Analysis
max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:06
Static task: static1
Behavioral task: behavioral1
Sample: d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe
Resource: win10v2004-20241007-en
General
Target: d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe
Size: 546KB
MD5: 43ca49221c02bd42766ac6dad10702ae
SHA1: e4fe1031fe1acc3b08cd17eae967d9531ec6b40e
SHA256: d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89
SHA512: e1d6033b5e24acb12fc130251968a38e8fd9a0a0faed596e341824d2740e06b3d57abbdf2d1de3159a3bb894ec233efc1a496f73e7c5e622c333100c03e14816
SSDEEP: 12288:EMrMy90+NMbTh30OOIU8xHVhncwbhlBR6e5LIQR1/04l:QyJSbTt0Oe+Pn7TTv5nx0k
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c5b-12.dat | healer
behavioral1/memory/1752-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw00bT66UN55.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw00bT66UN55.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw00bT66UN55.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw00bT66UN55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw00bT66UN55.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw00bT66UN55.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1436 | vrt6195Oh.exe
1752 | sw00bT66UN55.exe
992 | tcg54TE59.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw00bT66UN55.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vrt6195Oh.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vrt6195Oh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tcg54TE59.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1752 | sw00bT66UN55.exe
1752 | sw00bT66UN55.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1752 | sw00bT66UN55.exe
Token: SeDebugPrivilege | 992 | tcg54TE59.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3992 wrote to memory of 1436 | 3992 | d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe | 83
PID 3992 wrote to memory of 1436 | 3992 | d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe | 83
PID 3992 wrote to memory of 1436 | 3992 | d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe | 83
PID 1436 wrote to memory of 1752 | 1436 | vrt6195Oh.exe | 84
PID 1436 wrote to memory of 1752 | 1436 | vrt6195Oh.exe | 84
PID 1436 wrote to memory of 992 | 1436 | vrt6195Oh.exe | 95
PID 1436 wrote to memory of 992 | 1436 | vrt6195Oh.exe | 95
PID 1436 wrote to memory of 992 | 1436 | vrt6195Oh.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d26bf71541d6237c9a02fc221e8b9177570889cac6e6fd7b48c8e4a59f489b89.exe"
  PID: 3992
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrt6195Oh.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrt6195Oh.exe
    PID: 1436
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw00bT66UN55.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw00bT66UN55.exe
      PID: 1752
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tcg54TE59.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tcg54TE59.exe
      PID: 992
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Dropped file 1
Filesize: 401KB
MD5: 02116e2fe0c47772267ebfecc8125103
SHA1: c27057ee11099213ee9d7321f0c0b7892579f534
SHA256: 4869ef0a548f765a483a6adde6266279d636d9ddd4a1cd2e2b0766190f91f4f0
SHA512: 8424bebc9c6368ae3bacfa38099c2f1afaf45932c9a9e9cdc872fea4b95974be82963f4aadec92c57435a1767bb20d2fc356cc1f09ffac8bb0fc303945e4aba3
Dropped file 2
Filesize: 15KB
MD5: ac84da1dd3e3d42c347f21b7b99b1bc3
SHA1: a85b2953d180fe209d8640eddb215c098acd427b
SHA256: 701f2f0ca872e5460da2b6b818aae32e9560cb6a7263b08e2d0fd725507048f4
SHA512: a866c5c05b375ca2307e7bc1b3a391ca7509b75fb9d30b6894016caccde8e4b203921183732a920a13e9c68af574aa5a4314e5cbcf9f2e176a596b89b28b7f59
Dropped file 3
Filesize: 375KB
MD5: cd6966060f9f437f1933aba4b8703cca
SHA1: 9f69f3f9317a4a6526c99074bb851bc4a1c30788
SHA256: 24a0f1a482ffbadb53221d40b7669cfb6352b0ccffb786a595cfeb4d9805b9f0
SHA512: d7249fb6f039225e99d30293f69453c0c08a44bf12887d656d4e30fa896aaf51d31fab132ed6840ffe0f305f3ce8cf0be315835bf221745a7b4dac27640c1929