Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 00:39

Static task: static1
Behavioral task: behavioral1
- Sample: b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe
- Resource: win10v2004-20241007-en
General
- Target: b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe
- Size: 667KB
- MD5: 8fda420dbb77b59ce7d8995d7ce9a6d0
- SHA1: a76d7e57175cb2168a1333e877a951ee3da7ffbd
- SHA256: b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3f
- SHA512: 9ccdedc09139da0d64efa65c3f99b7dc1ea9e390cab9f95f477164700a5f1d10f7ffed72cb06231257b396a921865e797e71ab9035824f59cec4eaf708c5022b
- SSDEEP: 12288:cMr5y90wNrInfTxnUkpzRV5fTFdHyQpIMTzX+F0SqtvGPwIwcPYXymXF975V/:VyJNrUfT1U2zP5fvHbh6F0Lv2dgBFV/
Malware Config
Extracted
- redline
- rouch
- 193.56.146.11:4162
- auth_value: 1b1735bcfc122c708eae27ca352568de
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x0008000000023cbb-12.dat: healer
- behavioral1/memory/4132-15-0x00000000007D0000-0x00000000007DA000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (budx05Wy04.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (budx05Wy04.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (budx05Wy04.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (budx05Wy04.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (budx05Wy04.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (budx05Wy04.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid / Process:
- 2564: plUK26eA70.exe
- 4132: budx05Wy04.exe
- 4220: caxZ80jN89.exe
Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (budx05Wy04.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (plUK26eA70.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plUK26eA70.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (caxZ80jN89.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 4132: budx05Wy04.exe
- 4132: budx05Wy04.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege; 4132 budx05Wy04.exe
- Token: SeDebugPrivilege; 4220 caxZ80jN89.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target:
- PID 3996 wrote to memory of 2564; 3996 b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe; procid_target 83
- PID 3996 wrote to memory of 2564; 3996 b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe; procid_target 83
- PID 3996 wrote to memory of 2564; 3996 b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe; procid_target 83
- PID 2564 wrote to memory of 4132; 2564 plUK26eA70.exe; procid_target 84
- PID 2564 wrote to memory of 4132; 2564 plUK26eA70.exe; procid_target 84
- PID 2564 wrote to memory of 4220; 2564 plUK26eA70.exe; procid_target 96
- PID 2564 wrote to memory of 4220; 2564 plUK26eA70.exe; procid_target 96
- PID 2564 wrote to memory of 4220; 2564 plUK26eA70.exe; procid_target 96
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b181667efb14e7995d6cf06c90459fa8def7691babb0aa63a1ab6cb1ab8b3b3fN.exe"
  PID: 3996
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUK26eA70.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUK26eA70.exe
    PID: 2564
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\budx05Wy04.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\budx05Wy04.exe
      PID: 4132
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caxZ80jN89.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caxZ80jN89.exe
      PID: 4220
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads