Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 10:31
Static task
static1
Behavioral task
behavioral1
Sample
31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe
Resource
win10v2004-20241007-en
General
-
Target
31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe
-
Size
725KB
-
MD5
5ae0ae494016835c1c53be0d886cf320
-
SHA1
41df11f8764849e6479b58182a8228e75fbbb4bf
-
SHA256
31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45
-
SHA512
b4771b06f9b5f90f0a21154fc86c6b3e0d2c0319cdc15e220a099e72a75714550ac014a0f9cb313827c1a80e97b0981a7fc432fcef62066bc3ad48a74fee8846
-
SSDEEP
12288:6MrMy90J2Pr0MCe1ILHePQ3WHlwx8XkyAjn+9Pmbkbd1HHw:2yK2geh12wjSoPmUHQ
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023cb3-19.dat healer behavioral1/memory/3696-22-0x0000000000430000-0x000000000043A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection foD01CW.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" foD01CW.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" foD01CW.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" foD01CW.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" foD01CW.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" foD01CW.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023cb4-26.dat family_redline behavioral1/memory/4456-28-0x00000000009F0000-0x0000000000A22000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 3912 siH16JW.exe 2196 sbM48hF.exe 3696 foD01CW.exe 4456 hyL51Id.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" foD01CW.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" siH16JW.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" sbM48hF.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language siH16JW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sbM48hF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hyL51Id.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3696 foD01CW.exe 3696 foD01CW.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3696 foD01CW.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1680 wrote to memory of 3912 1680 31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe 83 PID 1680 wrote to memory of 3912 1680 31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe 83 PID 1680 wrote to memory of 3912 1680 31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe 83 PID 3912 wrote to memory of 2196 3912 siH16JW.exe 84 PID 3912 wrote to memory of 2196 3912 siH16JW.exe 84 PID 3912 wrote to memory of 2196 3912 siH16JW.exe 84 PID 2196 wrote to memory of 3696 2196 sbM48hF.exe 85 PID 2196 wrote to memory of 3696 2196 sbM48hF.exe 85 PID 2196 wrote to memory of 4456 2196 sbM48hF.exe 97 PID 2196 wrote to memory of 4456 2196 sbM48hF.exe 97 PID 2196 wrote to memory of 4456 2196 sbM48hF.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe"C:\Users\Admin\AppData\Local\Temp\31ddcd95038098cf79eff2ae7671ce946151af7459c0dd4dd31d4e3346432d45.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\siH16JW.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\siH16JW.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbM48hF.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbM48hF.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\foD01CW.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\foD01CW.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hyL51Id.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hyL51Id.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
538KB
MD5951e2db92b015d49fecfe9acfae847f2
SHA1fae8bde7557a504d5791b0953eb41cd7b2413e3c
SHA256155c06245605efc722178e5e880a5963e1bf692cbaf063a8ee38fc3cc4295363
SHA5128f6e24ea538b91dbd6610cd58540f00e7440263d35b8af49e4cd2f4b15c7950adb8047fff0eb4bbfd89ef1f1991c0dbef9e97cd39e0c927a9cba660e64a136d1
-
Filesize
202KB
MD5857e08a32f132e82fe3e0b21cdf50780
SHA1f3a8b111811aeb6e2d4ec8e5b41094d695c9ca2b
SHA256f42acf07a3107974608042659e959a538addb5662f593fb0c246830f0063c885
SHA512f874906e23468ca89dd8b3996d9ad1103459fc23745e698a48c7729498e502b0379d8586505494c37cbabdb6ddc42c9e39d01aaaf79221cab0a56ea8666e74ea
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2