Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:47
Static task: static1
Behavioral task: behavioral1
Sample: b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe
Resource: win10v2004-20241007-en

General

Target: b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe
Size: 539KB
MD5: 095c7c82a98489aeaef0f462964fc198
SHA1: 4f3d7c21582c06b41356b4c519f5e345e5f78d78
SHA256: b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80
SHA512: dc3c8c67dba79bd2510d3c806fa8bbd7c254ec7fc548c5f732870fc0de795a3fa3b751a09b924a7dbb6afa32cb413cf19468103033197ffdbf975040973b164d
SSDEEP: 12288:IMr0y90DLuKVKBSWHqqjVNw9UyNQCQdgAa1YW:My+rEBFqqBiNodgv2W
Malware Config

Extracted
Family: redline
Botnet: down
C2: 193.233.20.31:4125
Attributes: auth_value = 12c31a90c72f5efae8c053a0bd339381
Signatures

Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023c67-12.dat | healer
behavioral1/memory/4584-15-0x0000000000C70000-0x0000000000C7A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9561.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9561.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9561.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9561.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9561.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9561.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
Redline family

Executes dropped EXE 3 IoCs
pid | Process
4976 | unio4459.exe
4584 | pro9561.exe
960 | qu5771.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9561.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio4459.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2856 | sc.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unio4459.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu5771.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4584 | pro9561.exe
4584 | pro9561.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4584 | pro9561.exe
Token: SeDebugPrivilege | 960 | qu5771.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1236 wrote to memory of 4976 | 1236 | b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe | 83
PID 1236 wrote to memory of 4976 | 1236 | b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe | 83
PID 1236 wrote to memory of 4976 | 1236 | b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe | 83
PID 4976 wrote to memory of 4584 | 4976 | unio4459.exe | 84
PID 4976 wrote to memory of 4584 | 4976 | unio4459.exe | 84
PID 4976 wrote to memory of 960 | 4976 | unio4459.exe | 97
PID 4976 wrote to memory of 960 | 4976 | unio4459.exe | 97
PID 4976 wrote to memory of 960 | 4976 | unio4459.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b4ac718c40662abd179030f497c3a40dfefd875fcb275124ce9e2a9b4a643d80.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1236

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4459.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio4459.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4976

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9561.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9561.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4584

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5771.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5771.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 960

C:\Windows\system32\sc.exe (depth 1)
Command line: C:\Windows\system32\sc.exe start wuauserv
- Launches sc.exe
PID: 2856
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 397KB
MD5: 09530b89037138100e9c674a1d68141c
SHA1: 0859d14af5681270fe2ca36acbc7bd2072e35cff
SHA256: 47d124ba9536eb76dce3fee9ac5c7e5e7c05e9be31baa2be307b499ad36911a7
SHA512: cfc779065aab051da195c7dbe4a8c2cbc5ef6909ac94417a68212b1ced65d2a2c422f59294c3566fa157a53d588e73eab735d7db1ee3c85829eed71f4fabc87d

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 356KB
MD5: 98669e867357aea9b07b21ccdb587a9d
SHA1: 52461e95df0a3d7bdcfa670108e944fa7f1dc8a3
SHA256: 05c872811dcd96a300431a026c52e2f0edd4021b884885ed8a5a033150e7ed54
SHA512: 79592e8459f13612d1b27938bd4714427de445a50cbff99ab165158ce867b46c755556b43372b8213cc5756c3a27771b391ef6c93fa9ae832c93198ba51db7b8