Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:46

Static task: static1
Behavioral task: behavioral1
Sample: e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe
Resource: win10v2004-20241007-en
General

Target: e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe
Size: 541KB
MD5: e74383c1a727ae34cfdad5d248daae95
SHA1: 77991a82576b63698005a0963d6bb8793843c143
SHA256: e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753
SHA512: 8dd681606fc162a75d2284171879712d4d11f3217c005a95790390d0b3afc1ee10a2b0722d27401c3594f0c507afccd754b30cde9247992051748690431ebec2
SSDEEP: 12288:DMrYy905rWGf6P63q8HtJ3fCt2jVqcCwATHjl4a:ry4Lf6PMNJPCtqIcCwATHL
Malware Config

Extracted
Family: redline
Botnet: boris
C2: 193.233.20.32:4125
auth_value: 766b5bdf6dbefcf7ca223351952fc38f
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c88-13.dat | healer
behavioral1/memory/4232-15-0x0000000000D00000-0x0000000000D0A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1128.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1128.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/760-22-0x00000000049A0000-0x00000000049E6000-memory.dmp | family_redline
behavioral1/memory/760-24-0x0000000004D80000-0x0000000004DC4000-memory.dmp | family_redline
behavioral1/memory/760-26-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-28-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-86-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-84-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-82-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-80-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-78-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-76-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-72-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-70-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-68-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-66-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-64-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-62-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-58-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-56-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-54-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-52-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-50-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-48-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-44-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-42-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-40-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-39-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-36-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-34-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-30-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-88-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-74-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-60-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-46-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-32-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline
behavioral1/memory/760-25-0x0000000004D80000-0x0000000004DBF000-memory.dmp | family_redline

All 35 hits are in PID 760 (qu4258.exe). Apart from the first two dumps, they are repeated snapshots of the same 0x4D80000-0x4DBF000 region, so the count reflects how often that region was dumped, not 35 distinct payloads.

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1132 | unio2365.exe
4232 | pro1128.exe
760 | qu4258.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1128.exe

The Features\TamperProtection value is owned by the Defender service. When Tamper Protection is on, Defender rejects registry changes to its protected settings, so this write succeeding in the sandbox does not by itself show that it, or the Real-Time Protection policy values above, took effect.
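Detection angle on the two Defender tables above (the Real-Time Protection policy values and Features\TamperProtection). The script below is an added example and is not code from the sandbox or from this report: it parses rows in the flattened description / ioc / Process layout printed here, flags the writes that turn Defender components off, and tags the responsible process with ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). The sample rows are constructed from this report, with one row from the language-discovery table as a negative control; the category names and the weak-indicator bucket for creating the policy key are my own choices.

```python
"""Classify sandbox registry rows for Windows Defender tampering.

Added example, not part of the sandbox report. Rows follow the report's
flattened layout: '<op> <registry path>[ = "<value>"] <process>'.
"""
import re
from collections import defaultdict

# Constructed from this report: the six Real-Time Protection rows, the
# TamperProtection row, and one unrelated NLS lookup as a negative control.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro1128.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection pro1128.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro1128.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro1128.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro1128.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro1128.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" pro1128.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qu4258.exe
"""

# Registry paths are compared case-insensitively (lower-cased constants).
DEFENDER_RTP = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
TAMPER_PROTECTION = r"\registry\machine\software\microsoft\windows defender\features\tamperprotection"
IMPAIR_DEFENSES = "T1562.001"  # Impair Defenses: Disable or Modify Tools

# Path is matched non-greedily so embedded spaces ("Windows Defender") survive;
# the optional '= "..."' part only exists for Set value rows.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)


def parse_events(text):
    """Parse one row per line; unparseable rows raise so format drift is noticed."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append(m.groupdict())
    return events


def classify(event):
    """Return a finding category for one event, or None if it is not Defender tampering."""
    path = event["path"].lower()
    parent, _, name = path.rpartition("\\")
    if path == TAMPER_PROTECTION and event["value"] == "0":
        return "tamper_protection_disabled"
    if parent == DEFENDER_RTP and name.startswith("disable") and event["value"] == "1":
        return "realtime_protection_disabled"
    if path == DEFENDER_RTP and event["op"] == "Key created":
        # Weak indicator on its own: the policy key normally does not exist
        # until someone (GPO or malware) creates it.
        return "defender_policy_key_created"
    return None


def summarize(events):
    """Group findings per process and attach the ATT&CK technique they map to."""
    report = defaultdict(lambda: {"findings": [], "techniques": set()})
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        value_name = ev["path"].rpartition("\\")[2]
        report[ev["proc"]]["findings"].append((category, value_name))
        report[ev["proc"]]["techniques"].add(IMPAIR_DEFENSES)
    return dict(report)


if __name__ == "__main__":
    for proc, info in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{proc}: {sorted(info['techniques'])}")
        for category, value_name in info["findings"]:
            print(f"  {category:32} {value_name}")
```

Run as-is it prints one block for pro1128.exe and nothing for qu4258.exe. One caveat the rows cannot settle: a write landing in the registry is not the same as Defender honouring it. With Tamper Protection on, Defender rejects changes to its protected settings, so treat these findings as attempted tampering and confirm the effective state from Defender itself rather than from the registry.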
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio2365.exe

Both RunOnce values are the cleanup entries written by the Windows wextract self-extractor (the IXP00n.TMP directories are its extraction folders): they delete the temp directory at next logon via advpack.dll's DelNodeRunDLL32 rather than relaunch anything. They show the sample and unio2365.exe are nested wextract packages; they are not persistence for the RedLine payload itself.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio2365.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu4258.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4232 | pro1128.exe
4232 | pro1128.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4232 | pro1128.exe
Token: SeDebugPrivilege | 760 | qu4258.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1524 wrote to memory of 1132 | 1524 | e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe | 83
PID 1524 wrote to memory of 1132 | 1524 | e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe | 83
PID 1524 wrote to memory of 1132 | 1524 | e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe | 83
PID 1132 wrote to memory of 4232 | 1132 | unio2365.exe | 84
PID 1132 wrote to memory of 4232 | 1132 | unio2365.exe | 84
PID 1132 wrote to memory of 760 | 1132 | unio2365.exe | 95
PID 1132 wrote to memory of 760 | 1132 | unio2365.exe | 95
PID 1132 wrote to memory of 760 | 1132 | unio2365.exe | 95
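Reading the WriteProcessMemory rows: each child appears several times with the same source, and every target PID is one the chain itself started (compare the Executes dropped EXE table), which is what ordinary process creation looks like in this telemetry. A write into a PID outside that set would be the injection case worth escalating. The script below is an added example, not the sandbox's code: it parses the flattened description / pid / Process / procid_target rows, collapses repeats into unique edges, renders the spawn tree, and lists writes whose target is not a spawned PID. The rows and the PID-to-name map are constructed from this report; the `foreign_writes` check and the assumption that the chain's own dropped EXEs form the "spawned" set are mine.

```python
"""Rebuild the spawn/injection graph from sandbox WriteProcessMemory rows.

Added example, not part of the sandbox report. Row layout follows the
report: 'PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>'.
"""
import re
from collections import defaultdict

# Constructed from this report's eight rows (several writes per child).
SAMPLE_WRITES = """
PID 1524 wrote to memory of 1132 1524 e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe 83
PID 1524 wrote to memory of 1132 1524 e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe 83
PID 1524 wrote to memory of 1132 1524 e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe 83
PID 1132 wrote to memory of 4232 1132 unio2365.exe 84
PID 1132 wrote to memory of 4232 1132 unio2365.exe 84
PID 1132 wrote to memory of 760 1132 unio2365.exe 95
PID 1132 wrote to memory of 760 1132 unio2365.exe 95
PID 1132 wrote to memory of 760 1132 unio2365.exe 95
"""

# Constructed from the report's "Executes dropped EXE" rows: the PIDs the
# dropper chain started itself (assumed here to be the legitimate targets).
DROPPED_EXES = {1132: "unio2365.exe", 4232: "pro1128.exe", 760: "qu4258.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<target_id>\d+)$"
)


def parse_writes(text):
    """Return one (src_pid, dst_pid, src_name, target_id) tuple per row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        if m["src"] != m["pid"]:
            raise ValueError(f"pid column disagrees with description: {line!r}")
        rows.append((int(m["src"]), int(m["dst"]), m["proc"], int(m["target_id"])))
    return rows


def build_graph(rows):
    """Collapse repeated writes into unique src -> sorted [dst] edges; collect source names."""
    edges = defaultdict(set)
    names = {}
    for src, dst, src_name, _ in rows:
        edges[src].add(dst)
        names[src] = src_name
    return {src: sorted(dsts) for src, dsts in edges.items()}, names


def roots(edges):
    """Processes that write to others but are never written to themselves."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(src for src in edges if src not in targets)


def render(edges, names, root, depth=0):
    """Indented tree text, one line per process, children in PID order."""
    lines = [f"{'  ' * depth}{names.get(root, '?')} (PID {root})"]
    for child in edges.get(root, []):
        lines.extend(render(edges, names, child, depth + 1))
    return lines


def foreign_writes(rows, spawned):
    """(src, dst) pairs whose target is not a process the chain spawned.

    A write into a freshly created child is what CreateProcess looks like in
    this telemetry; a write into any other process is the injection case.
    """
    return [(src, dst) for src, dst, _, _ in rows if dst not in spawned]


if __name__ == "__main__":
    rows = parse_writes(SAMPLE_WRITES)
    edges, names = build_graph(rows)
    names.update(DROPPED_EXES)
    for root in roots(edges):
        print("\n".join(render(edges, names, root)))
    print("foreign writes:", foreign_writes(rows, set(DROPPED_EXES)))
```

For this report the rendered tree matches the Processes section below and the foreign-write list is empty; the same code run over a report where a dropper writes into, say, an existing explorer.exe PID would list that pair.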
Processes

1. C:\Users\Admin\AppData\Local\Temp\e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe (PID 1524)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e7566432abd920c36fc36ebc4439fe4242a4e03233e9d783f0f2dbf018be9753.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2365.exe (PID 1132)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio2365.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1128.exe (PID 4232)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1128.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4258.exe (PID 760)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4258.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads

Filesize: 399KB
MD5: de2698a6a9e4e2b1a3f6c5bc1cbb24ce
SHA1: 48ef3f82e296ed4a3b37f7ed74882b185231f344
SHA256: 61d21f879214d01c690cc1899659177b3833ba90035dd174dfb6b02b763d347d
SHA512: 577891bd8059f59758fc9975c4025dc6eee4d91f50882effd4b91a69283c347f7b423d733a5583fcdcb2b1eb363b6d00aa07c9b12793c10507796f6a2d5f9f7b

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 357KB
MD5: f1958ef2bad93af6e75e698ad6529d4d
SHA1: ce435e346996255fcfffb12d7a7f5a87580bf27b
SHA256: d7345a710023e2a474a032cc7fb721b4af0f53a7408b99f04768108ac290d3d6
SHA512: f833247de66a8970ab4d6c5175541f08cf03885eaf9f488f3d2fe6b1c78288fc4ae21f0f17f766f0244fbfc14b6c4dbe3d2bf10281dc38022bdff645191238ac