Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 01:17
Static task: static1
Behavioral task: behavioral1
Sample: 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe
Resource: win10v2004-20241007-en
General
Target: 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe
Size: 1.1MB
MD5: c827563ae9b3d4a294348ea3a9848c23
SHA1: 1e1482f7b5b7cc4f7d4c6f9b78008002dbbc699e
SHA256: 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874
SHA512: fb7ad4f1e79e2b4037ca9d78d7a71093dd7275e330865a80f226e9a061da56db30c1fd6c18af46d734a41e9aa2850d8c192152955b4c3d91e79855f4980d7e70
SSDEEP: 24576:lyvnf4uQ6NWKnc1F5jdwC7AgKotch+woXWC5HG5+88:Avf4zfvFVmC739tc0wodE5+8
Malware Config
Extracted
redline
rodik
193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca4-26.dat | healer
behavioral1/memory/3540-28-0x0000000000E10000-0x0000000000E1A000-memory.dmp | healer

Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | biG26Ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | biG26Ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | biG26Ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | biG26Ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | biG26Ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | biG26Ee.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1664-34-0x0000000004C40000-0x0000000004C86000-memory.dmp | family_redline
behavioral1/memory/1664-36-0x00000000071E0000-0x0000000007224000-memory.dmp | family_redline
behavioral1/memory/1664-46-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-48-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-100-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-98-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-96-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-94-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-92-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-90-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-88-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-84-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-82-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-80-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-78-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-76-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-74-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-72-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-70-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-68-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-66-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-62-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-60-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-58-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-56-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-54-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-52-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-50-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-44-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-42-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-86-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-64-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-40-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-38-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline
behavioral1/memory/1664-37-0x00000000071E0000-0x000000000721F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (5 IoCs)
pid | Process
2332 | nmx56RB.exe
4664 | nWE35Lo.exe
4804 | nYR65eD.exe
3540 | biG26Ee.exe
1664 | blp15OW71.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | biG26Ee.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | nWE35Lo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | nYR65eD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nmx56RB.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
4548 | sc.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nmx56RB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nWE35Lo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nYR65eD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | blp15OW71.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3540 | biG26Ee.exe
3540 | biG26Ee.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3540 | biG26Ee.exe
Token: SeDebugPrivilege | 1664 | blp15OW71.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 4008 wrote to memory of 2332 | 4008 | 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe | 84
PID 4008 wrote to memory of 2332 | 4008 | 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe | 84
PID 4008 wrote to memory of 2332 | 4008 | 6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe | 84
PID 2332 wrote to memory of 4664 | 2332 | nmx56RB.exe | 86
PID 2332 wrote to memory of 4664 | 2332 | nmx56RB.exe | 86
PID 2332 wrote to memory of 4664 | 2332 | nmx56RB.exe | 86
PID 4664 wrote to memory of 4804 | 4664 | nWE35Lo.exe | 87
PID 4664 wrote to memory of 4804 | 4664 | nWE35Lo.exe | 87
PID 4664 wrote to memory of 4804 | 4664 | nWE35Lo.exe | 87
PID 4804 wrote to memory of 3540 | 4804 | nYR65eD.exe | 88
PID 4804 wrote to memory of 3540 | 4804 | nYR65eD.exe | 88
PID 4804 wrote to memory of 1664 | 4804 | nYR65eD.exe | 95
PID 4804 wrote to memory of 1664 | 4804 | nYR65eD.exe | 95
PID 4804 wrote to memory of 1664 | 4804 | nYR65eD.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe (depth 1, PID 4008)
  command line: "C:\Users\Admin\AppData\Local\Temp\6b1d690f55b1056bfc224a6d70dcfe61b3756d077cb8e69fd96b0d9443210874.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nmx56RB.exe (depth 2, PID 2332)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nmx56RB.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nWE35Lo.exe (depth 3, PID 4664)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nWE35Lo.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nYR65eD.exe (depth 4, PID 4804)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nYR65eD.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\biG26Ee.exe (depth 5, PID 3540)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\biG26Ee.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\blp15OW71.exe (depth 5, PID 1664)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\blp15OW71.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe (depth 1, PID 4548)
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
    Windows Service: 1
Downloads

Filesize: 940KB
MD5: 40465d1949343f9e5ce691b75dde373e
SHA1: a910c1a157b8667e07e99d496f1943461faffecf
SHA256: 4eee119494cd0aabe778c8efdeb9afcf53174a57a2b433fc47a4172a1254317f
SHA512: 7d57d0c65d8c1a9433a21da6aad5d7a9075e124d312973ddfa6221e408412c4d8d4482e134aac30cdeb037fca66b3592c218f931c4eb75d462f8267e1d4e52ca

Filesize: 682KB
MD5: d82f86bd2a73f22ecf13057c7a9a1b25
SHA1: ca1e7dfd8c81628599cbb3e94577d501cfbb46d5
SHA256: 8fe97fe804885021ff611cc722263201d37d95310ab5e26006e5dc802b655410
SHA512: 1482e3cc14639c3cc073ce7bbc01b9373f40545e88527d95c7933bd5009ad4b968531d8b5e587c32229e4a13b8e7a44b075243e8d4b5ceec2d721eb836aa3f02

Filesize: 399KB
MD5: c9df8ab1e190414909f9ccd9de238ef1
SHA1: 989ebfd34d46a67dd5493ef6539018cfa4810cef
SHA256: 6c1e9cef0745f51c5f94b26f94940da1c53a4443dad393f71800faa2034fe37a
SHA512: 3e2522898bb4d00223b845bf2a476df1de12c2eef1222eb27ade1e5718565b7a77ff67f9b61f6d03ef8e22279197c27b6032da6817ceef06f66270352a6c748f

Filesize: 11KB
MD5: 8b59b609a0bd8a2cfb13198649775d15
SHA1: 7871b03695b68c7aad01f980fcef9cec56d0be7a
SHA256: 9b26204b4ac04b30a3a8f74b62e7d1a7315a2fad93b7a8a8dbff063e02d73bd6
SHA512: d79201c7c4b2ac6400f9c32652eafd28f1ca863b5edf7e5b7b2d3bb0c6f690464c7076357b7a67bb800e500e7e1d2a6eba651a1f39356ebaffcb5b5fcdd53649

Filesize: 362KB
MD5: 89043a2a2ea21c3bd2a007ecd51c585f
SHA1: 8a69615923db088e06a0ea0e6b9c0c910275573d
SHA256: f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf
SHA512: 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd