Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:53
Static task: static1
Behavioral task: behavioral1
Sample: 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe
Resource: win10v2004-20241007-en
General
Target: 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe
Size: 525KB
MD5: c3a05fa2c254b0c4f235bb5a9dd0fd11
SHA1: 913ec8e5045cd1c8debb036b236c53fb77028f77
SHA256: 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42
SHA512: c4b24da09a86fbfa223397e146df43a71df3c81948943e944059cae8087a90339ee6c4f417f6f6c15edaa68a51816bbb498635bd448165ab64662080c6e7232c
SSDEEP: 12288:VMrWy90h+Oea7Vyp8klt8eKVy2fch2C7hVPJX7JP2cc:Dyu+OTZyp8kj8eqyT5XlP2cc
Malware Config
Extracted
Family: redline
Botnet: fud
C2: 193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca9-12.dat | healer
behavioral1/memory/1064-14-0x00000000002F0000-0x00000000002FA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sf05BY60eM07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sf05BY60eM07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sf05BY60eM07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sf05BY60eM07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sf05BY60eM07.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sf05BY60eM07.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/4568-21-0x0000000002710000-0x0000000002756000-memory.dmp | family_redline
behavioral1/memory/4568-23-0x0000000004CA0000-0x0000000004CE4000-memory.dmp | family_redline
behavioral1/memory/4568-81-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-87-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-85-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-83-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-79-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-77-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-75-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-74-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-71-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-69-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-67-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-65-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-63-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-61-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-59-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-55-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-53-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-51-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-49-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-47-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-45-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-43-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-41-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-39-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-37-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-33-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-31-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-29-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-57-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-35-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-27-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-25-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
behavioral1/memory/4568-24-0x0000000004CA0000-0x0000000004CDE000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
548 | vhvw3541Jg.exe
1064 | sf05BY60eM07.exe
4568 | tf19hp48dQ24.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sf05BY60eM07.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vhvw3541Jg.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tf19hp48dQ24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vhvw3541Jg.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1064 | sf05BY60eM07.exe
1064 | sf05BY60eM07.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1064 | sf05BY60eM07.exe
Token: SeDebugPrivilege | 4568 | tf19hp48dQ24.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4876 wrote to memory of 548 | 4876 | 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe | 83
PID 4876 wrote to memory of 548 | 4876 | 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe | 83
PID 4876 wrote to memory of 548 | 4876 | 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe | 83
PID 548 wrote to memory of 1064 | 548 | vhvw3541Jg.exe | 84
PID 548 wrote to memory of 1064 | 548 | vhvw3541Jg.exe | 84
PID 548 wrote to memory of 4568 | 548 | vhvw3541Jg.exe | 93
PID 548 wrote to memory of 4568 | 548 | vhvw3541Jg.exe | 93
PID 548 wrote to memory of 4568 | 548 | vhvw3541Jg.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe (depth 1, PID 4876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe (depth 2, PID 548)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe (depth 3, PID 1064)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe (depth 3, PID 4568)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 380KB
MD5: 7c45d2af19d7d2df103bf8f5b2d998c6
SHA1: 0d0926970d9c1f69e4680bd66ff05c54e91e490e
SHA256: 510797b333d7c78b8768085664399e7def03c85ab4901a3ac9038452ad69978a
SHA512: 61318989d9e8ab1ce5f365a63d696713e36629c0db398429c504aa243f1b880dc268534a27b93ae20b0bfb80c2c578799dba0aa369e719b7232b9a573bb40fdc

Filesize: 12KB
MD5: 7e3e91c47e76d39d1538a776ddf60a97
SHA1: 13c80493883115b4caec7c829fdf61ea94abef5a
SHA256: 945c12d10118478481fcabf0431ac8c6cf5ad91298f1838ef4705e0fe2bafcb5
SHA512: 548c8465c0aead82426299ccd107b35764f506c8d83afe0572c0664c180ae1cb76658019a1200eb929b22f3d606333ea0c26dfbac61c9c7037a07066394ff926

Filesize: 291KB
MD5: 249978248eadf5f91425671a026f54a0
SHA1: 80596f205182dcbeb05b93e5cdb77a067c723cf1
SHA256: 0acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682
SHA512: aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14