Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 09/11/2024, 03:47
Static task: static1
Behavioral task: behavioral1
Sample: 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe
Resource: win10v2004-20241007-en
General
- Target: 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe
- Size: 545KB
- MD5: 2a983266f8f056fb335e04f8dbf2f2e5
- SHA1: dd05af90db9ac6ced413c0ac2204c71b678f87f9
- SHA256: 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e
- SHA512: ba9205d38c8458d1b9c233c96545368e79b2f2dc634f5a22f42cac7d91da0dba31dce2f902c04ff0fb6126ec2857aff5f7b33cc1e1994b066b3a52ca50920d84
- SSDEEP: 12288:6Mray90c6puXCvjVRGXo99/ABAXy+orcyQY1:oyB6puX0OX0iWC+a/1
Malware Config
Extracted
- Family: redline
- Botnet: stek
- C2: melevv.eu:4162
- auth_value: 4205381daf6946b2df5fe3bc7eacc918
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000d000000023a9f-12.dat | healer
behavioral1/memory/2932-15-0x00000000004F0000-0x00000000004FA000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw12iS70fy41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw12iS70fy41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw12iS70fy41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw12iS70fy41.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw12iS70fy41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw12iS70fy41.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1872-22-0x00000000072B0000-0x00000000072F6000-memory.dmp | family_redline
behavioral1/memory/1872-24-0x00000000078E0000-0x0000000007924000-memory.dmp | family_redline
behavioral1/memory/1872-28-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-36-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-88-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-86-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-84-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-80-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-78-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-76-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-74-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-72-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-70-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-68-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-64-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-62-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-60-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-58-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-56-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-54-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-52-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-50-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-48-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-44-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-42-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-40-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-38-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-34-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-32-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-30-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-82-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-66-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-46-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-26-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
behavioral1/memory/1872-25-0x00000000078E0000-0x000000000791E000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE (3 IoCs)
pid | Process
5088 | vLD3381DM.exe
2932 | sw12iS70fy41.exe
1872 | tTs82ji75.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw12iS70fy41.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vLD3381DM.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vLD3381DM.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tTs82ji75.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2932 | sw12iS70fy41.exe
2932 | sw12iS70fy41.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2932 | sw12iS70fy41.exe
Token: SeDebugPrivilege | 1872 | tTs82ji75.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3848 wrote to memory of 5088 | 3848 | 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe | 84
PID 3848 wrote to memory of 5088 | 3848 | 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe | 84
PID 3848 wrote to memory of 5088 | 3848 | 2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe | 84
PID 5088 wrote to memory of 2932 | 5088 | vLD3381DM.exe | 85
PID 5088 wrote to memory of 2932 | 5088 | vLD3381DM.exe | 85
PID 5088 wrote to memory of 1872 | 5088 | vLD3381DM.exe | 97
PID 5088 wrote to memory of 1872 | 5088 | vLD3381DM.exe | 97
PID 5088 wrote to memory of 1872 | 5088 | vLD3381DM.exe | 97
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b91b557c9707e6725848d11c1f251b377eee548edf010a2cb4dcf130b85d49e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3848

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vLD3381DM.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vLD3381DM.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5088

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw12iS70fy41.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw12iS70fy41.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2932

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tTs82ji75.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tTs82ji75.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1872
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
- Filesize: 401KB
  MD5: df49db6d633ec7bf1c0bd85d7d4ca873
  SHA1: 82a7930fbb3274fa2fc31d129751f2495c3c1f92
  SHA256: aa1d694af1a25ad7c2a4e6031e8e97a16eb37600d7a263d9962416e627bcc139
  SHA512: abd5f988e812df852857f060a95fc7f8a04130d2f01b4a744dbf2433a8a5b0e991ab920299423be76b1e6cfd23cd6ba938fbdd44946db26938b985caaaafe861
- Filesize: 17KB
  MD5: a9adc4efcbc6c0615f4361a3ec789222
  SHA1: f4197f043f30642f70a9e389291079434b361412
  SHA256: 89f21fe981acbcd25223af667029a321d9e16e9052db55588c41119d54adb52d
  SHA512: b550990b9da7d9c606cecd06af3e75a7fb51f7a9427097e7cddd9442653902dcb7a7dca46b4736fcf3ff824a450f06cee2cda60e24dc205c35b295eaae329e92
- Filesize: 376KB
  MD5: d59f82338e5d937f8762de73d2fe5bfd
  SHA1: 405e65a38c7677eaed8a28a9b9ef72a0ad7bdacb
  SHA256: 138b6143c345a24a8f866d24f461d19ce4c9ed06204f12eb4d09207baff6ebf1
  SHA512: bf1cfe667b92ecdfd20625a50245e2640ddcc7f0320ae842b28ebd9e48582a437ed68360745d997d0cb5064926b84ec7de4450bf9f3d89692ea5f1ddf4775e75