Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:38
Static task: static1
Behavioral task: behavioral1
Sample: 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe
Resource: win10v2004-20241007-en
General

Target: 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe
Size: 1.2MB
MD5: 8d20a27a86ed0c526ff4b794dfef2081
SHA1: f3f4adca073d2f14564aed8fb4f1943d146ae1bf
SHA256: 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250
SHA512: 67625f800f80a9dc5d520e6ab1957722a5954e7c9921a84ad4a2f1bbc0c58a246be04570835252d375e792ec2b9b74ac3626de39a376634199855391216f3710
SSDEEP: 24576:RyRo3bk5cV2qvFSCjLn6NvaAcxOUi85DuK4R5OxrQ:EREbk5I13665bQjR5Cr
Malware Config

Extracted
family: redline
botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)

resource | yara_rule
behavioral1/files/0x000b000000023b3d-32.dat | healer
behavioral1/memory/2028-35-0x0000000000100000-0x000000000010A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buDv25sm57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buDv25sm57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buDv25sm57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buDv25sm57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buDv25sm57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buDv25sm57.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)

resource | yara_rule
behavioral1/memory/468-41-0x0000000004C00000-0x0000000004C46000-memory.dmp | family_redline
behavioral1/memory/468-43-0x0000000007200000-0x0000000007244000-memory.dmp | family_redline
behavioral1/memory/468-53-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-59-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-105-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-103-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-101-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-99-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-97-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-95-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-93-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-91-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-87-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-85-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-83-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-81-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-79-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-77-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-75-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-71-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-69-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-67-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-65-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-63-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-61-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-57-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-55-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-51-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-49-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-107-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-89-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-73-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-47-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-45-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline
behavioral1/memory/468-44-0x0000000007200000-0x000000000723E000-memory.dmp | family_redline

Redline family
Executes dropped EXE (6 IoCs)

pid | Process
4072 | plyN02bs41.exe
2916 | plMm51FR13.exe
1368 | plKv25bP68.exe
2684 | plph32cs45.exe
2028 | buDv25sm57.exe
468 | caCs31BO17.exe
Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buDv25sm57.exe
Adds Run key to start application (2 TTPs, 5 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plyN02bs41.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plMm51FR13.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plKv25bP68.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plph32cs45.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plyN02bs41.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plMm51FR13.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plKv25bP68.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plph32cs45.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caCs31BO17.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
2028 | buDv25sm57.exe
2028 | buDv25sm57.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2028 | buDv25sm57.exe
Token: SeDebugPrivilege | 468 | caCs31BO17.exe
Suspicious use of WriteProcessMemory (17 IoCs)

description | pid | Process | procid_target
PID 4532 wrote to memory of 4072 | 4532 | 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe | 83
PID 4532 wrote to memory of 4072 | 4532 | 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe | 83
PID 4532 wrote to memory of 4072 | 4532 | 70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe | 83
PID 4072 wrote to memory of 2916 | 4072 | plyN02bs41.exe | 84
PID 4072 wrote to memory of 2916 | 4072 | plyN02bs41.exe | 84
PID 4072 wrote to memory of 2916 | 4072 | plyN02bs41.exe | 84
PID 2916 wrote to memory of 1368 | 2916 | plMm51FR13.exe | 85
PID 2916 wrote to memory of 1368 | 2916 | plMm51FR13.exe | 85
PID 2916 wrote to memory of 1368 | 2916 | plMm51FR13.exe | 85
PID 1368 wrote to memory of 2684 | 1368 | plKv25bP68.exe | 86
PID 1368 wrote to memory of 2684 | 1368 | plKv25bP68.exe | 86
PID 1368 wrote to memory of 2684 | 1368 | plKv25bP68.exe | 86
PID 2684 wrote to memory of 2028 | 2684 | plph32cs45.exe | 88
PID 2684 wrote to memory of 2028 | 2684 | plph32cs45.exe | 88
PID 2684 wrote to memory of 468 | 2684 | plph32cs45.exe | 97
PID 2684 wrote to memory of 468 | 2684 | plph32cs45.exe | 97
PID 2684 wrote to memory of 468 | 2684 | plph32cs45.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70a43af38d2e6a88a61517343c7d551da214f8adfaf0e84fa23c4cdce2149250.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4532

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plyN02bs41.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4072

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plMm51FR13.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2916

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plKv25bP68.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1368

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plph32cs45.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2684

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe (depth 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buDv25sm57.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2028

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe (depth 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caCs31BO17.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 468
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: e0c35602be7da19803cb89c11e4c6e39
SHA1: aa7566ee524b765bb787a396a949ffcbbadf5b23
SHA256: 98b512fca8b1ad10b9d8fa9e1b2499048a7e9130052b9be6574ad5e60219b7df
SHA512: 5d2c4b28631670482bbabd627b71569d42efc5bd70c2ee32e75e39b9e8795718b570face65ae36a3dc78b2624a6b257eb8ec0203cafefd454fcbc31ed5d55415

Filesize: 960KB
MD5: 91a3839a7ac86cc0104916d1e9f6fc24
SHA1: 25f621d58d798d4487b847b8e64b91e5235a36a2
SHA256: 7271dc29643f1752c641ab335d895ac3c33b478c1cbc330bd101a70d35eb3258
SHA512: 106d13a1e7378474a9dbd842f09f193adc90f53f3a42c272d760d624f612d98fbcdbb96420ed2b57412c03b99ac0ca630bf295d54b0066484b1672972dc9ae10

Filesize: 683KB
MD5: 44aee835bf016de29e3dc03dfbb3ed2c
SHA1: 7e6b255d0991ead4926726771fbff85abcb31229
SHA256: fb1811659550bb0ccc6d8cbf027b6bd3bc17db5503cee776ae6c9d1b3436851b
SHA512: ac7ea9d8d531402ba7914e6d18a4cc96013d93aef3d347af0b47ce3d6c6a2990e3fa1ff11af609fadc743b073dac767e0f57ef701f3385f7bdbe5b716a29c446

Filesize: 399KB
MD5: 1dc7c8e54178cd0538ba61b01087affe
SHA1: 10376dcd765f0450fc488de4e14cfd36ec6406af
SHA256: 6943ab5b1d4a95bf1de8d82907b49e7a8da793e24765273b6eaf693a62519cf1
SHA512: 2f6e85e1b08d25ef45c62d426ea43b84125324c107204de2f7ac4d1696b83f3f4fcc14c0a041eee58b921b13d06472a0544f3d8947a2fe866c2ed880128970f0

Filesize: 14KB
MD5: cdabe16419916af7392f3c86e413e9eb
SHA1: e70006f38cee3304a5fdb83b4ac23e5b99a1dd79
SHA256: 0a3f2e1c58f4948d8d41c202cfd80757f988cef7a2cfe2a88bcc7f0e5ea4d352
SHA512: 50d50c1454227de4fdc7b527b62ed5d378fbeccfbdcb1a7d929495ecb0dc87479dd51fcaf6a53c40fc218c3dc8a0d4a543da1a1ea30dcf511ee4c11e161000cb

Filesize: 375KB
MD5: 47b1a20db297f70b1d9db60ea51d14d9
SHA1: b55664710122138d23e0e295dcade2b9aea41120
SHA256: 80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287
SHA512: e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288