Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/11/2024, 03:42

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe
  - Resource: win10v2004-20241007-en
General
- Target: 3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe
- Size: 686KB
- MD5: 89d694aa6f006317627e1f8052380c40
- SHA1: 01ad9e29c96169996bb0c56f5f729c742f15fb9d
- SHA256: 3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0
- SHA512: c649a8bf4d361a5ec7103e024a01062f4ff8ce23603b978ccc9536664c2710415adda9405a5f9cf4ee9238a11c65660b24c8025d3c591d1680eb7c04cf7bca16
- SSDEEP: 12288:sMr9y90apXLQFNQiq4UyxRNObLvRPvHG5Bije5c6BUcIrTuLQgdkzsJXk0tfNB:xy/7QTQ+lObNPG5Ea5c6BUvTuLQgCQBH
Malware Config

Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x000b000000023b70-12.dat (yara_rule: healer)
- behavioral1/memory/1240-15-0x0000000000740000-0x000000000074A000-memory.dmp (yara_rule: healer)

Healer family

Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (buBz51dW88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (buBz51dW88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (buBz51dW88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (buBz51dW88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (buBz51dW88.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (buBz51dW88.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 4400: plDL80Tc41.exe
- PID 1240: buBz51dW88.exe
- PID 3128: caNF32bK19.exe

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (buBz51dW88.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (plDL80Tc41.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (plDL80Tc41.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (caNF32bK19.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1240: buBz51dW88.exe
- PID 1240: buBz51dW88.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1240 (buBz51dW88.exe)
- Token: SeDebugPrivilege, PID 3128 (caNF32bK19.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 4144 wrote to memory of 4400; pid 4144, process 3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe, procid_target 83
- PID 4144 wrote to memory of 4400; pid 4144, process 3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe, procid_target 83
- PID 4144 wrote to memory of 4400; pid 4144, process 3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe, procid_target 83
- PID 4400 wrote to memory of 1240; pid 4400, process plDL80Tc41.exe, procid_target 84
- PID 4400 wrote to memory of 1240; pid 4400, process plDL80Tc41.exe, procid_target 84
- PID 4400 wrote to memory of 3128; pid 4400, process plDL80Tc41.exe, procid_target 96
- PID 4400 wrote to memory of 3128; pid 4400, process plDL80Tc41.exe, procid_target 96
- PID 4400 wrote to memory of 3128; pid 4400, process plDL80Tc41.exe, procid_target 96
Processes

C:\Users\Admin\AppData\Local\Temp\3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe (PID 4144, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3cc24255119898c597ee385a4fc41ffbd307af8fbdf620481a3245d750867de0N.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plDL80Tc41.exe (PID 4400, depth 2, child of PID 4144)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plDL80Tc41.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buBz51dW88.exe (PID 1240, depth 3, child of PID 4400)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buBz51dW88.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caNF32bK19.exe (PID 3128, depth 3, child of PID 4400)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caNF32bK19.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads