Analysis
max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11/11/2024, 05:54
Static task: static1
Behavioral task: behavioral1
Sample: 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe
Resource: win10v2004-20241007-en
General
Target: 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe
Size: 540KB
MD5: f4a87ee012b29d5d2d25dc9d110463dc
SHA1: 95ec3c17ec48061bdd97b379b2e9600ca5eddfb5
SHA256: 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3
SHA512: 2e6d27fcb2b4e04e9fd2041c6cdd52782ca4852e93864f2dc8f915e9be48321a35dec82f277ae3b57f7574bfa0aa0cc62d4f4bdb4afc236534d655b3fdd91b00
SSDEEP: 12288:MMrPy907RlRlqTRrFDaQFdu+UN466gs8Fbxpn8F4:LycRk94QFxO466MFbvM4
Malware Config
Extracted
Family: redline
Botnet: down
C2: 193.233.20.31:4125
auth_value: 12c31a90c72f5efae8c053a0bd339381
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b70-12.dat | healer
behavioral1/memory/2916-15-0x0000000000A40000-0x0000000000A4A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro2602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro2602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro2602.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro2602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro2602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro2602.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
2216 | unio7563.exe
2916 | pro2602.exe
4680 | qu2890.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro2602.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio7563.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu2890.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio7563.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2916 | pro2602.exe
2916 | pro2602.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2916 | pro2602.exe
Token: SeDebugPrivilege | 4680 | qu2890.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2896 wrote to memory of 2216 | 2896 | 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe | 83
PID 2896 wrote to memory of 2216 | 2896 | 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe | 83
PID 2896 wrote to memory of 2216 | 2896 | 481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe | 83
PID 2216 wrote to memory of 2916 | 2216 | unio7563.exe | 85
PID 2216 wrote to memory of 2916 | 2216 | unio7563.exe | 85
PID 2216 wrote to memory of 4680 | 2216 | unio7563.exe | 93
PID 2216 wrote to memory of 4680 | 2216 | unio7563.exe | 93
PID 2216 wrote to memory of 4680 | 2216 | unio7563.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe (PID 2896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\481afb3c38881e4be2e7f680672482d0f17b664c0364ba44e631689c2969bbf3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7563.exe (PID 2216)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7563.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2602.exe (PID 2916)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2602.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2890.exe (PID 4680)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2890.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Downloads
Filesize: 397KB
Filesize: 11KB
Filesize: 356KB