Analysis
max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-11-2024 01:45
Static task
static1
Behavioral task
behavioral1
Sample
57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe
Resource
win10v2004-20241007-en
General
Target
57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe
Size
1.0MB
MD5
a59f74335dba2ee3784a912fb95c99ad
SHA1
390606afc93c98c64584780673cd0d63911aff3a
SHA256
57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b
SHA512
c52e229dbf9aa290e6729da3d7f71550d772b54e90c62883e73b1c21f2f7fceab9c7860b27c4fdf193b314aeb1223694015e9e78cfdce710beeb845a6f7e4690
SSDEEP
24576:gyAPTegi+wo5VsOapuol7vAjg6OAL67MhxSWA8:nAPyg/wQVvIhSapH
Malware Config
Extracted
redline
ramon
C2
193.233.20.23:4123
auth_value
3197576965d9513f115338c233015b40
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe, yara_rule healer
- resource behavioral1/memory/3896-28-0x0000000000F00000-0x0000000000F0A000-memory.dmp, yara_rule healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes:
- bTV34RD30.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- bTV34RD30.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- bTV34RD30.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- bTV34RD30.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- bTV34RD30.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- bTV34RD30.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
All 35 matches are memory dumps of PID 4132 (cyg96SF31.exe) hit by yara_rule family_redline:
- behavioral1/memory/4132-34-0x00000000024C0000-0x0000000002506000-memory.dmp
- behavioral1/memory/4132-36-0x0000000004CB0000-0x0000000004CF4000-memory.dmp
- behavioral1/memory/4132-N-0x0000000004CB0000-0x0000000004CEE000-memory.dmp, 33 snapshots of the same region, for N in 37, 38, 40, 42, 44, 47, 48, 50, 52, 54, 56, 58, 61, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100

Redline family
Executes dropped EXE (5 IoCs)
Processes:
- PID 3256 pTJ31jO62.exe
- PID 4600 ptd85Or28.exe
- PID 1708 pZm47bK52.exe
- PID 3896 bTV34RD30.exe
- PID 4132 cyg96SF31.exe

Windows security modification (1 IoC)
Processes:
- bTV34RD30.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
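The Defender writes above are worth turning into a detection, because the Healer stage touches two different places: five Disable* values under the Real-Time Protection policy key, and TamperProtection under the Defender Features key, which is not a policy value at all. A rule scoped to the Policies hive alone misses the second one. The following is an added example, not code from the sandbox or from the report; the event shape ({"process", "op", "key", "value"}) is an assumption about how the registry table flattens, and the records are transcribed by hand from the bTV34RD30.exe entries plus one benign write from the same report.

```python
"""Flag Windows Defender tampering in sandbox registry-write records.

Added example, not part of the sandbox report. The event shape is an
assumption; the key paths and values are transcribed from the Healer
entries shown for bTV34RD30.exe.
"""
from dataclasses import dataclass

# Policy key whose Disable* values switch off real-time protection components.
RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
                  r"\Real-Time Protection")
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Not a policy value: it lives under the Defender Features key, so a rule
# that only watches the Policies hive never sees this write.
TAMPER_PROTECTION_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender"
                           r"\Features\TamperProtection")


@dataclass(frozen=True)
class Finding:
    process: str
    setting: str
    reason: str


def flag_defender_tampering(events):
    """Return one Finding per 'Set value' write that weakens Defender.

    'Key created' rows are ignored on purpose: the policy key can exist
    legitimately with no disabling values, so only value writes are judged.
    """
    findings = []
    for ev in events:
        if ev.get("op") != "Set value":
            continue
        key = ev["key"]
        data = str(ev.get("value", "")).strip('"')
        parent, _, name = key.rpartition("\\")
        if parent.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
            findings.append(Finding(ev["process"], name,
                                    "real-time protection component disabled via policy"))
        elif key.lower() == TAMPER_PROTECTION_VALUE.lower() and data == "0":
            findings.append(Finding(ev["process"], "TamperProtection",
                                    "tamper protection switched off"))
    return findings


def by_process(findings):
    """Group the settings each process touched, sorted for stable output."""
    out = {}
    for f in findings:
        out.setdefault(f.process, []).append(f.setting)
    return {proc: sorted(settings) for proc, settings in out.items()}


# Constructed records: the six Healer writes from the report, the 'Key created'
# row, and one of the outer extractor's RunOnce cleanup writes (must not fire).
SAMPLE_EVENTS = [
    {"process": "bTV34RD30.exe", "op": "Key created", "key": RTP_POLICY_KEY, "value": None},
    {"process": "bTV34RD30.exe", "op": "Set value", "key": RTP_POLICY_KEY + r"\DisableIOAVProtection", "value": 1},
    {"process": "bTV34RD30.exe", "op": "Set value", "key": RTP_POLICY_KEY + r"\DisableOnAccessProtection", "value": 1},
    {"process": "bTV34RD30.exe", "op": "Set value", "key": RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "value": 1},
    {"process": "bTV34RD30.exe", "op": "Set value", "key": RTP_POLICY_KEY + r"\DisableScanOnRealtimeEnable", "value": 1},
    {"process": "bTV34RD30.exe", "op": "Set value", "key": RTP_POLICY_KEY + r"\DisableBehaviorMonitoring", "value": 1},
    {"process": "bTV34RD30.exe", "op": "Set value", "key": TAMPER_PROTECTION_VALUE, "value": 0},
    {"process": "57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe", "op": "Set value",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
]

if __name__ == "__main__":
    for proc, settings in by_process(flag_defender_tampering(SAMPLE_EVENTS)).items():
        print(f"{proc}: {', '.join(settings)}")
```

Running it on the constructed records yields exactly one process, bTV34RD30.exe, with all five policy values and TamperProtection; the RunOnce write is left alone. In a live environment the same logic applies to Sysmon EventID 13 (RegistryEvent value set) records once the key path and data fields are mapped onto the assumed dict shape.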
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- pTJ31jO62.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- ptd85Or28.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- pZm47bK52.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- cyg96SF31.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- pTJ31jO62.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ptd85Or28.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- pZm47bK52.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 3896 bTV34RD30.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 3896 bTV34RD30.exe: Token: SeDebugPrivilege
- PID 4132 cyg96SF31.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (parent PID → child PID, parent process → child process):
- 404 → 3256: 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe → pTJ31jO62.exe (3 writes)
- 3256 → 4600: pTJ31jO62.exe → ptd85Or28.exe (3 writes)
- 4600 → 1708: ptd85Or28.exe → pZm47bK52.exe (3 writes)
- 1708 → 3896: pZm47bK52.exe → bTV34RD30.exe (2 writes)
- 1708 → 4132: pZm47bK52.exe → cyg96SF31.exe (3 writes)
Processes (indented by depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe"
    PID: 404
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pTJ31jO62.exe
      PID: 3256
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptd85Or28.exe
        PID: 4600
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pZm47bK52.exe
          PID: 1708
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bTV34RD30.exe
            PID: 3896
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cyg96SF31.exe
            PID: 4132
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
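Two of the signatures above describe one mechanism. The IXP000.TMP to IXP003.TMP directories and the wextract_cleanupN RunOnce values are what a WEXTRACT (IExpress) self-extracting package leaves behind: each layer unpacks the next into a fresh IXP00N.TMP directory, launches it, and registers a RunOnce value that only calls advpack.dll's DelNodeRunDLL32 on that directory. So the "Adds Run key to start application" hits are the extractor's self-cleanup, not an autorun for the payload, and the WriteProcessMemory chain is four extractor layers ending in the Healer and RedLine stages. The following is an added example, not code from the sandbox or the report: it parses the two IoC tables (transcribed by hand, one row per line, which is an assumption about how the report flattens them) and links each IXP stage to the process that scheduled its deletion and the executables that process launched.

```python
"""Rebuild the nested self-extractor chain from two of the report's IoC tables.

Added example, not part of the sandbox report. The rows are transcribed by
hand from the 'Suspicious use of WriteProcessMemory' and 'Adds Run key to
start application' signatures; the row layouts the regexes expect are
assumptions about how the report flattens those tables.
"""
import re

# One WriteProcessMemory row: "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
WRITE_ROW = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<pimg>\S+) (?P<cimg>\S+)"
)
# One wextract_cleanupN RunOnce row: stage number, the IXP00N.TMP directory
# handed to advpack.dll!DelNodeRunDLL32, and the process that wrote the value.
CLEANUP_ROW = re.compile(
    r'wextract_cleanup(?P<stage>\d+) = "rundll32\.exe .*?advpack\.dll,DelNodeRunDLL32 '
    r'.*?(?P<dir>IXP\d{3}\.TMP).*?" (?P<proc>\S+)'
)

# Constructed input: the 14 WriteProcessMemory rows from the report.
WRITE_ROWS = """\
PID 404 wrote to memory of 3256 404 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe pTJ31jO62.exe
PID 404 wrote to memory of 3256 404 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe pTJ31jO62.exe
PID 404 wrote to memory of 3256 404 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe pTJ31jO62.exe
PID 3256 wrote to memory of 4600 3256 pTJ31jO62.exe ptd85Or28.exe
PID 3256 wrote to memory of 4600 3256 pTJ31jO62.exe ptd85Or28.exe
PID 3256 wrote to memory of 4600 3256 pTJ31jO62.exe ptd85Or28.exe
PID 4600 wrote to memory of 1708 4600 ptd85Or28.exe pZm47bK52.exe
PID 4600 wrote to memory of 1708 4600 ptd85Or28.exe pZm47bK52.exe
PID 4600 wrote to memory of 1708 4600 ptd85Or28.exe pZm47bK52.exe
PID 1708 wrote to memory of 3896 1708 pZm47bK52.exe bTV34RD30.exe
PID 1708 wrote to memory of 3896 1708 pZm47bK52.exe bTV34RD30.exe
PID 1708 wrote to memory of 4132 1708 pZm47bK52.exe cyg96SF31.exe
PID 1708 wrote to memory of 4132 1708 pZm47bK52.exe cyg96SF31.exe
PID 1708 wrote to memory of 4132 1708 pZm47bK52.exe cyg96SF31.exe
"""

# Constructed input: the four RunOnce rows from the report, one per line.
RUNONCE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 57894dc585c12b582e6dfa1116fa65b16ed1f85819d26a224fd1202c1c915f4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" pTJ31jO62.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ptd85Or28.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" pZm47bK52.exe
'''


def parse_write_rows(text):
    """Collapse repeated per-write rows into (parent, child) edges with a
    write count, and collect a pid -> image name map along the way."""
    edges, images = {}, {}
    for m in WRITE_ROW.finditer(text):
        parent, child = int(m["parent"]), int(m["child"])
        images[parent], images[child] = m["pimg"], m["cimg"]
        edges[(parent, child)] = edges.get((parent, child), 0) + 1
    return edges, images


def build_tree(edges):
    """parent pid -> list of child pids, in first-seen order."""
    tree = {}
    for parent, child in edges:
        tree.setdefault(parent, []).append(child)
    return tree


def root_of(tree):
    """The one pid that is a parent but never a child."""
    children = {c for kids in tree.values() for c in kids}
    roots = [p for p in tree if p not in children]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    return roots[0]


def depth(tree, pid):
    """Number of process levels from pid down to its deepest descendant."""
    return 1 + max((depth(tree, kid) for kid in tree.get(pid, [])), default=0)


def path_to(tree, root, target):
    """Parent chain from root to target as pids; empty if unreachable."""
    if root == target:
        return [root]
    for kid in tree.get(root, []):
        sub = path_to(tree, kid, target)
        if sub:
            return [root] + sub
    return []


def parse_cleanup_rows(text):
    """stage number -> (IXP directory, process that registered the cleanup)."""
    return {int(m["stage"]): (m["dir"], m["proc"]) for m in CLEANUP_ROW.finditer(text)}


def link_stages(tree, images, cleanup):
    """For each cleanup entry, name the extractor that wrote it and the
    executables that extractor started (its WriteProcessMemory children)."""
    pid_of = {img: pid for pid, img in images.items()}
    stages = []
    for stage in sorted(cleanup):
        directory, proc = cleanup[stage]
        launched = [images[c] for c in tree.get(pid_of[proc], [])]
        stages.append({"stage": stage, "dir": directory, "extractor": proc, "launched": launched})
    return stages


if __name__ == "__main__":
    edges, images = parse_write_rows(WRITE_ROWS)
    tree = build_tree(edges)
    root = root_of(tree)
    print("RedLine lineage:", " -> ".join(images[p] for p in path_to(tree, root, 4132)))
    for s in link_stages(tree, images, parse_cleanup_rows(RUNONCE_ROWS)):
        print(f"stage {s['stage']}: {s['dir']} unpacked by {s['extractor']}, launched {s['launched']}")
```

The output ties stage 3 (IXP003.TMP, registered by pZm47bK52.exe) to both bTV34RD30.exe and cyg96SF31.exe, which matches the process tree: the last extractor layer drops the Healer disabler and the RedLine stealer side by side. For triage this means the files to pull are whatever landed in IXP003.TMP, and the RunOnce values can be ignored as persistence but kept as a packer fingerprint.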
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize
932KB
MD5
0cc645bfebbee83ae73f2ac67a44e234
SHA1
4458ddc13d90bc8399e5cc547e14a2845a9dcaf5
SHA256
7420260bf221aa05d429e7f4bd9ce6b0b4070baa410944869dbb17d3b6f8e10f
SHA512
d8b32d5550f147b703dc86600de7c2bc6cec826d37a7dce71770dcc03b38622988710eb613fc08fd246d2d81517c239d9c1d78b09a091f8782d187fa9251e557

Filesize
664KB
MD5
3eb3cccf02026e0dd174dac928d3a81d
SHA1
7a7048c147a524452ea36c86286b77e3564cfd32
SHA256
454ede7721a8519b453335674e0f18bbcd9b7c2202cc0391d8880aca37af3752
SHA512
9a016e66b13bfe5d13d177b26b49dfa1ca6322551b9aa78c5d7da442b3c55911dace26237226ab4e9704062471066491306dfeb8d0ed20d4b01bf36e2c554a6c

Filesize
390KB
MD5
8312e11efc3b3e96080fd917e04a70a7
SHA1
0e7d59876755c8891cbf706748d0abde231b97fa
SHA256
1c9b912ec71b43c46f45cd154e27b8cb3edd93f44a49a1b9f02d594bad6d2da2
SHA512
ae62ced526d11d0c6f2c93962834a7ddd92a9b8b2b045bee17213515a7edc614880940943b66854ae0ed989ba3ab03ea33543bdea00bdc4d62c57203797ad4e8

Filesize
11KB
MD5
4759c87cb8aae3b368ce489ed3888406
SHA1
428b9a715af61d129a9a86145884f344a557f1aa
SHA256
48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62
SHA512
e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

Filesize
309KB
MD5
43808d4cb75be409d7906b2dd00a55cb
SHA1
7c05ec44a25709bbf577a9a2b64305148267a461
SHA256
6376d0c48599313b92671dd50ea2d30842c10ac8e3a7943d4f4e6d017fb5a4c7
SHA512
44f4232365eb392b55cd0bbdcdd1f4dc4c9f5f2a9b2f698258b26a5f25dfdbaf422498c0f21a8dc7a2fb2a81611e8c9b192c2c2db2486f8240f28809ae3f9609