Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:40
Static task: static1
Behavioral task: behavioral1
Sample: 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe
Resource: win10v2004-20241007-en
General
Target: 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe
Size: 1.1MB
MD5: b6cd3facadb987fd507fba64b6098e78
SHA1: f153459f99f1fc4ab7e11030050701180e3e7e29
SHA256: 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca
SHA512: e4d4fb81dac520a500dc2915fc46bd84f8135b810c9ef0645c6cff7417114e8e4eaeb38e5b241b481cefd8474e4d45dbd6fe55d21c8d1cfa59efc61a73c2826c
SSDEEP: 24576:8yvT3ArusVvUb5l/NvjqMg+0aNCRRjY/+1Owt90atFOl4o:rvrArusVc5Rpv0mCbjHDt90a3D
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource                                                                       yara_rule
behavioral1/files/0x0008000000023c7e-32.dat                                    healer
behavioral1/memory/3212-35-0x0000000000760000-0x000000000076A000-memory.dmp    healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: bucI62hj56.exe
description      ioc                                                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"      bucI62hj56.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  bucI62hj56.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  bucI62hj56.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  bucI62hj56.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                  bucI62hj56.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  bucI62hj56.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Processes:
resource                                                                        yara_rule
behavioral1/memory/4672-41-0x0000000004AA0000-0x0000000004AE6000-memory.dmp     family_redline
behavioral1/memory/4672-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp     family_redline
behavioral1/memory/4672-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-107-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/4672-105-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/4672-103-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/4672-101-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/4672-99-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-95-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-93-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-91-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-89-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-87-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-77-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-73-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-97-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
behavioral1/memory/4672-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp     family_redline
Redline family
Executes dropped EXE (6 IoCs)
Processes: plVX40lV62.exe, plzP30pV87.exe, plER26Go57.exe, plel48DI47.exe, bucI62hj56.exe, caNf14GV61.exe
pid   Process
4304  plVX40lV62.exe
1080  plzP30pV87.exe
2192  plER26Go57.exe
1560  plel48DI47.exe
3212  bucI62hj56.exe
4672  caNf14GV61.exe
Windows security modification (1 IoC)
Processes: bucI62hj56.exe
description      ioc                                                                                  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  bucI62hj56.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: plER26Go57.exe, plel48DI47.exe, 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe, plVX40lV62.exe, plzP30pV87.exe
description      ioc                                                                                                                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  plER26Go57.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  plel48DI47.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  plVX40lV62.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  plzP30pV87.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe, plVX40lV62.exe, plzP30pV87.exe, plER26Go57.exe, plel48DI47.exe, caNf14GV61.exe
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plVX40lV62.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plzP30pV87.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plER26Go57.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plel48DI47.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  caNf14GV61.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: bucI62hj56.exe
pid   Process
3212  bucI62hj56.exe
3212  bucI62hj56.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: bucI62hj56.exe, caNf14GV61.exe
description              pid   Process
Token: SeDebugPrivilege  3212  bucI62hj56.exe
Token: SeDebugPrivilege  4672  caNf14GV61.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe, plVX40lV62.exe, plzP30pV87.exe, plER26Go57.exe, plel48DI47.exe
description                       pid   Process                                                                 procid_target
PID 4848 wrote to memory of 4304  4848  984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe  83
PID 4848 wrote to memory of 4304  4848  984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe  83
PID 4848 wrote to memory of 4304  4848  984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe  83
PID 4304 wrote to memory of 1080  4304  plVX40lV62.exe                                                          84
PID 4304 wrote to memory of 1080  4304  plVX40lV62.exe                                                          84
PID 4304 wrote to memory of 1080  4304  plVX40lV62.exe                                                          84
PID 1080 wrote to memory of 2192  1080  plzP30pV87.exe                                                          86
PID 1080 wrote to memory of 2192  1080  plzP30pV87.exe                                                          86
PID 1080 wrote to memory of 2192  1080  plzP30pV87.exe                                                          86
PID 2192 wrote to memory of 1560  2192  plER26Go57.exe                                                          87
PID 2192 wrote to memory of 1560  2192  plER26Go57.exe                                                          87
PID 2192 wrote to memory of 1560  2192  plER26Go57.exe                                                          87
PID 1560 wrote to memory of 3212  1560  plel48DI47.exe                                                          89
PID 1560 wrote to memory of 3212  1560  plel48DI47.exe                                                          89
PID 1560 wrote to memory of 4672  1560  plel48DI47.exe                                                          99
PID 1560 wrote to memory of 4672  1560  plel48DI47.exe                                                          99
PID 1560 wrote to memory of 4672  1560  plel48DI47.exe                                                          99
Processes
C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\984f8e6c7ad7ac4c89d98cd6946b5630369246a738492e160377a40b6780afca.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4848
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plVX40lV62.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4304
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzP30pV87.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1080
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plER26Go57.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2192
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe (depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plel48DI47.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1560
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe (depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bucI62hj56.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3212
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe (depth 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caNf14GV61.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 4672
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 997KB
MD5: 774ec1b85e2464f6dd976f5b6d45b951
SHA1: 6e4b495016df3bcc506f381aaff6f9c0db0349dc
SHA256: 4f63b81561c55d2c60e6f1f817c98ac047c030f2601ea0680e09a58afd4d303c
SHA512: d5694da3dbc49085ff15f484ef2cf972f78023737d3f13602accd38d2d4cf96086056e66fe7abed5ae47719fa20da59bc68ac517640a8e91e9c2c46ce6aa1651

Filesize: 894KB
MD5: 1670fe2dbe107a0ba3686654fae3a45e
SHA1: 116d8089e6f90247c212873f19e5aad458796628
SHA256: 033ee569e3c02d815de203af44e906d6689e4450c0c6884544be6da7945aa778
SHA512: 4d11865d0365c84236e88f36ff12abd0b1229b82b3d897b67fd20ace3497d3c4a1cf9bc16230a00027f2a2863e44ca9cb8f6744997dd920f19012baaa7613b9f

Filesize: 667KB
MD5: b3276b3addc278a3dd6ab5202a90ecf9
SHA1: e0accbc721bd261e1dd5f7ac9f33452312db9538
SHA256: 10ae59c17e79537fa44eb36f1bd02a577e020019e5bb4c9446189c8b08457534
SHA512: e07c1b25f2e940600ee4c121bfca2e45f26db4000acaf42cb45ddba5b5f8a9a59c43faccf55d9d96f2015f3e65ee8f1403be859b86709042f18c0342dce60eb3

Filesize: 391KB
MD5: 1adfa2e21a1b14455f10c6bdb3b5b7c8
SHA1: a64cd7a61ce216e6124d5e8515068db67041da93
SHA256: 67c3953eb171e68d650a29107070cf67108f67fa540ac2a2a35796d074994404
SHA512: eb9662c30bad9d5481558660e5f1078e7851ee674744496164c97019129aeeea7ed040ab59f3b32f3ca7e5d69b2fff47f695b5b2b2326fcbef069385bd012ca2

Filesize: 16KB
MD5: 7a509dfc2f1613b8abb6a38067f5e702
SHA1: 66a278d414da14ee48086943733e5f2090cdc50a
SHA256: 079a657f4163edff371bfd164a82e0e02d2aae7efabd0967ea1437c4c608686c
SHA512: 3d6a9438787e7e135def1877efe883b1e7542559b166925e30c8b8088a737d496ddc2cf68b96a8dc88988bc3a2d08f7b8a97c8227efc558418195a4594b8afb3

Filesize: 302KB
MD5: 47edc698fb60063cef4e63ee2d5d05bc
SHA1: 8f7bc644d7a378df490ab77d7b3b9b2a25a870fa
SHA256: 2561279e13e55b30c371c6d72c72bf9124697eec6395f1c1dfbbdd8ac3f5557f
SHA512: b6c7b5288217bd01efe5ee9ec396dc7471240749a9f8998ddec34f7a2a073bfaa062e4a72986d0dcb73e283dc60e0cfcd0885a2e68014598e86277dd80082715