Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 13:31
Static task
static1
Behavioral task
behavioral1
Sample
6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe
Resource
win10v2004-20241007-en
General
-
Target
6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe
-
Size
536KB
-
MD5
7c49325fde016ef1e025cf6a2e05db38
-
SHA1
807e75cb122cb46ebfe0f8b7a6de96b3bfe9e352
-
SHA256
6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e
-
SHA512
bb4d383dffbe377a9a64fce8ecdda3ba3b37624326db869a7051d3a27ceb320624e1c38c54c10863ac8d07a2a20eda5b8fa02f067640f7a3e65fbd8299d64f46
-
SSDEEP
12288:TMrHy90xvvFUP/oBj9y0/x9mP5FyaKn84JKt6fBQtf:oyovKPgBBy0DuTyfnRMt60f
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
-
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b5e-12.dat healer behavioral1/memory/3928-15-0x0000000000510000-0x000000000051A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sw32GQ05KM14.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sw32GQ05KM14.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sw32GQ05KM14.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sw32GQ05KM14.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sw32GQ05KM14.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection sw32GQ05KM14.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4828-22-0x0000000002560000-0x00000000025A6000-memory.dmp family_redline behavioral1/memory/4828-24-0x0000000002660000-0x00000000026A4000-memory.dmp family_redline behavioral1/memory/4828-32-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-44-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-88-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-84-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-82-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-80-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-78-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-76-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-74-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-70-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-68-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-66-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-64-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-62-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-60-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-58-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-56-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-54-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-52-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-48-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-46-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-43-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-40-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-39-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-36-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-34-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-86-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-72-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-50-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-30-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-28-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-26-0x0000000002660000-0x000000000269E000-memory.dmp family_redline behavioral1/memory/4828-25-0x0000000002660000-0x000000000269E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3648 vjA8002pf.exe 3928 sw32GQ05KM14.exe 4828 tiW66hp93.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sw32GQ05KM14.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vjA8002pf.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5568 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjA8002pf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tiW66hp93.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3928 sw32GQ05KM14.exe 3928 sw32GQ05KM14.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3928 sw32GQ05KM14.exe Token: SeDebugPrivilege 4828 tiW66hp93.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 948 wrote to memory of 3648 948 6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe 84 PID 948 wrote to memory of 3648 948 6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe 84 PID 948 wrote to memory of 3648 948 6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe 84 PID 3648 wrote to memory of 3928 3648 vjA8002pf.exe 85 PID 3648 wrote to memory of 3928 3648 vjA8002pf.exe 85 PID 3648 wrote to memory of 4828 3648 vjA8002pf.exe 94 PID 3648 wrote to memory of 4828 3648 vjA8002pf.exe 94 PID 3648 wrote to memory of 4828 3648 vjA8002pf.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe"C:\Users\Admin\AppData\Local\Temp\6239fcfa95f5b7d296867ef3e819427f062b3cd41374bedea9eb6236b87eef7e.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjA8002pf.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjA8002pf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw32GQ05KM14.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw32GQ05KM14.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tiW66hp93.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tiW66hp93.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:5568
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
391KB
MD5436de899850c0ce7c337eaa5ce04af55
SHA1b144d8f43c028f087fadaf44bf081e29996e6b3c
SHA2565859c63aab925dbce5cce9ea7e402b80e99c9f1720ded017597885e681615287
SHA512a8ae7eabb475d971fb3db6a904a4de01905bc1b58a8387f85bb004c29a8aa7bf8a140b8fdaa58161d28100bab0e90d0b0fa2f43e901beabdc721f7c42f021802
-
Filesize
17KB
MD5023dfa66c97a31e4adef242da786e97b
SHA19e24d79a0ad22852069570a1320d37d978ddd329
SHA256e7e691dca8f730a466024c5deb2efb768167a9ab0ebe4290396a2ad8b91a74a2
SHA512b7c03cdcd11b854b14bad5139da2a9dd688e390e28c9958c89c062e6510cacaecea0cda23565a15e427b3d0a469881783595ade36411eb1494d1f625d1794253
-
Filesize
303KB
MD512a07204bf4c65efdd968689ed260c4e
SHA18430e5110448dc962c4191a1a06b05c4e3c1a140
SHA256e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b
SHA51261dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a