi41.exe Token: SeDebugPrivilege 4376 tf03VB48An55.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1892 wrote to memory of 1416 1892 3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe 86 PID 1892 wrote to memory of 1416 1892 3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe 86 PID 1892 wrote to memory of 1416 1892 3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe 86 PID 1416 wrote to memory of 2540 1416 vhnv3817DB.exe 87 PID 1416 wrote to memory of 2540 1416 vhnv3817DB.exe 87 PID 1416 wrote to memory of 4376 1416 vhnv3817DB.exe 96 PID 1416 wrote to memory of 4376 1416 vhnv3817DB.exe 96 PID 1416 wrote to memory of 4376 1416 vhnv3817DB.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe"C:\Users\Admin\AppData\Local\Temp\3c5a4fa5efe2852729ce8ae85af06c19f907208a0e100ce1ee5f8f85c90196ce.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnv3817DB.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnv3817DB.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf22fg13fi41.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf22fg13fi41.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03VB48An55.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03VB48An55.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:116
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
385KB
MD596d70ea167980857a6190c61b2eedfcd
SHA1201e2a8391e851c78785b0d4edffd741cf432e72
SHA2567bde9c79d628cfd0de67b0110942b2d137f9217aa53913fb2ef1cdd2cebfc54f
SHA512b0d58a4f298942699efbd01a01a31adb34dbcdaea889e536928a7951be0ce8bce657a9cb005222ae0b604bc1ab6b6c98029525425baeeb866dd6d7462a2ba5a8
-
Filesize
11KB
MD5d2a648d150bb0a53fc559b236a18973c
SHA185570ee09410bcc66e6055f90894277641edc691
SHA2565427c34811ab141a37f013c91b9859089654ca29e03dabb11617fe2e8be81275
SHA51295f58c5b170d47b0406275f0d965f92ae6a2244849a3ffd8c9b478bd5ac39708edc5dc5763373208a13a3b682ee5907792799c74325374110e292226f9947532
-
Filesize
292KB
MD501f55e38d4139a3f84f11a36dbb67824
SHA128ba3e42c1bd4a60732f8a2b34771aa026253000
SHA2562dcc02ccacc4b825f2b5d18d6139650cad2798618e2fd66cac757735a3824004
SHA51256a9d5e32131b4d7265d3d0f7b049132400d58731717c3437b756b3597743637dce907a9932d4e82cc039e22c747380fe19c560df3dd6d8b0c7a98502a862de0