Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe
- Resource: win10v2004-20241007-en
General
- Target: 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe
- Size: 1.1MB
- MD5: dbaa8e4b4433c3fc22ad1ac43b8261fe
- SHA1: 0c6ee36bf3d00d52891424b16fc486d8a79fad5f
- SHA256: 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3
- SHA512: 666b2a83f52070c8ca7d01d9ee7248b59c381aa8ee47efada709600662fb11653977a04edf232a04c2d04dfa113683963d1a47c4d87e14f6a4072ea6b5aea32a
- SSDEEP: 24576:AyLnccy0pb+ggRA5u9feiy6PzNK2TZCKVl75s07DAW2XfwuAV:HLccy0p4lcKXTZF375s075Yfe
Malware Config
Extracted
- redline
- rumfa
- 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
- behavioral1/files/0x000b000000023b8c-33.dat: healer
- behavioral1/memory/1284-35-0x00000000009B0000-0x00000000009BA000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (ijq28CK70.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (ijq28CK70.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (ijq28CK70.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (ijq28CK70.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (ijq28CK70.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (ijq28CK70.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Redline family
-
Executes dropped EXE (6 IoCs)
pid | Process
- 2212: vmxj11GD85.exe
- 380: vmuZ57MA69.exe
- 4968: vmXk06gx55.exe
- 924: vmhZ99Jv09.exe
- 1284: ijq28CK70.exe
- 2716: ken45nJ33.exe
Windows security modification (1 IoCs)
description | ioc | Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (ijq28CK70.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (vmxj11GD85.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (vmuZ57MA69.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (vmXk06gx55.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (vmhZ99Jv09.exe)
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmhZ99Jv09.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ken45nJ33.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmxj11GD85.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmuZ57MA69.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vmXk06gx55.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 1284: ijq28CK70.exe
- 1284: ijq28CK70.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 1284 | ijq28CK70.exe
- Token: SeDebugPrivilege | 2716 | ken45nJ33.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
- PID 756 wrote to memory of 2212 | 756 | 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | 83
- PID 756 wrote to memory of 2212 | 756 | 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | 83
- PID 756 wrote to memory of 2212 | 756 | 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | 83
- PID 2212 wrote to memory of 380 | 2212 | vmxj11GD85.exe | 84
- PID 2212 wrote to memory of 380 | 2212 | vmxj11GD85.exe | 84
- PID 2212 wrote to memory of 380 | 2212 | vmxj11GD85.exe | 84
- PID 380 wrote to memory of 4968 | 380 | vmuZ57MA69.exe | 87
- PID 380 wrote to memory of 4968 | 380 | vmuZ57MA69.exe | 87
- PID 380 wrote to memory of 4968 | 380 | vmuZ57MA69.exe | 87
- PID 4968 wrote to memory of 924 | 4968 | vmXk06gx55.exe | 88
- PID 4968 wrote to memory of 924 | 4968 | vmXk06gx55.exe | 88
- PID 4968 wrote to memory of 924 | 4968 | vmXk06gx55.exe | 88
- PID 924 wrote to memory of 1284 | 924 | vmhZ99Jv09.exe | 89
- PID 924 wrote to memory of 1284 | 924 | vmhZ99Jv09.exe | 89
- PID 924 wrote to memory of 2716 | 924 | vmhZ99Jv09.exe | 98
- PID 924 wrote to memory of 2716 | 924 | vmhZ99Jv09.exe | 98
- PID 924 wrote to memory of 2716 | 924 | vmhZ99Jv09.exe | 98
Processes

1. C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe"
   PID: 756
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe
      PID: 2212
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe
         PID: 380
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe
            PID: 4968
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe
               PID: 924
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe
                  PID: 1284
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe
                  PID: 2716
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads