Analysis

max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:43

Static task: static1
Behavioral task: behavioral1
Sample: d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe
Resource: win10v2004-20241007-en
General

Target: d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe
Size: 1.2MB
MD5: 343b47797904e4c7bbbce712089ef8ca
SHA1: d112832df05afda7cd58f45fa05cd02179f91073
SHA256: d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886
SHA512: ed6dd9507f4a92de9a8818508508785978d59eb3ba4bc5b06f1169095a5d7804989e8683a8461953b0e0981ccfabe348a4563c19ae189a6c65beadcb27c36581
SSDEEP: 24576:dyUopVQkwUlpWUk9B85F7Dv6tiuQR+hHNOK7FAHg57xtKLVltc0qtxsSbT:41pBwepWFki57tZmkvyHqV
Malware Config

Extracted
redline
rumfa
193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe | healer
behavioral1/memory/3128-35-0x0000000000670000-0x000000000067A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buzs11NX83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buzs11NX83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buzs11NX83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buzs11NX83.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buzs11NX83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buzs11NX83.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2028-41-0x0000000004D40000-0x0000000004D86000-memory.dmp | family_redline
behavioral1/memory/2028-43-0x0000000004DC0000-0x0000000004E04000-memory.dmp | family_redline
behavioral1/memory/2028-55-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-57-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-107-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-105-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-103-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-101-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-99-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-97-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-93-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-91-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-90-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-87-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-85-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-83-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-81-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-79-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-78-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-75-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-73-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-71-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-69-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-67-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-65-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-63-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-61-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-59-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-53-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-51-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-50-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-95-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-47-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-45-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
behavioral1/memory/2028-44-0x0000000004DC0000-0x0000000004DFE000-memory.dmp | family_redline
Redline family

Executes dropped EXE (6 IoCs)
Processes:
pid | process
4864 | plqj38xY71.exe
1624 | plzI91tT83.exe
4972 | pluF45LF77.exe
1868 | plpf85uR70.exe
3128 | buzs11NX83.exe
2028 | catQ29Bo67.exe

Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buzs11NX83.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plzI91tT83.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | pluF45LF77.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plpf85uR70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plqj38xY71.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plqj38xY71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plzI91tT83.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pluF45LF77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plpf85uR70.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | catQ29Bo67.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3128 | buzs11NX83.exe
3128 | buzs11NX83.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3128 | buzs11NX83.exe
Token: SeDebugPrivilege | 2028 | catQ29Bo67.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description | pid | process | target process
PID 1844 wrote to memory of 4864 | 1844 | d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe | plqj38xY71.exe
PID 1844 wrote to memory of 4864 | 1844 | d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe | plqj38xY71.exe
PID 1844 wrote to memory of 4864 | 1844 | d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe | plqj38xY71.exe
PID 4864 wrote to memory of 1624 | 4864 | plqj38xY71.exe | plzI91tT83.exe
PID 4864 wrote to memory of 1624 | 4864 | plqj38xY71.exe | plzI91tT83.exe
PID 4864 wrote to memory of 1624 | 4864 | plqj38xY71.exe | plzI91tT83.exe
PID 1624 wrote to memory of 4972 | 1624 | plzI91tT83.exe | pluF45LF77.exe
PID 1624 wrote to memory of 4972 | 1624 | plzI91tT83.exe | pluF45LF77.exe
PID 1624 wrote to memory of 4972 | 1624 | plzI91tT83.exe | pluF45LF77.exe
PID 4972 wrote to memory of 1868 | 4972 | pluF45LF77.exe | plpf85uR70.exe
PID 4972 wrote to memory of 1868 | 4972 | pluF45LF77.exe | plpf85uR70.exe
PID 4972 wrote to memory of 1868 | 4972 | pluF45LF77.exe | plpf85uR70.exe
PID 1868 wrote to memory of 3128 | 1868 | plpf85uR70.exe | buzs11NX83.exe
PID 1868 wrote to memory of 3128 | 1868 | plpf85uR70.exe | buzs11NX83.exe
PID 1868 wrote to memory of 2028 | 1868 | plpf85uR70.exe | catQ29Bo67.exe
PID 1868 wrote to memory of 2028 | 1868 | plpf85uR70.exe | catQ29Bo67.exe
PID 1868 wrote to memory of 2028 | 1868 | plpf85uR70.exe | catQ29Bo67.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d04da2f02bd3b4f90ce3e2def12684d50ca1cb61f228d97bd6e3cda7682b9886.exe"
   PID: 1844
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plqj38xY71.exe
      PID: 4864
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plzI91tT83.exe
         PID: 1624
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pluF45LF77.exe
            PID: 4972
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpf85uR70.exe
               PID: 1868
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buzs11NX83.exe
                  PID: 3128
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\catQ29Bo67.exe
                  PID: 2028
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: c0053e31c324db2105ab52c26a206594
SHA1: 85d130ea355e8b7ef065853364406e10b2f5e043
SHA256: 80dfaf2707a30f38656cf44b5750258c4afe9b77bbc6978c32939fed950327e9
SHA512: a7e0751e9dc0c42a4da1749320327bcbe1db1308145b729f9c4b7bdb76b61d55e0f7d3adc1683b1a46cd9caadebd33187f68c358c5f58bc0dc5102f9101c8691

Filesize: 971KB
MD5: ead81aab5c72c0008a63cd730fd8ba68
SHA1: 8f808674ff5718bfb625019d30c9c35293b6c8c3
SHA256: a6d3b1868954e1f77fd7724f33742f6391c7b2288410bb9d66de3be50393a07a
SHA512: bd6df85059194f31e5d51ff2d3ad35d23f8cdf8f1b117d0c8cff4096c23289094d30a86bcc7f0e4e55cbcf02d37dd5e81e08f64fba3b597e9d9725a7467a60a8

Filesize: 690KB
MD5: 90fa26abbea9e64a4a6166fabd599f67
SHA1: 17385c349ff4f15e1b3cd9851e2e7b6ccf864a3e
SHA256: 5cecae691a9581f2145d6e9316a16e31d35a80a0908c4677561366081f2f0928
SHA512: f35e21946f8c32458a7fe6bf74940887f547a30c06d6213a8589e48a33b532a96b97b7beeb4d0de7b18ce1d5a5c42682b6e95de518eacc96d3c5e64110b42d28

Filesize: 403KB
MD5: 89085cf8b80e7f334fff4f34050ab249
SHA1: f19db77e77f2e3fb247ff6a15a6e04f71f95aa63
SHA256: ca202b199ce4628b4ea25c9390b44722eeba99f4b194afa29dd4b6202319f17d
SHA512: 69406017ffc40eda7891d97980bd164ed6c8709b3e23cb534f13d4074b556b32e7fa9ee21022ad8f9122ee80fe0f19bf0d4a1960b16cb5a3b964df4c731f2aa4

Filesize: 15KB
MD5: 1d11fb3a60485a4fc8e87ab6b11edf01
SHA1: 82fe9d8c490142692afc8273df8e15828ed9253f
SHA256: 1556efc221b6b09ac945bf9f586ed4e256cd77b710689a5d7a7f3161ea19d2b5
SHA512: 80a17be977a596440da6809f1fdf05af08e03fb32dfc297577dda4ce69febc405edb488c860e7070e2207bb881f218a87db2b6254dcc87192c81ea11b168bac4

Filesize: 378KB
MD5: 0699a3dd8a0bfbef309a3c474b22b56d
SHA1: 8f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA256: 0fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA512: 6dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd