Analysis

Max time kernel: 143s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/11/2024, 06:46
Static task: static1
Behavioral task: behavioral1
Sample: 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe
Resource: win10v2004-20241007-en
General

Target: 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe
Size: 535KB
MD5: 763d82706320303a38fcd016715ddfe7
SHA1: b4551cfe898e76d603cad5f51f0283c3d0ff39c0
SHA256: 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf
SHA512: b637862b17ef101f3d5cc90ed55927b0e4dc954198b744e7b4bfc7ed4bceab63290e7a22c528d9328c7e50a1dbfafb68b78fe4cb59163ce105afeaa7ae820ed7
SSDEEP: 6144:Kiy+bnr+xp0yN90QE5RdqVKo8IntDHJCOOv3nroaF4FXjCcKfyQA1TFurko14qo9:2MrVy90rqVJt8L3rn6FXmctx5DcUt
Malware Config

Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c67-12.dat | healer
behavioral1/memory/1964-15-0x0000000000950000-0x000000000095A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | sw36VE07WN93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sw36VE07WN93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | sw36VE07WN93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sw36VE07WN93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | sw36VE07WN93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sw36VE07WN93.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1912 | vyV7282KX.exe
1964 | sw36VE07WN93.exe
448 | tpw71Uq97.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | sw36VE07WN93.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vyV7282KX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vyV7282KX.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tpw71Uq97.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1964 | sw36VE07WN93.exe
1964 | sw36VE07WN93.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1964 | sw36VE07WN93.exe
Token: SeDebugPrivilege | 448 | tpw71Uq97.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4272 wrote to memory of 1912 | 4272 | 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe | 83
PID 4272 wrote to memory of 1912 | 4272 | 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe | 83
PID 4272 wrote to memory of 1912 | 4272 | 8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe | 83
PID 1912 wrote to memory of 1964 | 1912 | vyV7282KX.exe | 84
PID 1912 wrote to memory of 1964 | 1912 | vyV7282KX.exe | 84
PID 1912 wrote to memory of 448 | 1912 | vyV7282KX.exe | 97
PID 1912 wrote to memory of 448 | 1912 | vyV7282KX.exe | 97
PID 1912 wrote to memory of 448 | 1912 | vyV7282KX.exe | 97
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8991654af5fccfd9e8cd36fcc642d9aae48e3c011d9b3b49597a1415a39bd6cf.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4272

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vyV7282KX.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vyV7282KX.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1912

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw36VE07WN93.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw36VE07WN93.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1964

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tpw71Uq97.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tpw71Uq97.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 448
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 391KB
MD5: f254f74b32fc7d6679b931a95a1acd0d
SHA1: 41538c27d591342c33e4f03db4f2be106a0a57a8
SHA256: 597269c3eed5cea49b3dad963a45b72068e03e454521b21bd53f46329ee9d033
SHA512: 082df44cb81c7c1ae20e2ba5195decaffe332a5a10d69234104edca449c4a92cc9fe3ce54c4fec4e4050935ab049acc07aca98511a523bec4eb560c2f79505ff

Filesize: 17KB
MD5: 482ae1cc580deb5dc3bf07fbbdd2d55a
SHA1: 528f0d3119eab3e18df01ef1dad3190a2137347c
SHA256: e4a1a765574c707495dfd8dad20bf5e09d4651d4e989d4799877eec3baa93cfa
SHA512: df7dd2defc8a3ed0268de91ff57f5b67fc30979ee5739f1953a2452f79e591076143326d3be386f263f087885f29a9ce79e460eeee6244593b5c21e2fdf129ec

Filesize: 302KB
MD5: b0b07df44fd27fecf8a8ed8735a76c78
SHA1: 33e2470f3dea8a97ecff3109daed706e174201b4
SHA256: c1628dae076220ce412d7342a5880f545b9ecec4fc819e1ee50d16b483b8e374
SHA512: 3e251045447c14c3aa8948ef5a625fd29a87f4ca05330a390e5830fa3cc399d28caa5c03c481b7e97b1d41ef3717872e45bad6609ae3f17ed45fd7be950fd2a7