Analysis
max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/11/2024, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe
Resource
win10v2004-20241007-en
General
Target
061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe
Size
536KB
MD5
4011c31e75f149437bd7e81673f5deb0
SHA1
ea7acc5a4cc862c397d9442bde32cb90f85524a3
SHA256
061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913
SHA512
7cf1fe4c072698d9b99427b261e2000081431d91c9f4abe7df42ec1af9238ec16f0506433cd3d70e93848abaa29d8b674fd502e6dfefe9250a3d10730056d3f0
SSDEEP
12288:vMrzy90CxuWI2q/psv1+h6ilHEKfihYL0kU:gyvxuWInpsv9RK+YIV
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c67-12.dat | healer
behavioral1/memory/4672-15-0x0000000000710000-0x000000000071A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw30jj96hY34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw30jj96hY34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw30jj96hY34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw30jj96hY34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw30jj96hY34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw30jj96hY34.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
628 | vGn8315Om.exe
4672 | sw30jj96hY34.exe
4944 | trI32mI00.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw30jj96hY34.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vGn8315Om.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
5524 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vGn8315Om.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trI32mI00.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4672 | sw30jj96hY34.exe
4672 | sw30jj96hY34.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4672 | sw30jj96hY34.exe
Token: SeDebugPrivilege | 4944 | trI32mI00.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2356 wrote to memory of 628 | 2356 | 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe | 83
PID 2356 wrote to memory of 628 | 2356 | 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe | 83
PID 2356 wrote to memory of 628 | 2356 | 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe | 83
PID 628 wrote to memory of 4672 | 628 | vGn8315Om.exe | 84
PID 628 wrote to memory of 4672 | 628 | vGn8315Om.exe | 84
PID 628 wrote to memory of 4944 | 628 | vGn8315Om.exe | 95
PID 628 wrote to memory of 4944 | 628 | vGn8315Om.exe | 95
PID 628 wrote to memory of 4944 | 628 | vGn8315Om.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2356
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe (child of PID 2356)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 628
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe (child of PID 628)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4672
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe (child of PID 628)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4944
C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start wuauserv
- Launches sc.exe
PID: 5524
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize
391KB
MD5
0993e95ae27882da0c7787a5db5cf739
SHA1
aa48344d457967d5b5db8862ef982a28bbc31225
SHA256
2066536fbd0f156307ae62373db2cd9def0c636ccc4657d6ef1108af1b3ea7ae
SHA512
352b3f19f02776e10f6a4f69c925928e309917bf73575a454257f656ed118711426480c9c4e02a4fddd7bd78f62faf57aeea13c1618d104636b53eb51a135888

Filesize
16KB
MD5
596e04282e3a029549517d998b641bc9
SHA1
37695102540deddbc8f076ebf9e593cafad73ad3
SHA256
c6d07a2afcc66999fbbac2811e4906479d1a335885a55ea1b875659d870bc064
SHA512
0310991ddf36481d80a44c3d6ab2bcd984ba96e2ecc4c7fda34617866d759c348b2b533c065c15de2f482028a0d4bbcf731a4bc428fbbceeea95d11ec4f32c5a

Filesize
302KB
MD5
1c5a86f75232313703fab93a198cfae7
SHA1
ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA256
6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512
fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f