Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe
Resource: win10v2004-20241007-en
General

Target: ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe
Size: 551KB
MD5: 533d49520c6376589f5e38df3c75534a
SHA1: 291cefc89c67ea82f684a95bdc50eae76e50a15e
SHA256: ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a
SHA512: 698c2b2a6b06c8ef158ae6f233ef18996d143be5c9678c82370e56493bb4c00807bbcb1e4b0b705b011a27c2b5edf9771ffc0c68102344a8cbb284c4f5640970
SSDEEP: 12288:SMrgy9086E0Owoke6FMZnscC0MBj3MlkLztSl:myIE0OoM2mMR53g
Malware Config

Extracted
Family: redline
Botnet: down
C2: 193.233.20.31:4125
auth_value: 12c31a90c72f5efae8c053a0bd339381
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cb1-12.dat | healer
behavioral1/memory/4376-15-0x0000000000020000-0x000000000002A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro4980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro4980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro4980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro4980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro4980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro4980.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/336-22-0x00000000020C0000-0x0000000002106000-memory.dmp | family_redline
behavioral1/memory/336-24-0x00000000050D0000-0x0000000005114000-memory.dmp | family_redline
behavioral1/memory/336-30-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-38-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-36-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-34-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-32-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-72-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-50-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-28-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-26-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-25-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-88-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-86-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-84-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-82-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-80-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-78-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-76-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-74-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-70-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-68-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-66-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-64-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-62-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-60-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-58-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-56-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-54-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-52-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-48-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-46-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-44-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-42-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline
behavioral1/memory/336-40-0x00000000050D0000-0x000000000510E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
4512 | unio4993.exe
4376 | pro4980.exe
336 | qu8751.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro4980.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio4993.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio4993.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu8751.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4376 | pro4980.exe
4376 | pro4980.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4376 | pro4980.exe
Token: SeDebugPrivilege | 336 | qu8751.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4760 wrote to memory of 4512 | 4760 | ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe | 83
PID 4760 wrote to memory of 4512 | 4760 | ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe | 83
PID 4760 wrote to memory of 4512 | 4760 | ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe | 83
PID 4512 wrote to memory of 4376 | 4512 | unio4993.exe | 84
PID 4512 wrote to memory of 4376 | 4512 | unio4993.exe | 84
PID 4512 wrote to memory of 336 | 4512 | unio4993.exe | 93
PID 4512 wrote to memory of 336 | 4512 | unio4993.exe | 93
PID 4512 wrote to memory of 336 | 4512 | unio4993.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe (PID: 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff11af6fff75daa46e24031d02207701983db152c99114117ba90e94c718a38a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4993.exe (PID: 4512)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4993.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4980.exe (PID: 4376)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4980.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8751.exe (PID: 336)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8751.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 409KB
MD5: 11233e8d188ac8b4e20e4f878a12ab92
SHA1: 05a069debf9dac565171b47fb59962fd5a7201bf
SHA256: b35679870c08e46ae7125f350b47d46114dec5b86521aa8f68d9dc3ce2b84bdd
SHA512: 046f296bdbe1da2ffbde322c25a18cb6e53056ff359f3f8585693f245da81c334f3135bad12d59d96e107099b354ee4f75b695ac3a3e04d289c2f189ea9cee3f

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 497KB
MD5: f72d2aa08e6872a76fd1b65f6edc3e98
SHA1: e7595a7cfc24695c5cc746f02852116930288ed6
SHA256: 54e18a50af11ff6f0076b7e1559821b6f3e1e192077627d9fa4aba9cd6f159bc
SHA512: 7bee2a97d7247a74b64125527ac5015a95cc492d1683c3a083d9900e760b458a214518238b2aad9441fdc2a40fa3ed9c256de2a652241608baaa856fd80bf42b