Analysis

- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 06:05

Static task: static1
Behavioral task: behavioral1
Sample: 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe
Resource: win10v2004-20241007-en
General

- Target: 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe
- Size: 538KB
- MD5: ec6d06c0c3128572c51d9cd366ff58b4
- SHA1: fb67e4e0d5058edeeb5d3ad4ea3ce686a1e79ed8
- SHA256: 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea
- SHA512: d315bf48186a312183c20375a72a3b123e121759fd939bf99d8a153c4093a42c5909be1440eec9b5fa9862ed715dafc8b258f5897ca82a998aa2c9effb6baeb9
- SSDEEP: 12288:aMrky905/aw6hxN6OvNBrrxTRaSnjPNbjRn7x7xTC:myu/4hxAqfLaSjPN/Rn7TW
Malware Config

Extracted
- Family: redline
- Botnet: rosto
- C2: hueref.eu:4162
- auth_value: 07d81eba8cad42bbd0ae60042d48eac6
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x000a000000023bd2-12.dat | healer |
| behavioral1/memory/3412-15-0x0000000000330000-0x000000000033A000-memory.dmp | healer |
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw14bT89KC77.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw14bT89KC77.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw14bT89KC77.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw14bT89KC77.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw14bT89KC77.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw14bT89KC77.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 756 | vkNX8973nK.exe |
| 3412 | sw14bT89KC77.exe |
| 4540 | tkMD84EW92Cz.exe |

Windows security modification (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw14bT89KC77.exe |
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vkNX8973nK.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vkNX8973nK.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tkMD84EW92Cz.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
| --- | --- |
| 3412 | sw14bT89KC77.exe |
| 3412 | sw14bT89KC77.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3412 | sw14bT89KC77.exe |
| Token: SeDebugPrivilege | 4540 | tkMD84EW92Cz.exe |

Suspicious use of WriteProcessMemory (8 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 5032 wrote to memory of 756 | 5032 | 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe | 83 |
| PID 5032 wrote to memory of 756 | 5032 | 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe | 83 |
| PID 5032 wrote to memory of 756 | 5032 | 1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe | 83 |
| PID 756 wrote to memory of 3412 | 756 | vkNX8973nK.exe | 84 |
| PID 756 wrote to memory of 3412 | 756 | vkNX8973nK.exe | 84 |
| PID 756 wrote to memory of 4540 | 756 | vkNX8973nK.exe | 93 |
| PID 756 wrote to memory of 4540 | 756 | vkNX8973nK.exe | 93 |
| PID 756 wrote to memory of 4540 | 756 | vkNX8973nK.exe | 93 |
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a0257c30d749e80a4a8d4545ac2c74d0f74c2d7c012813b83d89f924e3d53ea.exe"
  PID: 5032
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkNX8973nK.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkNX8973nK.exe
    PID: 756
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw14bT89KC77.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw14bT89KC77.exe
      PID: 3412
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkMD84EW92Cz.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkMD84EW92Cz.exe
      PID: 4540
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 393KB
  MD5: 654fd0bec230e0e835e505e3c7ed66ef
  SHA1: a612c5a00a88a805fb9b32133ebcd4eb40988ee1
  SHA256: 9498cd725c2ca2324a218ae5e65e63b36811ed7fbc0e2dcba768d6085b8a5313
  SHA512: 12c3e81c124c13cb6425e74d956653c239bb6bc339065908f7c37b34bd75683addd25943ce46afbcdfe89b056756db841d985b1c264191175159e6a194029a7b

- Filesize: 18KB
  MD5: 7734e8a50aae54a1291b3963737652b0
  SHA1: 72278d509514fcb94287072eb7254e8abc59d868
  SHA256: 4acdafbbad4576cc920a2311c78fd508fd6dc778d5525ce34e3a0432f137dbad
  SHA512: ef587f1aa3d08d778a99425469fb19617fd762bafc3a1390c818c29a337ef07ceb09b32174ac7eee19f3e1ed6bcf4957a812e3c0d1787bb76deda3a88cfd55d4

- Filesize: 308KB
  MD5: c08ea92c1d03fb367226765e9271415b
  SHA1: a7446c05eb491cbaeb1d528f96b4d6ba70017c2a
  SHA256: 5687174289cc28ecf2025e0aec313a18151361200f818a8e6d83123e4ad40388
  SHA512: a975c487c656bd35704a3a2da42c2cae28aa72c234295ffc4d4c87f2aa4f05889bc5bed1d6e41c4b5c7390808cc0fae7241577cbf538694eb0167de089400a1d