Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:38

Static task: static1
Behavioral task: behavioral1
Sample: 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe
Resource: win10v2004-20241007-en
General

Target: 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe
Size: 526KB
MD5: aec5aa7361363e04942ee3ae2f165359
SHA1: eccf66a4fcc849bbe8025b3a13f327a514791dbb
SHA256: 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed
SHA512: 644cdb87b6079671947f01e3c15fff1cf26ab1640a6110bdbc909914427831ef4f26b2f8101571276b7a1d685a7b05c29279c0f28a02a25368429279f53a330c
SSDEEP: 12288:QMr+y901f4eKeaHg8YBLKfKX7QVtI78DI5:+y2fMgQKK5I
Malware Config

Extracted
Family: redline
Botnet: fud
C2: 193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x000b000000023b99-12.dat | healer
behavioral1/memory/3096-14-0x0000000000170000-0x000000000017A000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sf78aR01nm25.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sf78aR01nm25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sf78aR01nm25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sf78aR01nm25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sf78aR01nm25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sf78aR01nm25.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3244-22-0x0000000004C40000-0x0000000004C86000-memory.dmp | family_redline
behavioral1/memory/3244-24-0x0000000004CC0000-0x0000000004D04000-memory.dmp | family_redline
behavioral1/memory/3244-40-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-44-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-88-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-86-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-84-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-82-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-80-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-78-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-76-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-74-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-70-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-68-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-66-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-64-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-62-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-60-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-58-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-54-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-52-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-50-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-48-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-46-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-42-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-38-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-36-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-34-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-32-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-30-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-72-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-56-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-28-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-26-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
behavioral1/memory/3244-25-0x0000000004CC0000-0x0000000004CFE000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
Processes:
pid | Process
1636 | vhuC3623xy.exe
3096 | sf78aR01nm25.exe
3244 | tf63Yo43Rm45.exe
Windows security modification
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sf78aR01nm25.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vhuC3623xy.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
4344 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vhuC3623xy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tf63Yo43Rm45.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | Process
3096 | sf78aR01nm25.exe
3096 | sf78aR01nm25.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3096 | sf78aR01nm25.exe
Token: SeDebugPrivilege | 3244 | tf63Yo43Rm45.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | Process | procid_target
PID 3108 wrote to memory of 1636 | 3108 | 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe | 83
PID 3108 wrote to memory of 1636 | 3108 | 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe | 83
PID 3108 wrote to memory of 1636 | 3108 | 4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe | 83
PID 1636 wrote to memory of 3096 | 1636 | vhuC3623xy.exe | 84
PID 1636 wrote to memory of 3096 | 1636 | vhuC3623xy.exe | 84
PID 1636 wrote to memory of 3244 | 1636 | vhuC3623xy.exe | 95
PID 1636 wrote to memory of 3244 | 1636 | vhuC3623xy.exe | 95
PID 1636 wrote to memory of 3244 | 1636 | vhuC3623xy.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4d1a005e00413abeaa4f32646bf83cddd5a94ddef86dc7abb25cc1649e3e02ed.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3108

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe (level 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhuC3623xy.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1636

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe (level 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78aR01nm25.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3096

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe (level 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf63Yo43Rm45.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3244

C:\Windows\system32\sc.exe (level 1)
Command line: C:\Windows\system32\sc.exe start wuauserv
- Launches sc.exe
PID: 4344
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1
Downloads

Filesize: 382KB
MD5: 9149d5a0bd1737ba1f6381f4fae4667d
SHA1: 7fe21301e9209e1d28e91d99e39ec11067fadc8b
SHA256: 4c2dae1c8dcc0b1abf4947699b3ff8e4a5eb1e0204f2899d6cb9940f0a732e57
SHA512: 9e32a96699327b76076af15e15b4c9e50c7eb355477de00fa0863eaafa88b794d0f4997950e84f20c9af5014d8737baffac7c1075cd6cf645e5d8548f481d2b8

Filesize: 11KB
MD5: d92b91121dea7658c75a880b913c6800
SHA1: 23b4816c2f4abea3b2e6b7731d523929fe6ddaf5
SHA256: 911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd
SHA512: c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Filesize: 364KB
MD5: 0fb36e6dfd2286b0bb7e48c476a3f73b
SHA1: 38801c7ea1faf291cb471397c38630a305518828
SHA256: edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e
SHA512: 95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d