Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:30

Static task: static1
Behavioral task: behavioral1
Sample: f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe
Resource: win10v2004-20241007-en
General
Target: f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe
Size: 1.1MB
MD5: 60f2ec9fdcb9b314a840c2cb2d565d16
SHA1: 43970483d185c683836d63d4cd41b26d843e3992
SHA256: f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163
SHA512: cb8a62cdd7a409f02ab9bc128229214bc5ba6e0390e67c56eaaa2bf80beb779f3c0256df30a81ea82b94b59b8834a4097a5481908673f0bae8afd7760702a48b
SSDEEP: 24576:byfbyHvEC2hUfP75J0M4Hu+oBCzDfs37nigxVqt4d:OfbyPEC2S7D3YvE3Digb
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper 2 IoCs
resource                                                                      yara_rule
behavioral1/files/0x000a000000023bbe-32.dat                                   healer
behavioral1/memory/948-35-0x0000000000170000-0x000000000017A000-memory.dmp    healer
Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description       ioc                                                                                                                 Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    iWx20Dc52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        iWx20Dc52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    iWx20Dc52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    iWx20Dc52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  iWx20Dc52.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                   iWx20Dc52.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
Redline family

Executes dropped EXE 6 IoCs
pid    Process
4780   vmtE18QL60.exe
1344   vmju08fp16.exe
1924   vmLK49vc63.exe
1072   vmZF57qb45.exe
948    iWx20Dc52.exe
1604   kOf44nu54.exe

Windows security modification 1 IoCs
description       ioc                                                                                 Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   iWx20Dc52.exe
Adds Run key to start application 2 TTPs 5 IoCs
description       ioc                                                                                                   Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   vmLK49vc63.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""   vmZF57qb45.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   vmtE18QL60.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   vmju08fp16.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid    Process
4904   sc.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   kOf44nu54.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vmtE18QL60.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vmju08fp16.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vmLK49vc63.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vmZF57qb45.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
948    iWx20Dc52.exe
948    iWx20Dc52.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid    Process
Token: SeDebugPrivilege   948    iWx20Dc52.exe
Token: SeDebugPrivilege   1604   kOf44nu54.exe

Suspicious use of WriteProcessMemory 17 IoCs
description                          pid    Process                                                                 procid_target
PID 3492 wrote to memory of 4780     3492   f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe   84
PID 3492 wrote to memory of 4780     3492   f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe   84
PID 3492 wrote to memory of 4780     3492   f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe   84
PID 4780 wrote to memory of 1344     4780   vmtE18QL60.exe                                                          85
PID 4780 wrote to memory of 1344     4780   vmtE18QL60.exe                                                          85
PID 4780 wrote to memory of 1344     4780   vmtE18QL60.exe                                                          85
PID 1344 wrote to memory of 1924     1344   vmju08fp16.exe                                                          86
PID 1344 wrote to memory of 1924     1344   vmju08fp16.exe                                                          86
PID 1344 wrote to memory of 1924     1344   vmju08fp16.exe                                                          86
PID 1924 wrote to memory of 1072     1924   vmLK49vc63.exe                                                          87
PID 1924 wrote to memory of 1072     1924   vmLK49vc63.exe                                                          87
PID 1924 wrote to memory of 1072     1924   vmLK49vc63.exe                                                          87
PID 1072 wrote to memory of 948      1072   vmZF57qb45.exe                                                          88
PID 1072 wrote to memory of 948      1072   vmZF57qb45.exe                                                          88
PID 1072 wrote to memory of 1604     1072   vmZF57qb45.exe                                                          97
PID 1072 wrote to memory of 1604     1072   vmZF57qb45.exe                                                          97
PID 1072 wrote to memory of 1604     1072   vmZF57qb45.exe                                                          97
Processes

C:\Users\Admin\AppData\Local\Temp\f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f6f9e1c1633207f5559fedb663ee12039125c381bb378dba8a02bc1695577163.exe"
    PID: 3492
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmtE18QL60.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmtE18QL60.exe
        PID: 4780
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmju08fp16.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmju08fp16.exe
            PID: 1344
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmLK49vc63.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmLK49vc63.exe
                PID: 1924
                - Executes dropped EXE
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmZF57qb45.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmZF57qb45.exe
                    PID: 1072
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWx20Dc52.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWx20Dc52.exe
                        PID: 948
                        - Modifies Windows Defender Real-time Protection settings
                        - Executes dropped EXE
                        - Windows security modification
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

                    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kOf44nu54.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kOf44nu54.exe
                        PID: 1604
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    PID: 4904
    - Launches sc.exe
Network

MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
      Windows Service (1)
Downloads