Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 07:15
Static task: static1
Behavioral task: behavioral1
Sample: da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe
Resource: win10v2004-20241007-en
General
Target: da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe
Size: 1.1MB
MD5: 55c04cc87d3fa8d47490e74cc7f27df4
SHA1: 0305088691d2c1c8ab1954ef089d138a27b05ffa
SHA256: da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
SHA512: 1bef46bc1a76ccae124000db1be60a622e8ca1ac1cdeab9873135245c8258d8de6737d9082d794616d614a2f2bc6eeff55d8ffff328012a3c967c36e1f79b56c
SSDEEP: 24576:SyQafCWzbGX90EO7SHvvR1vJTj13/kleCTysD7eWhZ+OI:5LfCW/GXtG8fRl/mNP+O
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
Attributes:
  auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Resource | YARA rule
behavioral1/files/0x0008000000023c7c-26.dat | healer
behavioral1/memory/4560-28-0x0000000000EE0000-0x0000000000EEA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iTc67ii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iTc67ii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iTc67ii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iTc67ii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iTc67ii.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iTc67ii.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (5 IoCs)
PID | Process
1376 | sMd69eR69.exe
2948 | seR20tx67.exe
3916 | shQ07NY07.exe
4560 | iTc67ii.exe
2860 | ket87DV.exe
Windows security modification (1 IoC)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iTc67ii.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sMd69eR69.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | seR20tx67.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | shQ07NY07.exe
Note: these wextract_cleanupN RunOnce values are the standard cleanup entries written by the wextract self-extracting stub to delete its IXP00n.TMP extraction directory at the next logon; here they reflect four nested self-extracting layers rather than a persistence mechanism for the payload.
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shQ07NY07.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ket87DV.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sMd69eR69.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | seR20tx67.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID | Process
4560 | iTc67ii.exe
4560 | iTc67ii.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 4560 | iTc67ii.exe
Token: SeDebugPrivilege | 2860 | ket87DV.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Description | PID | Process | procid_target
PID 4904 wrote to memory of 1376 | 4904 | da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | 85
PID 4904 wrote to memory of 1376 | 4904 | da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | 85
PID 4904 wrote to memory of 1376 | 4904 | da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe | 85
PID 1376 wrote to memory of 2948 | 1376 | sMd69eR69.exe | 87
PID 1376 wrote to memory of 2948 | 1376 | sMd69eR69.exe | 87
PID 1376 wrote to memory of 2948 | 1376 | sMd69eR69.exe | 87
PID 2948 wrote to memory of 3916 | 2948 | seR20tx67.exe | 89
PID 2948 wrote to memory of 3916 | 2948 | seR20tx67.exe | 89
PID 2948 wrote to memory of 3916 | 2948 | seR20tx67.exe | 89
PID 3916 wrote to memory of 4560 | 3916 | shQ07NY07.exe | 90
PID 3916 wrote to memory of 4560 | 3916 | shQ07NY07.exe | 90
PID 3916 wrote to memory of 2860 | 3916 | shQ07NY07.exe | 99
PID 3916 wrote to memory of 2860 | 3916 | shQ07NY07.exe | 99
PID 3916 wrote to memory of 2860 | 3916 | shQ07NY07.exe | 99
Processes (tree depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe (depth 1, PID 4904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe (depth 2, PID 1376)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe (depth 3, PID 2948)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe (depth 4, PID 3916)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe (depth 5, PID 4560)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe (depth 5, PID 2860)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Tactic | Technique | Sub-technique | Count
Persistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | 1
Persistence | Create or Modify System Process | Windows Service | 1
Downloads