Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 03:53
Static task: static1
Behavioral task: behavioral1
Sample: 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe
Resource: win10v2004-20241007-en
General
Target: 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe
Size: 1.3MB
MD5: 49b947ec1b0c77d5a9d45b78da369e1a
SHA1: 1405dfdbca0d25e98660ff3105a5be7c3ded82d7
SHA256: 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61
SHA512: 664f1b4df8413697104d4a2b06ef4a3fa8d006ae5b83fdcd5943a92605d693107b0f87e24b0e78ffb9ad6e3a84970c74d3b5db10e0cef77359388d35989a61f2
SSDEEP: 24576:Ayd7VzCzRd3+72tPCiSRXizvqY10LilWync0EyDW6NV:HxtcT+72tPCNXiG00Llyncfg
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
auth_value = 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023cc8-40.dat | healer
behavioral1/memory/3460-42-0x0000000000F40000-0x0000000000F4A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bewB15mC16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bewB15mC16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bewB15mC16.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bewB15mC16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bewB15mC16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bewB15mC16.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 7 IoCs
pid | Process
4040 | ptDY2294wa.exe
3936 | pthX6564hG.exe
1680 | ptaQ8092CN.exe
4464 | ptfk1015pq.exe
2808 | ptnS7798oU.exe
3460 | bewB15mC16.exe
4408 | cuoB11ue25.exe
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bewB15mC16.exe
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ptnS7798oU.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptDY2294wa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | pthX6564hG.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ptaQ8092CN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ptfk1015pq.exe
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
4636 | sc.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ptDY2294wa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pthX6564hG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ptaQ8092CN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ptfk1015pq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ptnS7798oU.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cuoB11ue25.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3460 | bewB15mC16.exe
3460 | bewB15mC16.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3460 | bewB15mC16.exe
Token: SeDebugPrivilege | 4408 | cuoB11ue25.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1164 wrote to memory of 4040 | 1164 | 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe | 83
PID 1164 wrote to memory of 4040 | 1164 | 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe | 83
PID 1164 wrote to memory of 4040 | 1164 | 139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe | 83
PID 4040 wrote to memory of 3936 | 4040 | ptDY2294wa.exe | 85
PID 4040 wrote to memory of 3936 | 4040 | ptDY2294wa.exe | 85
PID 4040 wrote to memory of 3936 | 4040 | ptDY2294wa.exe | 85
PID 3936 wrote to memory of 1680 | 3936 | pthX6564hG.exe | 87
PID 3936 wrote to memory of 1680 | 3936 | pthX6564hG.exe | 87
PID 3936 wrote to memory of 1680 | 3936 | pthX6564hG.exe | 87
PID 1680 wrote to memory of 4464 | 1680 | ptaQ8092CN.exe | 88
PID 1680 wrote to memory of 4464 | 1680 | ptaQ8092CN.exe | 88
PID 1680 wrote to memory of 4464 | 1680 | ptaQ8092CN.exe | 88
PID 4464 wrote to memory of 2808 | 4464 | ptfk1015pq.exe | 89
PID 4464 wrote to memory of 2808 | 4464 | ptfk1015pq.exe | 89
PID 4464 wrote to memory of 2808 | 4464 | ptfk1015pq.exe | 89
PID 2808 wrote to memory of 3460 | 2808 | ptnS7798oU.exe | 90
PID 2808 wrote to memory of 3460 | 2808 | ptnS7798oU.exe | 90
PID 2808 wrote to memory of 4408 | 2808 | ptnS7798oU.exe | 97
PID 2808 wrote to memory of 4408 | 2808 | ptnS7798oU.exe | 97
PID 2808 wrote to memory of 4408 | 2808 | ptnS7798oU.exe | 97
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\139cdff08abe107267389a525c0eb81c523275d4905dbf6d056f9669f5946f61.exe"
  PID: 1164
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptDY2294wa.exe
    PID: 4040
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pthX6564hG.exe
      PID: 3936
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptaQ8092CN.exe
        PID: 1680
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptfk1015pq.exe
          PID: 4464
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptnS7798oU.exe
            PID: 2808
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            Level 7: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\bewB15mC16.exe
              PID: 3460
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            Level 7: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuoB11ue25.exe
              PID: 4408
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
Level 1: C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 4636
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads