Analysis
  max time kernel: 146s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11-11-2024 05:30

Static task: static1

Behavioral task: behavioral1
  Sample: d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe
  Resource: win10v2004-20241007-en
General
  Target: d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe
  Size: 1.3MB
  MD5: abc45cf0900d64b744611c174fd4aa1b
  SHA1: 6c58c49191a277b64bffc192788e1cf8d634cee7
  SHA256: d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32
  SHA512: a69957c618b3437f6a80bdf4142d61bd551710e2b1281bb7c1558c00b040ed7d271e38f8997a43d409d38a194afb1771d0603c6257a02b727ae45bb1f7d3122b
  SSDEEP: 24576:zyoYQEVWu7OTjZkibjn2tiBK5j7adtuk2OAwO+pXunYXfHi:GoYQXu7OT1kibbzBkmnt2lypXr
Malware Config
Extracted
  Family: redline
  Botnet: rodik
  C2: 193.233.20.23:4124
  auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/files/0x0008000000023cac-33.dat | healer
  behavioral1/memory/1912-35-0x0000000000BE0000-0x0000000000BEA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iWi51Cr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iWi51Cr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iWi51Cr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iWi51Cr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iWi51Cr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iWi51Cr.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)

Redline family
Executes dropped EXE (6 IoCs)
Processes:
  pid | Process
  972 | sVG21Im84.exe
  3656 | sbW26ql22.exe
  2684 | sbu33Im61.exe
  1984 | sDa63SW89.exe
  1912 | iWi51Cr.exe
  5044 | ktI25iS.exe
Windows security modification
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iWi51Cr.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sVG21Im84.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sbW26ql22.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | sbu33Im61.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | sDa63SW89.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
Processes:
  pid | Process
  1640 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sVG21Im84.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sbW26ql22.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sbu33Im61.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sDa63SW89.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ktI25iS.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | Process
  1912 | iWi51Cr.exe
  1912 | iWi51Cr.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 1912 | iWi51Cr.exe
  Token: SeDebugPrivilege | 5044 | ktI25iS.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 2920 wrote to memory of 972 | 2920 | d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe | 83
  PID 2920 wrote to memory of 972 | 2920 | d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe | 83
  PID 2920 wrote to memory of 972 | 2920 | d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe | 83
  PID 972 wrote to memory of 3656 | 972 | sVG21Im84.exe | 84
  PID 972 wrote to memory of 3656 | 972 | sVG21Im84.exe | 84
  PID 972 wrote to memory of 3656 | 972 | sVG21Im84.exe | 84
  PID 3656 wrote to memory of 2684 | 3656 | sbW26ql22.exe | 86
  PID 3656 wrote to memory of 2684 | 3656 | sbW26ql22.exe | 86
  PID 3656 wrote to memory of 2684 | 3656 | sbW26ql22.exe | 86
  PID 2684 wrote to memory of 1984 | 2684 | sbu33Im61.exe | 88
  PID 2684 wrote to memory of 1984 | 2684 | sbu33Im61.exe | 88
  PID 2684 wrote to memory of 1984 | 2684 | sbu33Im61.exe | 88
  PID 1984 wrote to memory of 1912 | 1984 | sDa63SW89.exe | 89
  PID 1984 wrote to memory of 1912 | 1984 | sDa63SW89.exe | 89
  PID 1984 wrote to memory of 5044 | 1984 | sDa63SW89.exe | 98
  PID 1984 wrote to memory of 5044 | 1984 | sDa63SW89.exe | 98
  PID 1984 wrote to memory of 5044 | 1984 | sDa63SW89.exe | 98
Processes

[1] C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe"
    PID: 2920
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe
      PID: 972
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe
        PID: 3656
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe
          PID: 2684
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe
            PID: 1984
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe
              PID: 1912
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe
              PID: 5044
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    PID: 1640
    - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads