Analysis
max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-11-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe
Resource
win10v2004-20241007-en
General
Target
3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe
Size
1.3MB
MD5
cfdb853d39290853fc5e1d519117ba57
SHA1
7a27f02fa637fde74e451007e31c5119b0fff854
SHA256
3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e
SHA512
75526f6cd15155622e9fa4863cfe77deb3765f3207d72108f7fba2a44a0b12ce37eaf224607ec04d6574fb42f3c5c4b8df8ed6cbc610ef7da16d596f876c7618
SSDEEP
24576:1yL3+dueA7n2+HWZJCV48YC0dcIZtBUdMyYwvkMp7k:Qz+NK/2ZJCVFGdzZtq3YGko7
Malware Config
Extracted
redline
ronur
193.233.20.20:4134
auth_value
f88f86755a528d4b25f6f3628c460965
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\aNm13Ek.exe                      healer
behavioral1/memory/3616-35-0x00000000009C0000-0x00000000009CA000-memory.dmp   healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: aNm13Ek.exe
description       ioc                                                                                                                process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"         aNm13Ek.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     aNm13Ek.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     aNm13Ek.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   aNm13Ek.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                    aNm13Ek.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     aNm13Ek.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource                                                                       yara_rule
behavioral1/memory/3820-41-0x0000000004AE0000-0x0000000004B26000-memory.dmp    family_redline
behavioral1/memory/3820-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp    family_redline
behavioral1/memory/3820-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-107-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/3820-105-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/3820-103-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/3820-101-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/3820-99-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-97-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-95-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-93-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-91-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-89-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-77-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-73-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-87-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline
behavioral1/memory/3820-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp    family_redline

Redline family
Executes dropped EXE (6 IoCs)
Processes: nLX85Ex.exe, nDu61WN.exe, nPA11AG.exe, naC79ft.exe, aNm13Ek.exe, bBM79mq16.exe
pid    process
2564   nLX85Ex.exe
2084   nDu61WN.exe
4388   nPA11AG.exe
3560   naC79ft.exe
3616   aNm13Ek.exe
3820   bBM79mq16.exe

Windows security modification (1 IoC)
Processes: aNm13Ek.exe
description       ioc                                                                                     process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   aNm13Ek.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: 3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe, nLX85Ex.exe, nDu61WN.exe, nPA11AG.exe, naC79ft.exe
description       ioc                                                                                                                                                                                                                          process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   nLX85Ex.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   nDu61WN.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   nPA11AG.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""   naC79ft.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe, nLX85Ex.exe, nDu61WN.exe, nPA11AG.exe, naC79ft.exe, bBM79mq16.exe
description   ioc                                                             process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     nLX85Ex.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     nDu61WN.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     nPA11AG.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     naC79ft.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     bBM79mq16.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: aNm13Ek.exe
pid    process
3616   aNm13Ek.exe
3616   aNm13Ek.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: aNm13Ek.exe, bBM79mq16.exe
description               pid    process
Token: SeDebugPrivilege   3616   aNm13Ek.exe
Token: SeDebugPrivilege   3820   bBM79mq16.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe, nLX85Ex.exe, nDu61WN.exe, nPA11AG.exe, naC79ft.exe
description                         pid    process                                                                 target process
PID 2348 wrote to memory of 2564    2348   3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe   nLX85Ex.exe
PID 2348 wrote to memory of 2564    2348   3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe   nLX85Ex.exe
PID 2348 wrote to memory of 2564    2348   3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe   nLX85Ex.exe
PID 2564 wrote to memory of 2084    2564   nLX85Ex.exe                                                             nDu61WN.exe
PID 2564 wrote to memory of 2084    2564   nLX85Ex.exe                                                             nDu61WN.exe
PID 2564 wrote to memory of 2084    2564   nLX85Ex.exe                                                             nDu61WN.exe
PID 2084 wrote to memory of 4388    2084   nDu61WN.exe                                                             nPA11AG.exe
PID 2084 wrote to memory of 4388    2084   nDu61WN.exe                                                             nPA11AG.exe
PID 2084 wrote to memory of 4388    2084   nDu61WN.exe                                                             nPA11AG.exe
PID 4388 wrote to memory of 3560    4388   nPA11AG.exe                                                             naC79ft.exe
PID 4388 wrote to memory of 3560    4388   nPA11AG.exe                                                             naC79ft.exe
PID 4388 wrote to memory of 3560    4388   nPA11AG.exe                                                             naC79ft.exe
PID 3560 wrote to memory of 3616    3560   naC79ft.exe                                                             aNm13Ek.exe
PID 3560 wrote to memory of 3616    3560   naC79ft.exe                                                             aNm13Ek.exe
PID 3560 wrote to memory of 3820    3560   naC79ft.exe                                                             bBM79mq16.exe
PID 3560 wrote to memory of 3820    3560   naC79ft.exe                                                             bBM79mq16.exe
PID 3560 wrote to memory of 3820    3560   naC79ft.exe                                                             bBM79mq16.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f0c513879a2305ff78a4cac3b77d39790d007a418452115485b258894a94a3e.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2348

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLX85Ex.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLX85Ex.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2564

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nDu61WN.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nDu61WN.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2084

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nPA11AG.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nPA11AG.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 4388

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\naC79ft.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\naC79ft.exe
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID: 3560

                    [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\aNm13Ek.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\aNm13Ek.exe
                        - Modifies Windows Defender Real-time Protection settings
                        - Executes dropped EXE
                        - Windows security modification
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 3616

                    [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bBM79mq16.exe
                        Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bBM79mq16.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 3820
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize
1.1MB
MD5
e2e6cfcfbe6c288523c7f6092e2acd95
SHA1
5d49f9720d403293cfa22b870b56c4170d6dc9fb
SHA256
a2f5c0644225430a90d203aeef472bba61f6f91c7c627ab85402ad9db7741452
SHA512
9c02657242f8d5186a44039670d9669807043c37b702a6b55b9be476ee9c8ecf3c9010f2e3a5100967c8c1351c13557d2c6cc361e103495815a1293d19657a53

Filesize
951KB
MD5
743541b0b7adb9e8583d29f79068ee98
SHA1
fe331669f47bc9a8dd0361fefe59945ee01227de
SHA256
f15c91c2e0ba89e237f03aa3dfd814e215d890e50b89846c17b9055af37a090d
SHA512
76a2668fe3ce0cb43e75a740f41af9ddcdef515c2268f70e75bb9b4ad03ebe7f6afbc9d8a0fc88a67e6e1479b1e7d53dd68bb1733839a57713e40a99de3e7085

Filesize
677KB
MD5
39c97082a1cac7826931395ef18d240a
SHA1
2ba240e638ba824752523a084d4a1bf3a967a95c
SHA256
4685ad071c6f45243a665d8cfb5335bc629fa004c33a885a025df697c47d6948
SHA512
c37ab8ae04039eae2d506e7327956275099c873dcf7ae4686ae0d68ec521f9659133a8eca170981f5227273ada593f8536749e60d3c2fe772df55c078c06c38c

Filesize
396KB
MD5
1c8eea7bbf3b1f9758555b8a7221326b
SHA1
7932477c3fa13fb40e54656a851ed4f6dd86242a
SHA256
426a4ac670be9707498713ae792057c6281b56e1b6f9e627e33bfc62faebe327
SHA512
e3bfb59e0f633d32a59896b5e6e7f7fa1484d42a359da2fb219b130427c5a4578a606829255636a0e5518f877f7694cafa87272145b13f1a1a84e1bdbc8e127a

Filesize
11KB
MD5
7e93bacbbc33e6652e147e7fe07572a0
SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize
318KB
MD5
65dcd6c4a79771cc1a5b6c0f31fa91f4
SHA1
511c4b0699569cb11b979ac3e0a826cdd917beef
SHA256
b2c2e9d2cebc9f189795f075454b9f1a67f0b64c1069906aa951b9aa7e0db7a6
SHA512
5b27499e14591db81baf10afd6203dec7954227dbfe85fc0753911e7657e98a0a9ecca5d17053b4feb0efb238232e36fa55a2bb6aadd36cd1490d93e0a239e54