Analysis
  max time kernel: 143s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  submitted: 09/11/2024, 05:08
Static task: static1
Behavioral task: behavioral1
  Sample: adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe
  Resource: win10v2004-20241007-en
General
  Target: adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe
  Size: 546KB
  MD5: 247c9249a9c171a46cd2d2912b7cc0fe
  SHA1: 2f85c61f45086be9a1635a6dbe6d2c7345ba8d35
  SHA256: adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6
  SHA512: 74db9d2804cc334955dc55100532487a087b41c558051e70a8635da32593e3ab309b6ed36dddf3027cd52e89967f8a7b956e293900ec16c5cbb1b1f84f288f12
  SSDEEP: 12288:GMrXy90M3fEob6FFI1NiJDWn5stqwLtohshATbgK:tyLff6FFWNu9ZAgK
Malware Config
Extracted
  Family: redline
  Botnet: down
  C2: 193.233.20.31:4125
  auth_value: 12c31a90c72f5efae8c053a0bd339381
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x0008000000023c8b-12.dat                                   healer
  behavioral1/memory/3440-15-0x0000000000F20000-0x0000000000F2A000-memory.dmp  healer
Both hits belong to PID 3440, pro0170.exe, the process that rewrites the Defender policy keys below.
Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
  description      ioc                                                                                                                   Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                   pro0170.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    pro0170.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        pro0170.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    pro0170.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    pro0170.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro0170.exe
All five values are written under the Policies hive, so the dropper is forging a Group Policy setting rather than going through Defender's management interface. On a host with Tamper Protection enabled Defender does not honor locally written values like these; the writes are a high-fidelity indicator whether or not they take effect.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2904-22-0x0000000002940000-0x0000000002986000-memory.dmp  family_redline
  behavioral1/memory/2904-24-0x00000000029C0000-0x0000000002A04000-memory.dmp  family_redline
  behavioral1/memory/2904-25-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-26-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-28-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-30-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-32-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-34-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-36-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-38-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-40-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-42-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-44-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-46-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-48-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-51-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-52-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-54-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-56-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-58-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-60-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-62-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-64-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-66-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-68-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-70-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-72-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-74-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-76-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-78-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-80-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-82-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-84-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-86-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
  behavioral1/memory/2904-88-0x00000000029C0000-0x00000000029FE000-memory.dmp  family_redline
All 35 hits are in PID 2904, qu7983.exe; after the first two snapshots the rule keeps matching the same 0x29C0000-0x29FE000 region, i.e. the unpacked RedLine payload stays resident there for the rest of the run.
Redline family
Executes dropped EXE (3 IoCs)
  pid   Process
  3748  unio4229.exe
  3440  pro0170.exe
  2904  qu7983.exe

Windows security modification (1 IoC)
  description      ioc                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro0170.exe
This value is itself tamper-protected on current builds, so a direct registry write to it is ignored on a host where Tamper Protection is already on; the attempt is still a strong AV-disabler indicator.
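The two Defender signatures above (the five Real-Time Protection policy values and the TamperProtection flag) are the kind of write a detection rule should bundle per process rather than alert on one at a time. The following is an added example by the editor, not part of the sandbox output: it classifies Sysmon Event ID 13 (RegistryEvent, value set) records against those paths, and the sample events are constructed from the report's IoCs. The `threshold` argument, the label names and the extra DisableAntiSpyware path (which does not appear in this report) are this example's own choices.

```python
"""Detection logic for the Defender-disabling registry writes listed in this report.

Added example, not part of the sandbox output: the Sysmon Event ID 13 (RegistryEvent,
value set) records below are constructed from the report's IoCs, and the `threshold`
and label names are this example's own choices.
"""
import re
from collections import defaultdict

# Policy key under which pro0170.exe set five Disable* values to 1 (from the report).
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Tamper Protection flag the same process set to 0 (from the report).
TAMPER_PROTECTION = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
# Not in this report: the engine-wide kill switch other AV disablers use (added by the editor).
DISABLE_ANTISPYWARE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"

# Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; the sandbox renders it as '"1"'.
_DWORD_RE = re.compile(r"(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)")
_BARE_INT_RE = re.compile(r'"?(-?\d+)"?')


def normalize_path(path):
    """Map the NT object-manager form used in the report (REGISTRY\\MACHINE prefix) and the
    Sysmon form (HKLM prefix) onto one spelling so a single rule matches both sources."""
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    return path.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\")


def parse_dword(details):
    """Return the integer from a Sysmon or sandbox Details string, or None for non-integer data."""
    m = _DWORD_RE.search(details)
    if m:
        return int(m.group(1), 16)
    m = _BARE_INT_RE.fullmatch(details.strip())
    return int(m.group(1)) if m else None


def classify(target_object, details):
    """Label one value-set event, or return None when it is not a Defender-disabling write.

    Writing 0 to a Disable* policy value re-enables protection and is deliberately not flagged."""
    path = normalize_path(target_object)
    key, _, value_name = path.rpartition("\\")
    data = parse_dword(details)
    if data is None:
        return None
    if key.lower() == RTP_POLICY_KEY.lower() and value_name.lower().startswith("disable") and data != 0:
        return f"defender_rtp_disabled:{value_name}"
    if path.lower() == TAMPER_PROTECTION.lower() and data == 0:
        return "defender_tamper_protection_off"
    if path.lower() == DISABLE_ANTISPYWARE.lower() and data != 0:
        return "defender_engine_disabled"
    return None


def detect(events, threshold=2):
    """Group Defender-disabling writes by (Image, ProcessId) and return only processes that
    made at least `threshold` distinct ones. Bundling by process is what separates a dropper
    like Healer, which rewrites the whole Real-Time Protection key, from a single stray write."""
    per_process = defaultdict(set)
    for event in events:
        label = classify(event["TargetObject"], event["Details"])
        if label:
            per_process[(event["Image"], event["ProcessId"])].add(label)
    return {proc: sorted(labels) for proc, labels in per_process.items() if len(labels) >= threshold}


# Constructed sample telemetry: the six writes the report attributes to pro0170.exe (PID 3440),
# in a mix of Sysmon and NT path spellings, plus two benign DWORD writes by svchost.exe.
HEALER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0170.exe"
SAMPLE_EVENTS = [
    {"Image": HEALER_IMAGE, "ProcessId": 3440, "Details": "DWORD (0x00000001)",
     "TargetObject": RTP_POLICY_KEY + "\\" + name}
    for name in ("DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
                 "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")
] + [
    {"Image": HEALER_IMAGE, "ProcessId": 3440, "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    # Policy refresh re-enabling real-time monitoring: value 0, must not be flagged.
    {"Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1234, "Details": "DWORD (0x00000000)",
     "TargetObject": RTP_POLICY_KEY + r"\DisableRealtimeMonitoring"},
    # Unrelated DWORD write: must not be flagged.
    {"Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1234, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect"},
]

if __name__ == "__main__":
    for (image, pid), labels in detect(SAMPLE_EVENTS).items():
        print(f"{image} (PID {pid}): {', '.join(labels)}")
```

Run against the constructed events, only pro0170.exe (PID 3440) is returned, with all six labels; the svchost.exe writes (a re-enable to 0 and an unrelated key) produce nothing. Lowering `threshold` to 1 turns the rule into a per-write alert, which is noisier on hosts where Group Policy legitimately manages these values.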
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  unio4229.exe
Both RunOnce entries are the standard IExpress (wextract) self-extractor cleanup: at next logon advpack.dll's DelNodeRunDLL32 deletes the IXP00n.TMP staging directory. They show that the outer sample and unio4229.exe are nested IExpress packages, not that the stealer persists through them.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                    Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  unio4229.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu7983.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3440  pro0170.exe
  3440  pro0170.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3440  pro0170.exe
  Token: SeDebugPrivilege  2904  qu7983.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                                                   procid_target
  PID 832 wrote to memory of 3748  832   adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe  83
  PID 832 wrote to memory of 3748  832   adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe  83
  PID 832 wrote to memory of 3748  832   adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe  83
  PID 3748 wrote to memory of 3440  3748  unio4229.exe                                                             85
  PID 3748 wrote to memory of 3440  3748  unio4229.exe                                                             85
  PID 3748 wrote to memory of 2904  3748  unio4229.exe                                                             94
  PID 3748 wrote to memory of 2904  3748  unio4229.exe                                                             94
  PID 3748 wrote to memory of 2904  3748  unio4229.exe                                                             94
Processes
C:\Users\Admin\AppData\Local\Temp\adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe  (PID 832, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\adb6e933fdf8fa3748b48f3e79915f18a39c67592b68b44d18138f1ca7831de6.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4229.exe  (PID 3748, depth 2, child of 832)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4229.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0170.exe  (PID 3440, depth 3, child of 3748)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0170.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7983.exe  (PID 2904, depth 3, child of 3748)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7983.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
  Filesize: 404KB
  MD5: 3f6805d52e751bb3896c281c3ae657b5
  SHA1: 823ee3016335d6c45c405c8dcff5b030a116508f
  SHA256: 6969ec2d4292f1319a373fcd538dc05e220562c93d39c43a50478aa67dcf262e
  SHA512: 8795756dbc38f68ef6c2f72ae247d7431dba36651c1b0c1b34316f9ff7888e632131bdc4ee6a6e7353e5608690514255362be5b7e910d7510f6fea5a5d0aecd9

  Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  Filesize: 358KB
  MD5: 2b3aa530547b6f14224cafbba499c283
  SHA1: 8f094ff51b70044507d58aac0e71a0310c5948e9
  SHA256: 3298fb1f36c4e1ab513024e4464427c152832b15125b7b9371dd1934727fe0a5
  SHA512: 284bad08b07789c783e54fcbe1b63fe6a095abda9095ffc3e12e86ccc539c9a4d286ebe26668a1806f881c558294dd0bf85cbf689566b9ae5bb04ff9c661e68c