Analysis

Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/11/2024, 05:06

Static task: static1
Behavioral task: behavioral1
Sample: cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe
Resource: win10v2004-20241007-en
General

Target: cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe
Size: 544KB
MD5: 187b1082a532e1d6fbcaab405ecf3cfa
SHA1: 24ba370c99c1df7ac6ba9f1b97df841a7597c5f7
SHA256: cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378
SHA512: 9691c1e9c470df3433426c476878e6a83c7b7e4ede336be53119041f984c5ce2bc463ce12f9750b2b34d63f43eedd0e2cd5ec0d41d0b707cef1f9516a8871224
SSDEEP: 12288:bMrey90bxh54kVDp2VObPoPAFWTUjyNtaTxm3ZeGPO:xyExhikxp2cbPdFWTUj+/JeYO
Malware Config

Extracted: redline
down
193.233.20.31:4125
auth_value: 12c31a90c72f5efae8c053a0bd339381
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023c99-12.dat | healer
  behavioral1/memory/4032-15-0x0000000000770000-0x000000000077A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | h44Te36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h44Te36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h44Te36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h44Te36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h44Te36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h44Te36.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
  pid | Process
  696 | niba6731.exe
  4032 | h44Te36.exe
  3460 | iqtKv67.exe

Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | h44Te36.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | niba6731.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | niba6731.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iqtKv67.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4032 | h44Te36.exe
  4032 | h44Te36.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4032 | h44Te36.exe
  Token: SeDebugPrivilege | 3460 | iqtKv67.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1244 wrote to memory of 696 | 1244 | cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe | 83
  PID 1244 wrote to memory of 696 | 1244 | cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe | 83
  PID 1244 wrote to memory of 696 | 1244 | cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe | 83
  PID 696 wrote to memory of 4032 | 696 | niba6731.exe | 84
  PID 696 wrote to memory of 4032 | 696 | niba6731.exe | 84
  PID 696 wrote to memory of 3460 | 696 | niba6731.exe | 96
  PID 696 wrote to memory of 3460 | 696 | niba6731.exe | 96
  PID 696 wrote to memory of 3460 | 696 | niba6731.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe (PID 1244, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc7968355d1f27f4c1982fc33751ea232624b4a66c3d4a9d35497cb17d071378.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6731.exe (PID 696, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6731.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h44Te36.exe (PID 4032, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h44Te36.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iqtKv67.exe (PID 3460, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iqtKv67.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 403KB
MD5: 2ca9b15137fdf65665cd26e6d15b07cf
SHA1: 07aea4891f370d18e7af54aad6307c4eedf1a047
SHA256: 959ba1da00f831c8a9b667575b63e4349d4e88babb50644e838306d1083276bd
SHA512: 73a94bb7dbbda46fddbccef4811a91d92ae4449fa10557e29b915b899d235d6c153c744334ea5eaf624617a73da8639922b1b251318734cd7b9c37f3f9aec0d8

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 351KB
MD5: 0a6d9dcf4be626615970069d1c91365a
SHA1: 879f3d501b8328ce3e77dcd9826eea139c02219a
SHA256: 18d68d93c4bd08b010c5ded449b4e89d7c56d85081a91c8276c9c595886314cf
SHA512: 1a9335a9a199f6984214e07d053f739288497359b5799a395a6d51518f6c5b549f2804e116dac36ac30779ecec8232be982354e0314e697f83b9262155a3edbf