Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 07/11/2024, 00:22
Static task: static1
Behavioral task: behavioral1
Sample: 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe
Resource: win10v2004-20241007-en
General
Target: 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe
Size: 1.1MB
MD5: 623923850e2cec0eb5ed36f57ea3b7dd
SHA1: 768ffd99d40f14a0ff1fd1522ad5830f1578539e
SHA256: 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71
SHA512: 45d1df1dd026f0c551991bf49ea415307256ca9882e518ec49f8ff2b66e49343a99f7ec8a90f5e9a3f7168f0cfe5954a486956ccacfe10b9c0999f86728512e7
SSDEEP: 24576:0y9XV6kfek+QZ/BTs76j0COHWpb2QWUkB0ecwC7nfOfvtnNCQ:DlR2HmBTs7jChp7WPDC7fOfv90
Malware Config
Extracted
Family: redline
rodik
193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0017000000023c6a-26.dat | healer
behavioral1/memory/1360-28-0x0000000000A10000-0x0000000000A1A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iDm49Vi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iDm49Vi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iDm49Vi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iDm49Vi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iDm49Vi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iDm49Vi.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (5 IoCs)
pid | Process
2044 | sdA44Bz60.exe
5024 | slF63FV67.exe
380 | sOu06Dv99.exe
1360 | iDm49Vi.exe
4060 | kTq73gj.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iDm49Vi.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sdA44Bz60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | slF63FV67.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | sOu06Dv99.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sdA44Bz60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | slF63FV67.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sOu06Dv99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kTq73gj.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1360 | iDm49Vi.exe
1360 | iDm49Vi.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1360 | iDm49Vi.exe
Token: SeDebugPrivilege | 4060 | kTq73gj.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 4884 wrote to memory of 2044 | 4884 | 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe | 87
PID 4884 wrote to memory of 2044 | 4884 | 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe | 87
PID 4884 wrote to memory of 2044 | 4884 | 1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe | 87
PID 2044 wrote to memory of 5024 | 2044 | sdA44Bz60.exe | 88
PID 2044 wrote to memory of 5024 | 2044 | sdA44Bz60.exe | 88
PID 2044 wrote to memory of 5024 | 2044 | sdA44Bz60.exe | 88
PID 5024 wrote to memory of 380 | 5024 | slF63FV67.exe | 89
PID 5024 wrote to memory of 380 | 5024 | slF63FV67.exe | 89
PID 5024 wrote to memory of 380 | 5024 | slF63FV67.exe | 89
PID 380 wrote to memory of 1360 | 380 | sOu06Dv99.exe | 90
PID 380 wrote to memory of 1360 | 380 | sOu06Dv99.exe | 90
PID 380 wrote to memory of 4060 | 380 | sOu06Dv99.exe | 100
PID 380 wrote to memory of 4060 | 380 | sOu06Dv99.exe | 100
PID 380 wrote to memory of 4060 | 380 | sOu06Dv99.exe | 100
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c544e672b97e1609b2b419b3fff4913fbf8368a937ae31d1dcd74448cc4ef71.exe"
  PID: 4884
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sdA44Bz60.exe
    PID: 2044
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\slF63FV67.exe
      PID: 5024
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sOu06Dv99.exe
        PID: 380
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDm49Vi.exe
          PID: 1360
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kTq73gj.exe
          PID: 4060
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads