Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:36

Static task: static1
Behavioral task: behavioral1
- Sample: 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe
- Resource: win10v2004-20241007-en
General
- Target: 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe
- Size: 1.2MB
- MD5: d1a8ead64a222476165403d3cede9d81
- SHA1: 0795bf8c252a142309afb1e1d65e46a30a216c47
- SHA256: 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c
- SHA512: 2100e4c7df88d2e14b4c8173b55f113f9157752d91da233306e7bdec00b5d1cdb020b0c1576f8910614a38bf9ce7b3e5b0797d61fc42a5e220a95a650ca8c9ea
- SSDEEP: 24576:tyoG8BjoXj9UEl5NYph2kM4o1guMCYajyV:IH4g9UEpihJMN14Yy
Malware Config
Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe | healer
  behavioral1/memory/3788-35-0x0000000000230000-0x000000000023A000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
Processes: buTw07oK35.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buTw07oK35.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buTw07oK35.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buTw07oK35.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buTw07oK35.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buTw07oK35.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buTw07oK35.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Redline family
-
Executes dropped EXE (6 IoCs)
Processes: plgp58Id36.exe, plbB10BC11.exe, plbY91pz79.exe, plsB18am25.exe, buTw07oK35.exe, canr55Pp31.exe
  pid | process
  4600 | plgp58Id36.exe
  1436 | plbB10BC11.exe
  4460 | plbY91pz79.exe
  3992 | plsB18am25.exe
  3788 | buTw07oK35.exe
  2176 | canr55Pp31.exe
-
Windows security modification
Processes: buTw07oK35.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buTw07oK35.exe
-
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: plgp58Id36.exe, plbB10BC11.exe, plbY91pz79.exe, plsB18am25.exe, 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plgp58Id36.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plbB10BC11.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plbY91pz79.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plsB18am25.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe
-
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: canr55Pp31.exe, 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe, plgp58Id36.exe, plbB10BC11.exe, plbY91pz79.exe, plsB18am25.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | canr55Pp31.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plgp58Id36.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plbB10BC11.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plbY91pz79.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plsB18am25.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: buTw07oK35.exe
  pid | process
  3788 | buTw07oK35.exe
  3788 | buTw07oK35.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: buTw07oK35.exe, canr55Pp31.exe
  description | pid | process
  Token: SeDebugPrivilege | 3788 | buTw07oK35.exe
  Token: SeDebugPrivilege | 2176 | canr55Pp31.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe, plgp58Id36.exe, plbB10BC11.exe, plbY91pz79.exe, plsB18am25.exe
  description | pid | process | target process
  PID 1892 wrote to memory of 4600 | 1892 | 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | plgp58Id36.exe
  PID 1892 wrote to memory of 4600 | 1892 | 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | plgp58Id36.exe
  PID 1892 wrote to memory of 4600 | 1892 | 9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe | plgp58Id36.exe
  PID 4600 wrote to memory of 1436 | 4600 | plgp58Id36.exe | plbB10BC11.exe
  PID 4600 wrote to memory of 1436 | 4600 | plgp58Id36.exe | plbB10BC11.exe
  PID 4600 wrote to memory of 1436 | 4600 | plgp58Id36.exe | plbB10BC11.exe
  PID 1436 wrote to memory of 4460 | 1436 | plbB10BC11.exe | plbY91pz79.exe
  PID 1436 wrote to memory of 4460 | 1436 | plbB10BC11.exe | plbY91pz79.exe
  PID 1436 wrote to memory of 4460 | 1436 | plbB10BC11.exe | plbY91pz79.exe
  PID 4460 wrote to memory of 3992 | 4460 | plbY91pz79.exe | plsB18am25.exe
  PID 4460 wrote to memory of 3992 | 4460 | plbY91pz79.exe | plsB18am25.exe
  PID 4460 wrote to memory of 3992 | 4460 | plbY91pz79.exe | plsB18am25.exe
  PID 3992 wrote to memory of 3788 | 3992 | plsB18am25.exe | buTw07oK35.exe
  PID 3992 wrote to memory of 3788 | 3992 | plsB18am25.exe | buTw07oK35.exe
  PID 3992 wrote to memory of 2176 | 3992 | plsB18am25.exe | canr55Pp31.exe
  PID 3992 wrote to memory of 2176 | 3992 | plsB18am25.exe | canr55Pp31.exe
  PID 3992 wrote to memory of 2176 | 3992 | plsB18am25.exe | canr55Pp31.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe (PID 1892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f50af425d17247d4d3d98131add501fa0982dcb37295df361b44b80866c841c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe (PID 4600)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plgp58Id36.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe (PID 1436)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbB10BC11.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe (PID 4460)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plbY91pz79.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe (PID 3992)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsB18am25.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe (PID 3788)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buTw07oK35.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe (PID 2176)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\canr55Pp31.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads