Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:29
Static task: static1
Behavioral task: behavioral1
Sample: 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe
Resource: win10v2004-20241007-en
General
Target: 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe
Size: 548KB
MD5: fb2970582d8f80d67da1ce73178363ee
SHA1: 60c1708b06131009577b7d301cd48783128ace8d
SHA256: 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196
SHA512: e5643791d797dff35a152a18b5821a4b1f439db2b62b063f451f975ad8fd97d11ec5e514c955a4bdb2d4ae567d2bee00f630af1fc62993d3e8c9d8df850d93b4
SSDEEP: 12288:2MrAy90O4wJHkMkmtrf4/hBZ9Pba7ygGuNnfE5C/IiXjGT:2yX46ATh3Na9GN5CHzGT
Malware Config
Extracted
Family: redline
Botnet: rouch
C2: 193.56.146.11:4162
auth_value: 1b1735bcfc122c708eae27ca352568de
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe | healer
behavioral1/memory/2928-15-0x0000000000FC0000-0x0000000000FCA000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw58On66bQ13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw58On66bQ13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw58On66bQ13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw58On66bQ13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw58On66bQ13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw58On66bQ13.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1856-22-0x0000000004C70000-0x0000000004CB6000-memory.dmp | family_redline
behavioral1/memory/1856-24-0x00000000077C0000-0x0000000007804000-memory.dmp | family_redline
behavioral1/memory/1856-62-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-72-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-88-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-86-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-84-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-82-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-78-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-76-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-74-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-70-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-68-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-66-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-64-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-60-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-58-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-57-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-52-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-50-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-48-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-46-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-44-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-42-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-40-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-38-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-36-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-32-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-30-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-28-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-80-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-54-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-34-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-26-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
behavioral1/memory/1856-25-0x00000000077C0000-0x00000000077FE000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | process
4064 | vNf4638mF.exe
2928 | sw58On66bQ13.exe
1856 | tOw90YK94.exe

Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw58On66bQ13.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vNf4638mF.exe

Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | process
4884 | sc.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vNf4638mF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tOw90YK94.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
2928 | sw58On66bQ13.exe
2928 | sw58On66bQ13.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2928 | sw58On66bQ13.exe
Token: SeDebugPrivilege | 1856 | tOw90YK94.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 3700 wrote to memory of 4064 | 3700 | 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe | vNf4638mF.exe
PID 3700 wrote to memory of 4064 | 3700 | 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe | vNf4638mF.exe
PID 3700 wrote to memory of 4064 | 3700 | 34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe | vNf4638mF.exe
PID 4064 wrote to memory of 2928 | 4064 | vNf4638mF.exe | sw58On66bQ13.exe
PID 4064 wrote to memory of 2928 | 4064 | vNf4638mF.exe | sw58On66bQ13.exe
PID 4064 wrote to memory of 1856 | 4064 | vNf4638mF.exe | tOw90YK94.exe
PID 4064 wrote to memory of 1856 | 4064 | vNf4638mF.exe | tOw90YK94.exe
PID 4064 wrote to memory of 1856 | 4064 | vNf4638mF.exe | tOw90YK94.exe
Processes

C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34a18231f4a3ae47e7b188ee1618ac2160360cc81e115b9bae8a894c8a197196.exe"
  PID: 3700
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vNf4638mF.exe
    PID: 4064
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58On66bQ13.exe
      PID: 2928
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tOw90YK94.exe
      PID: 1856
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 4884
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 404KB
MD5: c0c33cf810fdb47cb4721224d986e7a6
SHA1: ccebf3c8038d4dfd16910762e50dff58855c1635
SHA256: 49df001768c7bd2b08299c34dfff0cc0abf619877895074e1755d8ed40a86246
SHA512: a79751661ed9a7a62eabe60a46839240ae3e6374d2530f0baa598416d5981f9267eb23949408794f7c8ed63e60825aa78dc76c3e1bdb18bea41a8574df487573

Filesize: 12KB
MD5: 54f85f7d6f119c4c6ce62bb6003e0d5d
SHA1: e39a4faa69ce89c2f5ceca8c7579fbe9b46f12e0
SHA256: d4c2342989b2b4efc2771685d7231e943881c987fb564ce155c32a7e16722d4b
SHA512: cfebb160c38ea3ca3e20cec4ac52f69c67fd7ed7e7d2cbcd598c3e0e608a0e397e3b7ca835de1db2c8621da0bcc36643694b484090d1dbee433058439694e543

Filesize: 380KB
MD5: a3da8951bb23f305fd251958e8535aa4
SHA1: ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54
SHA256: 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a
SHA512: be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d