Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe
- Resource: win10v2004-20241007-en
General
- Target: 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe
- Size: 556KB
- MD5: beefd852bd36260e61d7666a54e62fbd
- SHA1: 8b91d3f5027c6d09903d2885c52b63c5c4bfdeb4
- SHA256: 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce
- SHA512: 6fc0dfa11bc504d98505f793006f2d2e137b03324988d6757ce79f197671c06fe348e71b0a582d85cdd98c3c79770d94f30674e43051186c2cb533af65498ca5
- SSDEEP: 12288:0Mrgy90PySK4ei1dwaCVAzFTibf2rSGlG2dUsINkQ:syeei1aai8Ti7dGlGiUsINd
Malware Config
Extracted
- Family: redline
- fud
- 193.233.20.27:4123
- auth_value: cddc991efd6918ad5321d80dac884b40
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe: healer
- behavioral1/memory/4212-15-0x00000000006B0000-0x00000000006BA000-memory.dmp: healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 5 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (sf82Dn34Ui28.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (sf82Dn34Ui28.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (sf82Dn34Ui28.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (sf82Dn34Ui28.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (sf82Dn34Ui28.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (sf82Dn34Ui28.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/4268-22-0x0000000007280000-0x00000000072C6000-memory.dmp: family_redline
- behavioral1/memory/4268-24-0x00000000078B0000-0x00000000078F4000-memory.dmp: family_redline
- behavioral1/memory/4268-38-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-50-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-88-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-86-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-84-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-80-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-78-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-76-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-74-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-72-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-70-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-68-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-66-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-64-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-62-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-58-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-56-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-54-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-52-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-48-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-46-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-44-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-42-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-40-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-34-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-32-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-30-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-82-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-60-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-36-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-28-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-26-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
- behavioral1/memory/4268-25-0x00000000078B0000-0x00000000078EE000-memory.dmp: family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
Processes (pid: process):
- 3308: vhxR2885tf.exe
- 4212: sf82Dn34Ui28.exe
- 4268: tf73yu14Hs68.exe
-
Windows security modification 1 IoCs
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (sf82Dn34Ui28.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (vhxR2885tf.exe)
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vhxR2885tf.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tf73yu14Hs68.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid: process):
- 4212: sf82Dn34Ui28.exe
- 4212: sf82Dn34Ui28.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege (4212, sf82Dn34Ui28.exe)
- Token: SeDebugPrivilege (4268, tf73yu14Hs68.exe)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description, pid, process, target process):
- PID 2432 wrote to memory of 3308: 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe -> vhxR2885tf.exe
- PID 2432 wrote to memory of 3308: 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe -> vhxR2885tf.exe
- PID 2432 wrote to memory of 3308: 66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe -> vhxR2885tf.exe
- PID 3308 wrote to memory of 4212: vhxR2885tf.exe -> sf82Dn34Ui28.exe
- PID 3308 wrote to memory of 4212: vhxR2885tf.exe -> sf82Dn34Ui28.exe
- PID 3308 wrote to memory of 4268: vhxR2885tf.exe -> tf73yu14Hs68.exe
- PID 3308 wrote to memory of 4268: vhxR2885tf.exe -> tf73yu14Hs68.exe
- PID 3308 wrote to memory of 4268: vhxR2885tf.exe -> tf73yu14Hs68.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\66a8f069d915989d1a6d9c34ac617e97928567dee2f52d2725d9d4d3c385a1ce.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2432
-
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhxR2885tf.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3308
-
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf82Dn34Ui28.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4212
-
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf73yu14Hs68.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 4268
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Downloads
-
- Filesize: 412KB
- MD5: 57e03981222c9768f83c577d04fda2f4
- SHA1: 5b5d48ffc94d1ad9adf2a58dee1d973df86aee08
- SHA256: 8e793a1eba35e111a02fd5786faee133a26217540010efebbba52eea9eed1879
- SHA512: 7857feb6b030488bd6a58c5e34e1cfc7d405f82665eb09652fbe14f2285a4823b24bcfe59a58c0c578c1f567257cc90c53f0f2ada271559541a0856d10d307d2
-
- Filesize: 11KB
- MD5: 04e0291e7375ab4d75e1f27ebb29c325
- SHA1: d9a645fb94b5a43a835ddd88b3f741a311e383f8
- SHA256: b6df3fd706c1066082087ca0c9fb699f83042b1714a31d1e4121e3768ed6d6ab
- SHA512: f3a3c67b529a4b1ffb7191ff6012b6b67181463a8317610f2c32fa4fd176c2d52111e04acf93986896b4ef440085385b14b023a1f442b04f16d3e3fdfc25503e
-
- Filesize: 409KB
- MD5: d918db9077504212d04e97bc5857b710
- SHA1: cbac3bfca65f8dfe4efd408bcf480f3d603f1d06
- SHA256: ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3
- SHA512: f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187