Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 05:56
Static task
static1
Behavioral task
behavioral1
Sample
6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe
Resource
win10v2004-20241007-en
General
-
Target
6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe
-
Size
683KB
-
MD5
8512096d8e5b740e6c0d051ea6ddc010
-
SHA1
756982fcfc787c0a2e13756e3465b783044fdb5e
-
SHA256
6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4
-
SHA512
c1ee0216bbe83e6896febb5bac3815d01341af06f326d3261a48deef928cecf1e33b837823096db10a1d10a0fd62e1d927c2a95d399b0cc8d6c222a3517fbcbb
-
SSDEEP
12288:VMrBy90qe56ppFFbtYc3LvvVRwgW171F9l/Kd6/lea7eK+yravHvSo+T:UyM56ppv5YcbVgvl/46Ea7eK+LvSoO
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
-
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b9d-12.dat healer behavioral1/memory/3272-15-0x0000000000F80000-0x0000000000F8A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection buTb07ea43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" buTb07ea43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" buTb07ea43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" buTb07ea43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" buTb07ea43.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" buTb07ea43.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4916-22-0x0000000007130000-0x0000000007176000-memory.dmp family_redline behavioral1/memory/4916-24-0x00000000071B0000-0x00000000071F4000-memory.dmp family_redline behavioral1/memory/4916-28-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-38-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-88-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-86-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-84-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-82-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-78-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-76-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-74-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-72-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-70-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-68-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-66-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-64-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-62-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-60-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-56-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-54-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-52-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-50-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-48-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-46-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-45-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-42-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-40-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-36-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-34-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-32-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-30-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-80-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-58-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-26-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/4916-25-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4164 plaH60Ww24.exe 3272 buTb07ea43.exe 4916 caUO52ia27.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buTb07ea43.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" plaH60Ww24.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plaH60Ww24.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caUO52ia27.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3272 buTb07ea43.exe 3272 buTb07ea43.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3272 buTb07ea43.exe Token: SeDebugPrivilege 4916 caUO52ia27.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2892 wrote to memory of 4164 2892 6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe 83 PID 2892 wrote to memory of 4164 2892 6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe 83 PID 2892 wrote to memory of 4164 2892 6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe 83 PID 4164 wrote to memory of 3272 4164 plaH60Ww24.exe 85 PID 4164 wrote to memory of 3272 4164 plaH60Ww24.exe 85 PID 4164 wrote to memory of 4916 4164 plaH60Ww24.exe 101 PID 4164 wrote to memory of 4916 4164 plaH60Ww24.exe 101 PID 4164 wrote to memory of 4916 4164 plaH60Ww24.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe"C:\Users\Admin\AppData\Local\Temp\6c15e0bed62a305e11108f3a4435106150513097dc535d1b0702dacb44d482c4N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plaH60Ww24.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plaH60Ww24.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buTb07ea43.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buTb07ea43.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caUO52ia27.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caUO52ia27.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
399KB
MD5e176e122526d3468191792d383e4bdb2
SHA1330904346b0c9d30fecd749b17f222ca0a0a0e24
SHA256270d885430c0f8f85e8827e73886e7973ed662ce9cab5fa32ffa45df15be3766
SHA512916e9fed912e6c63b781558ac4eeaa5614ebcc1a4a791ee54c7de2af857f5e49037f91bb18dd774343c2d6b3e402bb1b11085bb88fa7b2c111e091e3f24b7fe2
-
Filesize
12KB
MD51f9f19afd851e4df0adf72603531ef57
SHA18615f7bc398546e2c8721e90706e6fef0f7f7a85
SHA256f1eae61bb28f33e6cdbfe276fbd843868e606c268c178d25e1513bc6dd5aebbe
SHA512c5cacf039e444f491d80340de2695446b9e53f52afaccbd11a2e26815b45932c845276f6bafb47edf9d8c9f297b5c8d65b2d769f25e1ec3daa9bfd57fd3c13b3
-
Filesize
375KB
MD5e7158d94c200533e4ab41107e5e183b1
SHA18779fa2f2b5eba6b4daf9d9540d62e523a3d5c17
SHA2560d984f1c04ed6c099eca650cedf4d4307881bb3de0d44fdab9e76436eb016704
SHA5129919a210608661b1d18929d4dbe1590ef75b667547d82cc750256f6e3a15d1097a59047fab842678d5a83adb0a7748d84fba8dba98f61fedb6fd8ab3320a4e19