Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:54

Static task: static1
Behavioral task: behavioral1
- Sample: c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe
- Resource: win10v2004-20241007-en

General
- Target: c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe
- Size: 705KB
- MD5: 50a6ee18ab91583bec2938c5388e6f9b
- SHA1: c3d42970ca1b1a16a3e2d7f20455006852424c54
- SHA256: c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495
- SHA512: aae1b6ad3b91b4493a8ef5933ff58ee35d5614c71869c786e967e9f0e3cd8775c465a784023f2e16a4909a208df8b5fda8d59a8a54ead4917d7faaad9d22462a
- SSDEEP: 12288:jMrjy907hQxAdVYtrKe2ERHxG/SYn9Kr9BYkLHOG76o/ZIFfWfGEWbYTzQKgr+Ip:0yaKSVcrKe2ERIZn9KBOGf/efSEYTzQZ
Malware Config
Extracted
- Family: redline
- Botnet: ronam
- C2: 193.233.20.17:4139
- auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x000c000000023bae-19.dat (yara_rule: healer)
- behavioral1/memory/32-22-0x00000000006C0000-0x00000000006CA000-memory.dmp (yara_rule: healer)

Healer family

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (dOs02bb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (dOs02bb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (dOs02bb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (dOs02bb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (dOs02bb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (dOs02bb.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs; all hits are family_redline YARA matches on memory dumps of PID 3116, eMp56Bo.exe)
Redline family
Executes dropped EXE (4 IoCs)
- PID 3472: nXJ90vq77.exe
- PID 2284: nLi28VQ85.exe
- PID 32: dOs02bb.exe
- PID 3116: eMp56Bo.exe

Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (dOs02bb.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (nLi28VQ85.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (nXJ90vq77.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nXJ90vq77.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nLi28VQ85.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (eMp56Bo.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 32: dOs02bb.exe
- PID 32: dOs02bb.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 32 (dOs02bb.exe)
- Token: SeDebugPrivilege, PID 3116 (eMp56Bo.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 624 (c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe) wrote to memory of PID 3472, target 83
- PID 624 (c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe) wrote to memory of PID 3472, target 83
- PID 624 (c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe) wrote to memory of PID 3472, target 83
- PID 3472 (nXJ90vq77.exe) wrote to memory of PID 2284, target 84
- PID 3472 (nXJ90vq77.exe) wrote to memory of PID 2284, target 84
- PID 3472 (nXJ90vq77.exe) wrote to memory of PID 2284, target 84
- PID 2284 (nLi28VQ85.exe) wrote to memory of PID 32, target 86
- PID 2284 (nLi28VQ85.exe) wrote to memory of PID 32, target 86
- PID 2284 (nLi28VQ85.exe) wrote to memory of PID 3116, target 97
- PID 2284 (nLi28VQ85.exe) wrote to memory of PID 3116, target 97
- PID 2284 (nLi28VQ85.exe) wrote to memory of PID 3116, target 97
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe (PID 624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1b1cade1bfbcc08e52182389900b6a3fbd187390d158ed4189a0007d6fd6495.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nXJ90vq77.exe (PID 3472)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nXJ90vq77.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLi28VQ85.exe (PID 2284)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nLi28VQ85.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOs02bb.exe (PID 32)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOs02bb.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eMp56Bo.exe (PID 3116)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eMp56Bo.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads