Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:16

Static task: static1
Behavioral task: behavioral1
  Sample: e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe
  Resource: win10v2004-20241007-en
General

Target: e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe
Size: 536KB
MD5: 15eef11bbfee05902fe0aaa1e80ca5b7
SHA1: 06bc71e146703c01507d334c3d46fed5ebf19767
SHA256: e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c
SHA512: 1fe4dc809cbb98dd92f40d1ec72968c9d931239b9273f1c4bbc25108970a1e9373f9318ec4460069cb94c9c49c61e8f7378ee6eb1d767170c7c4548b4be5191f
SSDEEP: 12288:TMrCy90pdGAwcdPqDu4RkQsMh84b6IDg/MVw4:5yGwyPqDuBwhR++g/I
Malware Config

Extracted
  family: redline
  botnet: rumfa
  C2: 193.233.20.24:4123
  auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource  yara_rule
  behavioral1/files/0x0008000000023c74-12.dat  healer
  behavioral1/memory/4868-15-0x0000000000980000-0x000000000098A000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  sw67Bf58CM49.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  sw67Bf58CM49.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  sw67Bf58CM49.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  sw67Bf58CM49.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  sw67Bf58CM49.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  sw67Bf58CM49.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
  pid   Process
  3608  vmi6887ih.exe
  4868  sw67Bf58CM49.exe
  1124  tez61Lm66.exe

Windows security modification
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  sw67Bf58CM49.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  vmi6887ih.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vmi6887ih.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tez61Lm66.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4868  sw67Bf58CM49.exe
  4868  sw67Bf58CM49.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4868  sw67Bf58CM49.exe
  Token: SeDebugPrivilege  1124  tez61Lm66.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4464 wrote to memory of 3608  4464  e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe  82
  PID 4464 wrote to memory of 3608  4464  e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe  82
  PID 4464 wrote to memory of 3608  4464  e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe  82
  PID 3608 wrote to memory of 4868  3608  vmi6887ih.exe                                                             84
  PID 3608 wrote to memory of 4868  3608  vmi6887ih.exe                                                             84
  PID 3608 wrote to memory of 1124  3608  vmi6887ih.exe                                                             94
  PID 3608 wrote to memory of 1124  3608  vmi6887ih.exe                                                             94
  PID 3608 wrote to memory of 1124  3608  vmi6887ih.exe                                                             94
Processes

C:\Users\Admin\AppData\Local\Temp\e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e90adcdb1f3cd3d10dd8573e3b2b60967969b8d61c86e3ca423454358086061c.exe"
  PID: 4464
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmi6887ih.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmi6887ih.exe
    PID: 3608
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw67Bf58CM49.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw67Bf58CM49.exe
      PID: 4868
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tez61Lm66.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tez61Lm66.exe
      PID: 1124
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 391KB
MD5: 23345435faf00a3238208ca8b35d0e5e
SHA1: 86c26c7c380de5edf6177fc74733eb2fe2be381f
SHA256: 070e05520a8fd71ae64233ea93dfd79e28874630a54e87ebd6bee8d3bb7e540b
SHA512: f40954399b2b05768206647faf2daaee1e36930ced09ea72fe3b7f48a0b5d882409ac38442dee181a193d1dca027d19295b925cbe9dfe2bb7ab8194af09253b7

Filesize: 17KB
MD5: 7f1bb8303e10f6ed91659f73f6ae9689
SHA1: e66944594ba0e30a5570069bf677c9a3ce8f3063
SHA256: e14d054624eed1cf405c797b10b12f4095efa2d0dcb3ed3f13032f12fc6ca7cf
SHA512: b8173e705481683ee0d187ae2878ec3eedd18291f7738b2a371f0560c1e7f87156300a4d6292aeee08fe50daf8637a5f3ffc290697eaad00c88e37ed8b834ad2

Filesize: 303KB
MD5: 12a07204bf4c65efdd968689ed260c4e
SHA1: 8430e5110448dc962c4191a1a06b05c4e3c1a140
SHA256: e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b
SHA512: 61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a