Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:34
Static task: static1
Behavioral task: behavioral1
Sample: 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe
Resource: win10v2004-20241007-en
General
Target: 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe
Size: 1.2MB
MD5: 2176a763c96dd2f0398afea4c0568178
SHA1: 14cafb1456b8c5c9e6523c8979919956e5323a23
SHA256: 4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16
SHA512: 2e1bb2c97f88e2ff5af95803f9ec9dccc474383819179f7cb211434768cff9e224cf8d0be9265f18763cc91f4bd3c5ef0c7064142af605579dc2a1051f708628
SSDEEP: 24576:CyTYnX4FJq4cLqeduZfrujFBpdguSKZqV5hzSa9jQNOXB67LC:po47UWfL9V5hFlQNOXg/
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper 2 IoCs
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe  healer
behavioral1/memory/1872-35-0x0000000000770000-0x000000000077A000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  buPV92tZ96.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  buPV92tZ96.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  buPV92tZ96.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  buPV92tZ96.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  buPV92tZ96.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  buPV92tZ96.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource  yara_rule
behavioral1/memory/3732-41-0x0000000004AF0000-0x0000000004B36000-memory.dmp  family_redline
behavioral1/memory/3732-43-0x0000000004CB0000-0x0000000004CF4000-memory.dmp  family_redline
behavioral1/memory/3732-47-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-61-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-107-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-105-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-101-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-99-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-98-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-95-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-94-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-91-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-90-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-87-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-86-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-83-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-82-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-79-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-78-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-75-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-73-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-71-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-69-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-67-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-65-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-64-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-59-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-58-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-55-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-53-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-51-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-49-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-103-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-45-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/3732-44-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline

Redline family

Executes dropped EXE 6 IoCs
pid  process
4128  plIU29XD06.exe
3972  plLP13qt01.exe
1764  plEt10Ra62.exe
3300  plZA95Ow98.exe
1872  buPV92tZ96.exe
3732  casX13jF11.exe

Windows security modification 1 IoC
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  buPV92tZ96.exe
Note: on an endpoint with Tamper Protection enabled, Defender blocks registry writes to this value (it can only be changed through the Windows Security app or an MDM channel) and the Real-Time Protection policy values above are ignored while it is on. That the write went through here reflects the sandbox image, not how the sample would fare on a hardened host.
Adds Run key to start application 2 TTPs 5 IoCs
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  plIU29XD06.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  plLP13qt01.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  plEt10Ra62.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  plZA95Ow98.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe
Note: each of these values is the standard clean-up entry that wextract.exe (the IExpress self-extractor) writes for its own IXPnnn.TMP directory: at next logon rundll32 calls advpack.dll!DelNodeRunDLL32 to delete that directory and the RunOnce value is consumed. They show that the sample is five nested IExpress packages (IXP000 through IXP004), not that the payload persists across reboot; no other Run/RunOnce entry was recorded for the Healer or RedLine processes in this run.
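The Defender policy writes and the wextract RunOnce entries above are the two registry patterns from this report worth turning into detection logic. The following Python is an added example, not code from the report, the sandbox or the sample: it parses rows in the report's own "Set value" layout, flags the Healer pattern (the five Real-Time Protection policy values set to 1 plus TamperProtection set to 0 by one process) and separates wextract clean-up RunOnce values from genuine autostart entries. The sample rows are constructed from the report's IoCs; the "Updater"/svc.exe Run-key row and its SID are made up as a control.

```python
"""Triage the registry 'Set value' rows a sandbox report lists for this sample.

Added example; not code from the report, the sandbox or the malware.
Checks two things: (1) Windows Defender real-time-protection policy values being
set to 1 and the TamperProtection value being set to 0 (the Healer pattern), and
(2) Run/RunOnce entries, separating the wextract/IExpress clean-up values from
genuine autostart persistence. SAMPLE_ROWS is constructed from the report's IoC
rows plus one made-up Run-key control entry ('Updater' / svc.exe).
"""
import json
import re
from collections import defaultdict

RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
                  r"\Windows Defender\Real-Time Protection")
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender"
                r"\Features\TamperProtection")

# Row layout in the report: Set value (int|str) <value path> = "<JSON-escaped data>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \((?:int|str)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
# wextract's clean-up command: rundll32 advpack.dll,DelNodeRunDLL32 "<temp>\IXPnnn.TMP\"
WEXTRACT_CLEANUP_RE = re.compile(
    r'advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]*\\IXP\d{3}\.TMP\\?)"', re.IGNORECASE)


def parse_row(line):
    """(value path, unescaped data, process) for a 'Set value' row, else None."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    return m["path"], json.loads('"' + m["data"] + '"'), m["proc"]


def classify(path, data):
    """(rule, detail) for one registry write, or None when it is not interesting."""
    key, _, name = path.rpartition("\\")
    if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
        return "defender_rtp_policy_disabled", name
    if path.lower() == TAMPER_VALUE.lower() and data == "0":
        return "defender_tamper_protection_off", name
    if RUN_KEY_RE.search(path):
        m = WEXTRACT_CLEANUP_RE.search(data)
        if m and name.lower().startswith("wextract_cleanup"):
            return "runonce_sfx_cleanup", m["dir"]  # deletes the extraction dir; not persistence
        return "run_key_autostart", data
    return None


def triage(rows):
    """All (process, rule, detail) findings, in row order."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        path, data, proc = parsed
        hit = classify(path, data)
        if hit is not None:
            findings.append((proc, hit[0], hit[1]))
    return findings


def av_disablers(findings):
    """Processes that both disable real-time protection and flip TamperProtection."""
    rules = defaultdict(set)
    for proc, rule, _ in findings:
        rules[proc].add(rule)
    needed = {"defender_rtp_policy_disabled", "defender_tamper_protection_off"}
    return sorted(proc for proc, seen in rules.items() if needed <= seen)


# Constructed sample rows: the report's Healer and RunOnce IoCs, plus one made-up control.
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
_RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
_CLEANUP = (r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
            r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00{n}.TMP\\\"')
_STAGES = [(1, "plIU29XD06.exe"), (2, "plLP13qt01.exe"), (3, "plEt10Ra62.exe"),
           (4, "plZA95Ow98.exe"),
           (0, "4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe")]
SAMPLE_ROWS = (
    ['Set value (int) {}\\{} = "1" buPV92tZ96.exe'.format(_RTP, v) for v in sorted(RTP_DISABLE_VALUES)]
    + ["Key created {} buPV92tZ96.exe".format(_RTP),
       r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buPV92tZ96.exe']
    + ['Set value (str) {}\\wextract_cleanup{} = "{}" {}'.format(_RUNONCE, n, _CLEANUP.format(n=n), p)
       for n, p in _STAGES]
    # made-up control row (not from the report): a plain Run-key autostart, SID invented
    + [r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe" svc.exe']
)

if __name__ == "__main__":
    found = triage(SAMPLE_ROWS)
    for proc, rule, detail in found:
        print(f"{proc:<24} {rule:<32} {detail}")
    print("AV disabler(s):", av_disablers(found))
```

The wextract rule deliberately requires both the value name prefix and the advpack.dll!DelNodeRunDLL32 command on an IXPnnn.TMP directory; a Run-key write that matches neither stays classified as autostart, which is the case that deserves an analyst's eye.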
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Any process that reads the NLS\Language key triggers this signature, ordinary installers included, so on its own it is a weak indicator.
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plIU29XD06.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plLP13qt01.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plEt10Ra62.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plZA95Ow98.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  casX13jF11.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  process
1872  buPV92tZ96.exe
1872  buPV92tZ96.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  process
Token: SeDebugPrivilege  1872  buPV92tZ96.exe
Token: SeDebugPrivilege  3732  casX13jF11.exe

Suspicious use of WriteProcessMemory 17 IoCs
description  pid  process  target process
PID 4524 wrote to memory of 4128  4524  4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe  plIU29XD06.exe
PID 4524 wrote to memory of 4128  4524  4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe  plIU29XD06.exe
PID 4524 wrote to memory of 4128  4524  4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe  plIU29XD06.exe
PID 4128 wrote to memory of 3972  4128  plIU29XD06.exe  plLP13qt01.exe
PID 4128 wrote to memory of 3972  4128  plIU29XD06.exe  plLP13qt01.exe
PID 4128 wrote to memory of 3972  4128  plIU29XD06.exe  plLP13qt01.exe
PID 3972 wrote to memory of 1764  3972  plLP13qt01.exe  plEt10Ra62.exe
PID 3972 wrote to memory of 1764  3972  plLP13qt01.exe  plEt10Ra62.exe
PID 3972 wrote to memory of 1764  3972  plLP13qt01.exe  plEt10Ra62.exe
PID 1764 wrote to memory of 3300  1764  plEt10Ra62.exe  plZA95Ow98.exe
PID 1764 wrote to memory of 3300  1764  plEt10Ra62.exe  plZA95Ow98.exe
PID 1764 wrote to memory of 3300  1764  plEt10Ra62.exe  plZA95Ow98.exe
PID 3300 wrote to memory of 1872  3300  plZA95Ow98.exe  buPV92tZ96.exe
PID 3300 wrote to memory of 1872  3300  plZA95Ow98.exe  buPV92tZ96.exe
PID 3300 wrote to memory of 3732  3300  plZA95Ow98.exe  casX13jF11.exe
PID 3300 wrote to memory of 3732  3300  plZA95Ow98.exe  casX13jF11.exe
PID 3300 wrote to memory of 3732  3300  plZA95Ow98.exe  casX13jF11.exe
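The WriteProcessMemory rows above are the raw material for the process tree: each parent writes into its child while starting it, and the same pair appears several times. The following Python is an added example, not code from the report or the sandbox: it de-duplicates those rows into parent/child edges, finds the root (a parent that is never a child) and walks the tree, so the chain of four nested self-extractors ending in the Healer disabler and the RedLine payload falls out as two root-to-leaf paths. The input rows are constructed from the report's table, with the per-pair repeat counts preserved.

```python
"""Rebuild the process chain from a report's WriteProcessMemory rows.

Added example; not code from the sandbox report. WPM_ROWS is constructed from the
report's 17 'PID <parent> wrote to memory of <child> <parent> <parent.exe> <child.exe>'
rows. The same parent/child pair repeats (wextract writes each child more than once
while starting it), so edges are de-duplicated before the tree is built.
"""
import re

WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) (?P<pname>\S+) (?P<cname>\S+)$")


def parse_edges(rows):
    """{(parent_pid, child_pid): (parent_name, child_name)} in first-seen order, duplicates dropped."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            edges.setdefault((int(m["ppid"]), int(m["cpid"])), (m["pname"], m["cname"]))
    return edges


def _index(edges):
    """(children, names, roots): adjacency list, pid -> image name, parents that are never children."""
    children, names = {}, {}
    for (p, c), (pn, cn) in edges.items():
        children.setdefault(p, []).append(c)
        names[p], names[c] = pn, cn
    child_pids = {c for _, c in edges}
    roots = [p for p in children if p not in child_pids]
    return children, names, roots


def lineage(edges):
    """Every root-to-leaf chain as a list of 'image(pid)' strings."""
    children, names, roots = _index(edges)
    chains = []

    def walk(pid, path):
        path = path + [f"{names[pid]}({pid})"]
        if pid not in children:
            chains.append(path)
        for kid in children.get(pid, []):
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return chains


def render(edges):
    """Indented tree, two spaces per level, one process per line."""
    children, names, roots = _index(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{names[pid]} (PID {pid})")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


# Constructed from the report's WriteProcessMemory table (repeat count per pair preserved).
_SAMPLE = "4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe"
_PAIRS = [
    (4524, 4128, _SAMPLE, "plIU29XD06.exe", 3),
    (4128, 3972, "plIU29XD06.exe", "plLP13qt01.exe", 3),
    (3972, 1764, "plLP13qt01.exe", "plEt10Ra62.exe", 3),
    (1764, 3300, "plEt10Ra62.exe", "plZA95Ow98.exe", 3),
    (3300, 1872, "plZA95Ow98.exe", "buPV92tZ96.exe", 2),
    (3300, 3732, "plZA95Ow98.exe", "casX13jF11.exe", 3),
]
WPM_ROWS = [f"PID {p} wrote to memory of {c} {p} {pn} {cn}"
            for p, c, pn, cn, times in _PAIRS for _ in range(times)]

if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print(render(edges))
    for chain in lineage(edges):
        print(" -> ".join(chain))
```

Both chains share their first five nodes; only the innermost stage (plZA95Ow98.exe, PID 3300) fans out, which is the quickest way to see that everything before it is packaging and the two leaves are the actual payloads.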
Processes

C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe  (PID 4524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ecff3dc18d6506e10f68491d58fc1ba31faf9493133c4279cd4fbb7e7929b16.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe  (PID 4128)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIU29XD06.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe  (PID 3972)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plLP13qt01.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe  (PID 1764)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt10Ra62.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe  (PID 3300)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plZA95Ow98.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe  (PID 1872)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPV92tZ96.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe  (PID 3732)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\casX13jF11.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: 048f771b4353aa5fdbe6c7955373103c
SHA1: 38ecfce70ebbed9eff0663ae03bf2d04c0fe6bb6
SHA256: c7714b31c9949bb74db0c3b827a4ce92e09d11079e060cab51bfa63eb5bb2e32
SHA512: f1aa442dcc3d38541f23b3d152c8ac34be546339d76f3e2cd73c79ac30e6e90828f4376889159b1c19901a8a933ffa753d08ff6937cdbff286435cf717800cd4

Filesize: 955KB
MD5: 0e2f5e078648c4f512c20edac192bdde
SHA1: a38c856089eef1e57a896201eaef9f935efd66fb
SHA256: 5ae1550cc463ec85b1f03764851d71d20d4c6504d543d7c54421f864ab3a095c
SHA512: d93de06d5eccd547702247b3cfc97dffaf4935ec92d1cb48a7f18253bba2a439f1e133ca6078735f6036e1ff84d62250bad1de238b218516c754c97dbb6f2a0c

Filesize: 679KB
MD5: 967a6efc047ce2bfedd58205b16eb856
SHA1: f0631d821537eac91fc8acf9c9e164d1ebc385ac
SHA256: 25899231646e6f9901c9ac86943c2332d92dd28bd333b409e2387f18e0a8d5a3
SHA512: 5683eafe53188f65669a7c609273381699b1538d7904dd4fc76a7b93a45004cdb1887ac161c211f0578e53e6ca8e2db08b64502bc252b7087c4eab037b33a31a

Filesize: 398KB
MD5: 35eec148d062727beca64806452f66f2
SHA1: 5b7a974b429d5104051f4f7ab17f4da9cdae87e9
SHA256: 390d2fc4089b2666bfa9e5fc26c6006496a0fa16ba855dc251abf3de9103ad1a
SHA512: 0687a63c853ee4a75fa3811550c92431c16443bfaa040fca1f5b2c02584856989aced5fef379c5ddf4b4bbaa222e3bd6e46b792c724c232a7ec7050fd90892fe

Filesize: 14KB
MD5: 606f1523d611ae09f551005f77292f89
SHA1: 898e7b0d71b8c3dc5cf76300ff7ab34d8179103f
SHA256: 15707a4830f66bdef3567108793cdacb17a240955f8210d44bd6e1d6e9f5600d
SHA512: 6cc318274ac9e74b0e52b7d6593b69c33043c192733ba158fddb70047e831b678d74687a3cc9d80ff3325c58c4190ad1a7461243de0acdb8c38b0aba487d3ec9

Filesize: 367KB
MD5: 1d723ff94958004611f8d9036d32a484
SHA1: 494b2b1df04dd00bd4a6582ca026b45ed1e26f5e
SHA256: ce58c79e2d8396ebc000387ba86ec87273d28bd7dfa8310c49c59b22c7de42af
SHA512: 9738bf0e92ad9b1f526a48a4262410186a961e0aa9e04ef1ecc4769b29d92339f46e331a65810ce72b27df319260ac8aba0636742690e95bc34f6d59fbf2ff61