Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:46
Static task: static1
Behavioral task: behavioral1
Sample: 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe
Resource: win10v2004-20241007-en
General

Target: 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe
Size: 556KB
MD5: d704ef9671edee148e7bdeffbf24870c
SHA1: c444a73f01efa7a98ce5540b8af2bfb80fe6b758
SHA256: 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f
SHA512: 1e12a53d595fadcdf6b6373356223383767bb2469c7f1a39e190e0290d6d04129693194324254ae4ff04cbcd7ce1ffb5227d5d28478839d6bfaa1c22e106fc58
SSDEEP: 12288:8MrGy90OlFGWVvR7RmPDe2L5uHcs2iOd2OAHnM3J:aynlIIR7ojdk82OAqJ
Malware Config

Extracted
Family: redline
Botnet: ruzhpe
C2: pepunn.com:4162
Attributes: auth_value = f735ced96ae8d01d0bd1d514240e54e0
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cbc-12.dat | healer
behavioral1/memory/5000-15-0x00000000008F0000-0x00000000008FA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw05Gn58dZ16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw05Gn58dZ16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw05Gn58dZ16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw05Gn58dZ16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw05Gn58dZ16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw05Gn58dZ16.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/4996-22-0x0000000007250000-0x0000000007296000-memory.dmp | family_redline
behavioral1/memory/4996-24-0x00000000072F0000-0x0000000007334000-memory.dmp | family_redline
behavioral1/memory/4996-32-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-34-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-88-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-86-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-84-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-82-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-80-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-78-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-76-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-74-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-72-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-70-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-68-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-66-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-64-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-62-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-58-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-56-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-54-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-52-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-50-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-48-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-46-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-44-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-42-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-40-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-38-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-36-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-30-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-28-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-60-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-26-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline
behavioral1/memory/4996-25-0x00000000072F0000-0x000000000732E000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2700 | vkZH8491wf.exe
5000 | sw05Gn58dZ16.exe
4996 | tkJZ53Qe35RL.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw05Gn58dZ16.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vkZH8491wf.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tkJZ53Qe35RL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vkZH8491wf.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5000 | sw05Gn58dZ16.exe
5000 | sw05Gn58dZ16.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5000 | sw05Gn58dZ16.exe
Token: SeDebugPrivilege | 4996 | tkJZ53Qe35RL.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3996 wrote to memory of 2700 | 3996 | 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe | 83
PID 3996 wrote to memory of 2700 | 3996 | 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe | 83
PID 3996 wrote to memory of 2700 | 3996 | 474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe | 83
PID 2700 wrote to memory of 5000 | 2700 | vkZH8491wf.exe | 84
PID 2700 wrote to memory of 5000 | 2700 | vkZH8491wf.exe | 84
PID 2700 wrote to memory of 4996 | 2700 | vkZH8491wf.exe | 90
PID 2700 wrote to memory of 4996 | 2700 | vkZH8491wf.exe | 90
PID 2700 wrote to memory of 4996 | 2700 | vkZH8491wf.exe | 90
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\474ba92b24e39cf2d00b712fac6e5272bcad479c5a59ee88ea52f4db6d24df7f.exe"
  PID: 3996
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkZH8491wf.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkZH8491wf.exe
    PID: 2700
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw05Gn58dZ16.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw05Gn58dZ16.exe
      PID: 5000
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkJZ53Qe35RL.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkJZ53Qe35RL.exe
      PID: 4996
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 411KB
MD5: b1fa716c3184b199bd81f720650a1aca
SHA1: 91709a29a81de589a9b477e7c939934f2ef6b213
SHA256: 2ebf531cffd5977392a20ac105caf1b54329d6025936f6a11eea0d563d07811a
SHA512: 4e44987917db3b371e6d94f4f9c42893c72e7ee1f781444dccc86b9abe331a34f98aae80c60c89965e342ae58ca0cb2bf46e64208b3ed46726a6b2d79c9b264b

Filesize: 18KB
MD5: 7625771b5b0383ff369f5aa35b0b5b2d
SHA1: 7663fb5a385b434f7cf410a1846a9b16df54dd26
SHA256: 3d10942c4270144bcd7f37c59f82a859bea2d3ca7b76a5962974d03158ad3347
SHA512: 583508d756bb69bac32f49891adbd7e93f75839ef6b208f87f68091baae6e756821e1af266373624591d576db00c0f0d7dad6f0e5168d6dc21077832e481bdca

Filesize: 410KB
MD5: 97581d18424b6968bffda63f4e27c2b0
SHA1: 501bc8daae8308a502ceae32244e79e55d2282c3
SHA256: 99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30
SHA512: bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba