Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 02:27
Static task: static1
Behavioral task: behavioral1
Sample: 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe
Resource: win10v2004-20241007-en
General
Target: 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe
Size: 1.1MB
MD5: 835d2a229d3cc67784abf39002767623
SHA1: 41be97d33d570be1e17a0a6bd413bb4d9a309dd8
SHA256: 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3
SHA512: d89175d4dd4e87d5ec9daaec342aaff864e60b7f4c1fffa0aacc242135d5725d06fe53c336f926c8391ec3ae82ff2c8fc9658d3a79cebfa1fc87b9837d4a0006
SSDEEP: 24576:sydR07jxqUxg6grv3q17gfX7a8nnBF5cjH55vA1x0X+aSxf:bdaxq16mv3wgfX7a8nX5uHXvAj0XQx
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
Attributes
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023ca9-26.dat | healer
behavioral1/memory/3636-28-0x00000000004E0000-0x00000000004EA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iHO86rq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iHO86rq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iHO86rq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iHO86rq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iHO86rq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iHO86rq.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/3184-34-0x0000000004BF0000-0x0000000004C36000-memory.dmp | family_redline
behavioral1/memory/3184-36-0x0000000004D40000-0x0000000004D84000-memory.dmp | family_redline
behavioral1/memory/3184-37-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-52-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-100-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-96-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-94-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-92-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-90-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-88-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-86-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-84-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-82-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-80-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-78-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-76-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-72-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-70-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-68-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-66-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-62-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-60-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-58-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-56-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-50-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-48-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-46-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-44-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-42-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-40-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-38-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-98-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-74-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-64-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline
behavioral1/memory/3184-54-0x0000000004D40000-0x0000000004D7F000-memory.dmp | family_redline

Redline family
Executes dropped EXE 5 IoCs
pid | Process
1920 | stC21UM78.exe
464 | sEq64AI19.exe
116 | szM42Gn92.exe
3636 | iHO86rq.exe
3184 | kaE74HJ.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iHO86rq.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | szM42Gn92.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | stC21UM78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sEq64AI19.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stC21UM78.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sEq64AI19.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | szM42Gn92.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kaE74HJ.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3636 | iHO86rq.exe
3636 | iHO86rq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3636 | iHO86rq.exe
Token: SeDebugPrivilege | 3184 | kaE74HJ.exe

Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 2708 wrote to memory of 1920 | 2708 | 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | 83
PID 2708 wrote to memory of 1920 | 2708 | 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | 83
PID 2708 wrote to memory of 1920 | 2708 | 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | 83
PID 1920 wrote to memory of 464 | 1920 | stC21UM78.exe | 84
PID 1920 wrote to memory of 464 | 1920 | stC21UM78.exe | 84
PID 1920 wrote to memory of 464 | 1920 | stC21UM78.exe | 84
PID 464 wrote to memory of 116 | 464 | sEq64AI19.exe | 86
PID 464 wrote to memory of 116 | 464 | sEq64AI19.exe | 86
PID 464 wrote to memory of 116 | 464 | sEq64AI19.exe | 86
PID 116 wrote to memory of 3636 | 116 | szM42Gn92.exe | 87
PID 116 wrote to memory of 3636 | 116 | szM42Gn92.exe | 87
PID 116 wrote to memory of 3184 | 116 | szM42Gn92.exe | 98
PID 116 wrote to memory of 3184 | 116 | szM42Gn92.exe | 98
PID 116 wrote to memory of 3184 | 116 | szM42Gn92.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe (PID 2708)
  command line: "C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe (PID 1920)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe (PID 464)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe (PID 116)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe (PID 3636)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe (PID 3184)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 938KB
MD5: cda0ba2f46109dff4625c138815333e0
SHA1: d53b9d3b75f951209ae60dadb31e169ecb1cc88f
SHA256: 19cef52d8912f92c2e70466d0239eb8d1ac2de2366a64228bfc459d596a88d9b
SHA512: bbae5af7f5bb82cdb2279f05b276cdce11fcdad1635e6020753ffac66fb84343a7eef5b39cdc166cabfbfd7f8213d0a2017a70101785936c252559f7ad452ca1

Filesize: 667KB
MD5: 4acde0c98110d81a16cc4142ad0768bb
SHA1: 0e8d37d14a1807ff1d7b8919f55fb2f991909f17
SHA256: 00a08145060b94c2bbcdce4a7991d80f44ad1beb189ade90c28eae356189e54c
SHA512: ce287ae4a6fb8128156c5b2754e8168d36c58359aa7112fda2ccd8f7bb3dc3d4a0783a0b868926ff4df80c817806318b0efe5603326a37f14ca857096ee98545

Filesize: 392KB
MD5: ee2972dc9ac93157ba79e2d60eedcf4b
SHA1: 66bba59a4be4d7746434d03d941da65bdc4188b1
SHA256: 37648268773e03f8f89e732342c31b8c84d32d13ed2017cdcfed22e14448b607
SHA512: ecd18c626899e889c34981cb2840d754a9b5ed2868bedcdc083015ac0029dbefb2d95a481cd9afb2ac4983a7a707e126477ed70bdd0336ce032a77f7ea801462

Filesize: 11KB
MD5: 3f743544178d1d7086fb775f43dcfeeb
SHA1: 7b9c026e578b764614a1bbf3784d24f1598db442
SHA256: d08e033389f404907756d12db74080967c5b64473fbef8a309bc1d760f58e16c
SHA512: 66db004f3c60a8cd093f2df6c71e0248a78645022b1d96aa47f3658ebd9bd26b528339942b9a322ac1529d80f8eae1c4a416a9ae03323e030271239c1a284eaa

Filesize: 364KB
MD5: b907779ac03be51e3fe55c545e16195d
SHA1: d39a6ffa3af1153cb920e4fd1a9bd38b99c1f37b
SHA256: 49c804cc4ef692834971fe93b96777381c9b247ce2f1d49b34b39e01b05d610c
SHA512: c72a9fbaad8653f9f2f065c196a8abf5dcf540dd5f52514df72b9668220849d8921cd6b3c9441386bcfbc27e507b578bcf59b31d802279d5141d1c0bcf3b78b7