Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 05:53
Static task: static1
Behavioral task: behavioral1
- Sample: 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe
- Resource: win10v2004-20241007-en
General
- Target: 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe
- Size: 531KB
- MD5: ee833c9c36e44866e927c3cb63a2b506
- SHA1: 19b79e8324365211411bb8d3d4103da2374b4f2a
- SHA256: 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8
- SHA512: 411060d6a060439b380db677ce016e7baeccbaa4d8bcfa2a3782aa04e91a32f185be2d14d77ddae7dd7da18d36659bca4c94141fa4278ee47230b4fba9c17326
- SSDEEP: 12288:1Mrhy90X+GP4T5w6rV0ZnJIpBhqq/umB02XMY:wy8t4feZJ4hp/u00+MY
Malware Config
Extracted
- Family: redline
- Botnet: rosto
- C2: hueref.eu:4162
- auth_value: 07d81eba8cad42bbd0ae60042d48eac6
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
- behavioral1/files/0x0008000000023c85-12.dat (yara_rule: healer)
- behavioral1/memory/4184-15-0x00000000007E0000-0x00000000007EA000-memory.dmp (yara_rule: healer)
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
All six registry changes are made by sw12aZ36RG51.exe (PID 4184):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
These are the policy values Defender reads for real-time protection; set to 1 they turn off real-time monitoring, behaviour monitoring, download/attachment (IOAV) scanning and on-access scanning. With Tamper Protection enabled, Defender does not honour real-time protection changes written to the registry by other processes and protects the TamperProtection value itself, so the fact that these writes succeeded says more about the sandbox image than about what the dropper would achieve on a hardened endpoint.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
All hits are on rule family_redline against memory dumps of PID 4712 (tkDu17UN50IB.exe):
- behavioral1/memory/4712-22-0x00000000026C0000-0x0000000002706000-memory.dmp
- behavioral1/memory/4712-24-0x0000000005150000-0x0000000005194000-memory.dmp
- behavioral1/memory/4712-28-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-26-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-25-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-42-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-88-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-84-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-82-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-80-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-78-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-76-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-74-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-72-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-68-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-66-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-64-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-62-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-60-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-58-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-56-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-54-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-52-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-50-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-46-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-44-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-40-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-38-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-36-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-34-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-32-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-30-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-86-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-70-0x0000000005150000-0x000000000518E000-memory.dmp
- behavioral1/memory/4712-48-0x0000000005150000-0x000000000518E000-memory.dmp
Redline family
-
Executes dropped EXE 3 IoCs
- PID 4172: vkTP0937xX.exe
- PID 4184: sw12aZ36RG51.exe
- PID 4712: tkDu17UN50IB.exe
Windows security modification 1 IoC
- sw12aZ36RG51.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 2 IoCs
- 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- vkTP0937xX.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Both values are the standard clean-up entries written by the IExpress self-extractor (wextract): at next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP00N.TMP extraction folder. They show that the sample and vkTP0937xX.exe are nested IExpress packages; they are not an autostart entry for the payload itself.
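An added example (not part of the report and not tria.ge's own tooling) that triages registry rows in the format used above the way an analyst would: it parses the report's "Set value" lines, flags the Windows Defender real-time protection and Tamper Protection writes from the Healer and Windows security modification sections, and separates the two RunOnce wextract_cleanup entries (IExpress clean-up) from a genuine autostart value. The rows are a constructed copy of the report's entries plus one constructed Run\Updater row from a fictitious constructed_sample.exe that does not appear in the report; the category names and functions are the example's own.

```python
"""Triage registry IoCs from a sandbox report: Defender tampering vs. autostart
vs. IExpress (wextract) clean-up entries.  Added example, not report content."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed copy of the report's "Set value" / "Key created" rows, plus one
# final row (process constructed_sample.exe) that is NOT in the report, included
# only to show a genuine autostart value next to the wextract clean-up ones.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sw12aZ36RG51.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection sw12aZ36RG51.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sw12aZ36RG51.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" sw12aZ36RG51.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sw12aZ36RG51.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" sw12aZ36RG51.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sw12aZ36RG51.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vkTP0937xX.exe
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" constructed_sample.exe
"""

RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# For each key touched in this report, the value that means "protection off".
TAMPER_SETTINGS = {
    RTP + r"\DisableRealtimeMonitoring": "1",
    RTP + r"\DisableBehaviorMonitoring": "1",
    RTP + r"\DisableIOAVProtection": "1",
    RTP + r"\DisableOnAccessProtection": "1",
    RTP + r"\DisableScanOnRealtimeEnable": "1",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection": "0",
}
_TAMPER = {k.lower(): v for k, v in TAMPER_SETTINGS.items()}  # registry paths are case-insensitive

ROW_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.*?) = "(?P<value>.*)" (?P<proc>\S+)$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\s=]+)$", re.IGNORECASE)
WEXTRACT_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str  # defender_tamper | sfx_cleanup | autostart (names are this example's)
    process: str
    path: str
    value: str


def classify(path, value):
    """Map one registry write to a triage category, or None if uninteresting."""
    if _TAMPER.get(path.lower()) == value:
        return "defender_tamper"
    m = RUN_KEY_RE.search(path)
    if not m:
        return None
    # IExpress/wextract packages register a RunOnce value named wextract_cleanupN
    # that runs advpack!DelNodeRunDLL32 to delete the IXP00N.TMP folder: that is
    # clean-up of the extraction directory, not a persistent autostart.
    if m["name"].lower().startswith("wextract_cleanup") and WEXTRACT_RE.search(value):
        return "sfx_cleanup"
    return "autostart"


def triage(rows):
    """Parse every 'Set value' row and keep the ones that classify to a category."""
    findings = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows and blank lines are skipped
        cat = classify(m["path"], m["value"])
        if cat:
            findings.append(Finding(cat, m["proc"], m["path"], m["value"]))
    return findings


def summarize(rows):
    """Per-process count of each category, e.g. {'sw12aZ36RG51.exe': {'defender_tamper': 6}}."""
    out = {}
    for f in triage(rows):
        out.setdefault(f.process, Counter())[f.category] += 1
    return {proc: dict(counts) for proc, counts in out.items()}


if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_ROWS).items():
        print(proc, counts)
```

Run on the constructed rows, the six Defender writes all attribute to sw12aZ36RG51.exe, the two RunOnce values come out as sfx_cleanup, and only the constructed row is reported as an autostart; a value of "0" under a Disable* key is deliberately not flagged, since that re-enables protection.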
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- vkTP0937xX.exe
- tkDu17UN50IB.exe
- 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 4184 sw12aZ36RG51.exe
- PID 4184 sw12aZ36RG51.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 4184 sw12aZ36RG51.exe
- Token: SeDebugPrivilege, PID 4712 tkDu17UN50IB.exe
Suspicious use of WriteProcessMemory 8 IoCs
- PID 3920 (54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe) wrote to memory of 4172, procid_target 85 (3 rows)
- PID 4172 (vkTP0937xX.exe) wrote to memory of 4184, procid_target 86 (2 rows)
- PID 4172 (vkTP0937xX.exe) wrote to memory of 4712, procid_target 94 (3 rows)
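An added example (not part of the report) that rebuilds the parent/child chain from the report's nested process list and checks every WriteProcessMemory row against it. The rows in this report all go from a parent into a process it has just spawned, which is the pattern the sandbox records during ordinary process creation; what the check isolates is a write into a PID the writer did not spawn, which cannot be explained that way. It does not rule out hollowing of a child, which would need the thread-context and unmap evidence the report does not show. PROCESS_LIST and WPM_ROWS are constructed copies of the report's data; INJECTION_ROW is a constructed row that is not in the report and exists only to show what gets flagged.

```python
"""Rebuild the process chain from a sandbox report's process list and check
each WriteProcessMemory row against it.  Added example, not report content."""
import re
from collections import defaultdict

# Constructed from the report's Processes section: (nesting level, PID, image).
PROCESS_LIST = [
    (1, 3920, "54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe"),
    (2, 4172, "vkTP0937xX.exe"),
    (3, 4184, "sw12aZ36RG51.exe"),
    (3, 4712, "tkDu17UN50IB.exe"),
]

# Constructed copy of the report's "Suspicious use of WriteProcessMemory" rows:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>".
WPM_ROWS = """\
PID 3920 wrote to memory of 4172 3920 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe 85
PID 3920 wrote to memory of 4172 3920 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe 85
PID 3920 wrote to memory of 4172 3920 54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe 85
PID 4172 wrote to memory of 4184 4172 vkTP0937xX.exe 86
PID 4172 wrote to memory of 4184 4172 vkTP0937xX.exe 86
PID 4172 wrote to memory of 4712 4172 vkTP0937xX.exe 94
PID 4172 wrote to memory of 4712 4172 vkTP0937xX.exe 94
PID 4172 wrote to memory of 4712 4172 vkTP0937xX.exe 94
"""

# Constructed row that does NOT appear in the report: a write into PID 1000,
# which nothing in the tree spawned.  Used only to show what gets flagged.
INJECTION_ROW = "PID 4712 wrote to memory of 1000 4712 tkDu17UN50IB.exe 99"

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$")


def parent_map(process_list):
    """pid -> parent pid, derived from nesting levels (level 1 = root, parent None)."""
    parents, stack = {}, []
    for level, pid, _image in process_list:
        del stack[level - 1:]            # drop everything deeper than this entry's parent
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def memory_writes(rows):
    """Unique (writer, target) pairs -> writer image.  The sandbox logs one row per
    write call, so the eight rows collapse to three edges."""
    edges = {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.setdefault((int(m["src"]), int(m["dst"])), m["image"])
    return edges


def cross_process_writes(rows, process_list):
    """Writes whose target is not a direct child of the writer.  A parent writing
    into a child it spawned is the normal process-creation pattern (hollowing of
    that child would need more evidence than this report gives); a write into
    any other PID is an injection lead."""
    parents = parent_map(process_list)
    return sorted(edge for edge in memory_writes(rows) if parents.get(edge[1]) != edge[0])


def render_tree(process_list):
    """Indented text tree, two spaces per level."""
    parents = parent_map(process_list)
    children = defaultdict(list)
    for pid, parent in parents.items():
        children[parent].append(pid)
    images = {pid: image for _, pid, image in process_list}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESS_LIST))
    print("cross-process writes:", cross_process_writes(WPM_ROWS, PROCESS_LIST))
```

With the report's rows the cross-process list is empty; appending INJECTION_ROW yields the single pair (4712, 1000), which is the kind of entry worth pulling the memory dumps for.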
Processes
- C:\Users\Admin\AppData\Local\Temp\54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe (PID 3920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54472595e5d1dc5a72981da5bfb6750ea31ee37f17f8438e412b61cdec0e2ca8.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkTP0937xX.exe (PID 4172, child of 3920)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkTP0937xX.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw12aZ36RG51.exe (PID 4184, child of 4172)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw12aZ36RG51.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkDu17UN50IB.exe (PID 4712, child of 4172)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkDu17UN50IB.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize: 386KB
MD5: a456cd3a5971af181bacc99729cc31ea
SHA1: c95641472ade9aeceb36298431654333186f9636
SHA256: 65daa39d4ba4fd6d96140c1b665d662f1fae096250211f845724436cbe804149
SHA512: 283326095497585ad236666fa6aeaee0ded4dcdf63f5e18e6261f6e3722058fec563221a9539a0db9f5e4437ad7aa169e541c4a4e41200cb0c4a29769c03a6fb
-
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize: 289KB
MD5: f719d70ebe5b666b482c91b61516218e
SHA1: 61da23978f14b2ef38e7d14113172346145fe6ba
SHA256: 439904dbd91520dd5e82eb107d025d3f0e7a74e30f1e1743976c046d5b28e568
SHA512: be894aa89bf97710e2eeb77425880a452abffebdc742c3426222aa433d558636398b36df659d6cea3eae614a1a5fc624da514f17074bcf8034039ddb1a12ee72