Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 01:29
Static task
static1
Behavioral task
behavioral1
Sample
8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe
Resource
win10v2004-20241007-en
General
-
Target
8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe
-
Size
526KB
-
MD5
12a34e963d3620745fc33d5bcbcbcc26
-
SHA1
c8444dd1e6fc3502df7f4988c0d0dd5f57907f95
-
SHA256
8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282
-
SHA512
407641c25c5db0965a665bd0c063a1d94cd574abfd3e1f99a433468ca22eb81823d00c80194d11e8dd57e10e1f555b1e6317c0c43423c8979474a2bfc735cd82
-
SSDEEP
12288:4MrLy90UmTJiG367NUZUCVtmnD1daye8eVWa1:DypkdT9sayefW2
Malware Config
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf62FC75Uc93.exe healer
behavioral1/memory/2032-15-0x00000000006A0000-0x00000000006AA000-memory.dmp healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection sf62FC75Uc93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sf62FC75Uc93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sf62FC75Uc93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sf62FC75Uc93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sf62FC75Uc93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sf62FC75Uc93.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource yara_rule
behavioral1/memory/704-21-0x0000000002680000-0x00000000026C6000-memory.dmp family_redline
behavioral1/memory/704-23-0x0000000004B70000-0x0000000004BB4000-memory.dmp family_redline
behavioral1/memory/704-<n>-0x0000000004B70000-0x0000000004BAE000-memory.dmp family_redline, for the 33 snapshots n = 24, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 68, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87 (the same region of PID 704 matched repeatedly over the run)
-
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
pid process
3116 vhyL5650tt.exe
2032 sf62FC75Uc93.exe
704 tf99UC18ZD75.exe
-
Windows security modification 1 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sf62FC75Uc93.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vhyL5650tt.exe
Both values are the self-cleanup entries that the IExpress self-extractor stub (wextract) writes so that its IXP00n.TMP extraction directory is deleted at next logon via advpack.dll DelNodeRunDLL32; they are an artifact of the nested SFX packaging, not persistence for the dropped payloads.
-
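As an added example (not part of the sandbox report, and not any vendor's detection content), the following Python classifies registry-write telemetry for the three behaviours reported above: the Real-Time Protection policy writes that Healer makes, Tamper Protection being switched off, and Run/RunOnce autostart entries, with the wextract self-cleanup entries downgraded to informational so they do not masquerade as persistence. The record shape (process, operation, key, value name, data) is an assumption, not a real log format; map a source such as Sysmon Event ID 13 onto it. The sample events mirror the report's IoCs, except the final "Updater" event, which is a constructed counter-example with a hypothetical process name.

```python
"""Classify Windows registry writes for Defender-disabling and autostart
behaviour. Added example; record format and sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    process: str            # image name that performed the write
    operation: str          # "create" or "set"
    key: str                # full key path (native \REGISTRY\MACHINE or HKLM form)
    value_name: str = ""
    data: str = ""          # value data rendered as a string


# Real-Time Protection policy values that switch off a Defender component when set to 1.
DEFENDER_RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"

# wextract (IExpress SFX stub) registers a RunOnce entry that deletes its IXP<nnn>.TMP
# extraction directory via advpack!DelNodeRunDLL32. That is cleanup, not persistence.
WEXTRACT_CLEANUP = re.compile(
    r"advpack\.dll,DelNodeRunDLL32\s+\"?[^\"]*\\IXP\d{3}\.TMP\\", re.I)


def normalise_key(key: str) -> str:
    """Strip the hive prefix and any WOW6432Node node so 32- and 64-bit writes compare equal."""
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", "", key, flags=re.I)
    k = re.sub(r"^(HKLM|HKEY_LOCAL_MACHINE)\\", "", k, flags=re.I)
    return re.sub(r"\\WOW6432Node", "", k, flags=re.I)


def classify(ev: RegEvent) -> Optional[tuple]:
    """Return (severity, reason) for an interesting event, else None."""
    key = normalise_key(ev.key)
    if key.lower() == DEFENDER_RTP_KEY.lower():
        if (ev.operation == "set" and ev.value_name in DEFENDER_DISABLE_VALUES
                and ev.data.strip() == "1"):
            return ("high", f"{ev.process} disabled Defender {ev.value_name}")
        if ev.operation == "create":
            return ("medium", f"{ev.process} created the Defender Real-Time Protection policy key")
    if (key.lower() == TAMPER_KEY.lower() and ev.value_name == "TamperProtection"
            and ev.data.strip() == "0"):
        return ("high", f"{ev.process} turned Tamper Protection off")
    if ev.operation == "set" and re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.I):
        if WEXTRACT_CLEANUP.search(ev.data):
            return ("info", f"{ev.process} wextract cleanup RunOnce ({ev.value_name})")
        return ("medium", f"{ev.process} added autostart entry {ev.value_name}")
    return None


def triage(events) -> dict:
    """Group findings by severity; any 'high' finding is worth an alert on its own."""
    out = {"high": [], "medium": [], "info": []}
    for ev in events:
        hit = classify(ev)
        if hit:
            out[hit[0]].append(hit[1])
    return out


# Constructed events mirroring the report's IoCs; the last one is a hypothetical
# genuine persistence entry for contrast (not observed in the report).
SAMPLE_EVENTS = [
    RegEvent("sf62FC75Uc93.exe", "create",
             r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"),
    RegEvent("sf62FC75Uc93.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
             "DisableRealtimeMonitoring", "1"),
    RegEvent("sf62FC75Uc93.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features",
             "TamperProtection", "0"),
    RegEvent("vhyL5650tt.exe", "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    RegEvent("example.exe", "set",   # hypothetical, for contrast
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Users\Admin\AppData\Roaming\upd.exe"),
]

if __name__ == "__main__":
    for severity, items in triage(SAMPLE_EVENTS).items():
        for item in items:
            print(f"[{severity}] {item}")
```

Running the block prints two high findings (the Real-Time Protection disable and the Tamper Protection write), two medium ones (the policy key creation and the hypothetical Run entry) and one informational wextract cleanup line; the distinction is what keeps a nested IExpress package from being triaged as a persistence mechanism.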
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
3064 sc.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhyL5650tt.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tf99UC18ZD75.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
2032 sf62FC75Uc93.exe
2032 sf62FC75Uc93.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2032 sf62FC75Uc93.exe
Token: SeDebugPrivilege 704 tf99UC18ZD75.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 4500 wrote to memory of 3116 4500 8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe vhyL5650tt.exe
PID 4500 wrote to memory of 3116 4500 8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe vhyL5650tt.exe
PID 4500 wrote to memory of 3116 4500 8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe vhyL5650tt.exe
PID 3116 wrote to memory of 2032 3116 vhyL5650tt.exe sf62FC75Uc93.exe
PID 3116 wrote to memory of 2032 3116 vhyL5650tt.exe sf62FC75Uc93.exe
PID 3116 wrote to memory of 704 3116 vhyL5650tt.exe tf99UC18ZD75.exe
PID 3116 wrote to memory of 704 3116 vhyL5650tt.exe tf99UC18ZD75.exe
PID 3116 wrote to memory of 704 3116 vhyL5650tt.exe tf99UC18ZD75.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe (PID 4500, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cef5c3cae70c0ca19368de4ab2b94426ec8eb2b5df49dda6b89bc954c457282.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyL5650tt.exe (PID 3116, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhyL5650tt.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf62FC75Uc93.exe (PID 2032, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf62FC75Uc93.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf99UC18ZD75.exe (PID 704, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf99UC18ZD75.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\sc.exe (PID 3064, depth 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize
382KB
MD5
413300fe45450c0f77b42b0d22add65f
SHA1
4d78a008d73e938cc40bcfff05fe8f7ac82331c2
SHA256
1b6032d8755bb82ea8e6fa007ee5ae17202eafeeae70b5fa88350829cac3d361
SHA512
48f87974a705171b1d8cd221618553048f18a9e75047399f85ab2b8df4fcda0162c01920a108570650a22a3440879115df664b02baaf8be6ca351c76bd2adb95
-
Filesize
11KB
MD5
3cb1768049acea810f774e5322411bc2
SHA1
e04d19f0127e366611919b226a2e34b7b655299c
SHA256
df99b1482b471387ab39fd89a701dd9a7027d1ca8e6970b7e46329d257df369a
SHA512
caf238337af1288f8fbf76ba8fa9dfe788828cf1a1185355cdfb7c890fd28be00b02ab923b1d294a8aac3a08ec615d8e9e2e87f44ef6c651d7cd7ea151f6cb76
-
Filesize
364KB
MD5
0fb36e6dfd2286b0bb7e48c476a3f73b
SHA1
38801c7ea1faf291cb471397c38630a305518828
SHA256
edb3b7633dd16579b23dc83d9950c525d7a9c2bec60785c04dc3b63ea3eaba8e
SHA512
95c334ce7bae2ccdff2bf4f288c544a2d87946405b723367df421de635a8037167aaeb9b655dd48f8ed9a10a5cfad6b25b4bfd5dc88e99c26ded8e4d694de64d