Analysis

max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:31

Static task: static1
Behavioral task: behavioral1
Sample: 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe
Resource: win10v2004-20241007-en
General

Target: 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe
Size: 544KB
MD5: 61703f2c906698662b268691376862e8
SHA1: aa628f985e6baa918f6caeb679f098c72417685c
SHA256: 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287
SHA512: 845fdfc5c31769aaa0e8e021c6eb004c402dd1fd4943f059ccc324a28e761aec9964203d6a532e620bac48a34796a2f1ebd98b8b46c401627aeeda62036972e3
SSDEEP: 12288:lMrjy90cxqkdufV2AZA3iLmcqgUnML7wOqoRhf4l531ZY:SyvcqyLn2M/JqOf4rlZY
Malware Config

Extracted
Family: redline
Botnet: down
C2: 193.233.20.31:4125
auth_value: 12c31a90c72f5efae8c053a0bd339381
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
- behavioral1/files/0x0008000000023c98-12.dat | healer
- behavioral1/memory/3596-15-0x0000000000910000-0x000000000091A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0385.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0385.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0385.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0385.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0385.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0385.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
- 1988 | unio4397.exe
- 3596 | pro0385.exe
- 3608 | qu8598.exe

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0385.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | unio4397.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
- 5276 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio4397.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu8598.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 3596 | pro0385.exe
- 3596 | pro0385.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3596 | pro0385.exe
- Token: SeDebugPrivilege | 3608 | qu8598.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 4452 wrote to memory of 1988 | 4452 | 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe | 87
- PID 4452 wrote to memory of 1988 | 4452 | 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe | 87
- PID 4452 wrote to memory of 1988 | 4452 | 891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe | 87
- PID 1988 wrote to memory of 3596 | 1988 | unio4397.exe | 88
- PID 1988 wrote to memory of 3596 | 1988 | unio4397.exe | 88
- PID 1988 wrote to memory of 3608 | 1988 | unio4397.exe | 95
- PID 1988 wrote to memory of 3608 | 1988 | unio4397.exe | 95
- PID 1988 wrote to memory of 3608 | 1988 | unio4397.exe | 95
Processes

- C:\Users\Admin\AppData\Local\Temp\891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe (PID 4452, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\891a59f9b3a3b3a6d0875b0d7fffdfd133fede87a8eaec4133e7af6794ee8287.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4397.exe (PID 1988, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4397.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0385.exe (PID 3596, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0385.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8598.exe (PID 3608, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8598.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe (PID 5276, depth 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads

Filesize: 402KB
MD5: 63fd4feb4161d2c62372641ea73400e6
SHA1: 06e1a669342098b650383314e61daafd039f20e8
SHA256: 4560252c012e054067db289229f22bb27030deb27d1f1feb3dc41c111cae5864
SHA512: 77509ef3676a32b182edc210f481b51e8f2ed696a1d317fb4817af189e44df075326ba9229ec3b67c20bd8c8ad8e1e890e9d2ae9a19f2f24606f928d0af43855

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 349KB
MD5: 70ea4dc76acb7bceeadbc90eec519977
SHA1: f1107e2f40d19b243d9b3b42424eb29258d72eda
SHA256: 06a68ae4624b04bde38010ae651b1a68f8c2c81a785180977bf49d548dcb23ed
SHA512: 77caefd03a36ff98b869b6785be715624bd9400f8998f11fd9be9e57f85bdcddd04a900d93936e01119ac578cc4e9a1cfa0719d3a6208634df6996e3c60935e8