Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:55
Static task: static1
Behavioral task: behavioral1
Sample: 7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe
Resource: win10v2004-20241007-en
General
Target: 7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe
Size: 561KB
MD5: d572a4539bc6382a4f8f95482bfca0d7
SHA1: 06b98efe3e5bf7dc2bcc5796ce31dbacfcfd719a
SHA256: 7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc
SHA512: 21e907aaf780c83a4d625d9e34b16e9de8af17e4665d05c7b7bf1fc6340aeb729d2642976c50cfc3d233a27476e48347b9ded42e7e8ea7609633c8674ecf9f66
SSDEEP: 12288:ZMrEy90q/JvfbkRd1RiFOFUVGKT/m6Zp9qjezKwOV:Byb/pbgd1RiFOFUY6ZreV
Malware Config
Extracted
Family: redline
Botnet: fud
C2: 193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x000b000000023b7a-12.dat: healer
- behavioral1/memory/4672-15-0x0000000000130000-0x000000000013A000-memory.dmp: healer

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (sf35sb92vK35.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (sf35sb92vK35.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (sf35sb92vK35.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (sf35sb92vK35.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (sf35sb92vK35.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (sf35sb92vK35.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid / Process:
- 4504 vhsB0866mN.exe
- 4672 sf35sb92vK35.exe
- 2628 tf51FM39qy35.exe

Windows security modification
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (sf35sb92vK35.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (vhsB0866mN.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vhsB0866mN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tf51FM39qy35.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 4672 sf35sb92vK35.exe
- 4672 sf35sb92vK35.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 4672 sf35sb92vK35.exe
- Token: SeDebugPrivilege, 2628 tf51FM39qy35.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target:
- PID 364 wrote to memory of 4504: 364 7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe, target 84
- PID 364 wrote to memory of 4504: 364 7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe, target 84
- PID 364 wrote to memory of 4504: 364 7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe, target 84
- PID 4504 wrote to memory of 4672: 4504 vhsB0866mN.exe, target 85
- PID 4504 wrote to memory of 4672: 4504 vhsB0866mN.exe, target 85
- PID 4504 wrote to memory of 2628: 4504 vhsB0866mN.exe, target 100
- PID 4504 wrote to memory of 2628: 4504 vhsB0866mN.exe, target 100
- PID 4504 wrote to memory of 2628: 4504 vhsB0866mN.exe, target 100
Processes

C:\Users\Admin\AppData\Local\Temp\7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7ed6524816f7c38bc68db11b0ddcd5c354a03406d967173e719883259ef0c6bc.exe"
  PID: 364
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsB0866mN.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsB0866mN.exe
    PID: 4504
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf35sb92vK35.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf35sb92vK35.exe
      PID: 4672
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf51FM39qy35.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf51FM39qy35.exe
      PID: 2628
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 416KB
MD5: b59f0f81d8eca52f9b6698f365ac36a3
SHA1: 52688521ddd88dfb1be1f19531a20bbdd8597c40
SHA256: 10da39b0030c69ea212acaecadecb17d4c4cb9b0a1099017030dd097471e3f7a
SHA512: 8ae504e4967f94f5185fe506fff7494be7c3fcf6ce353250577539fd102efe46a33aecbfdc5636e53bac19aa6c6f8935b612e8ef5836096b1f011686e1a0a3e4

Filesize: 11KB
MD5: b939b180e30acc3c5ce9c9b80d91b657
SHA1: efc4ad36ae1cd28ad0c7031dbed94bffd06101af
SHA256: 1c49fd426f0f50d4d12f47a1c59f3896de38716b8292744d8968f7f5ce27ae8a
SHA512: fc9fb455807a77e2161300954a9b24d927cf6abeabadbd5403a28a1b8b89cce5a639e54b23ef52b14cfe648ee21b5fd0ffc4b70ec236cf78ef315dad4b8b41b2

Filesize: 416KB
MD5: 9ce8c74a533c9909e622ad2c5700ca63
SHA1: bcce3e38eaf3c3b741bad36507671231d94ef844
SHA256: a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d
SHA512: 98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73