Analysis
max time kernel: 117s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:47

Static task: static1
Behavioral task: behavioral1
Sample: 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe
Resource: win10v2004-20241007-en
General
Target: 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe
Size: 1.2MB
MD5: ce48174683e6c20aed39934908d2a3f2
SHA1: 129c0265a97dbfe90339fd598af55231849a008f
SHA256: 5142102c7da0f3090d6d7a8bc6021dd11d64bcc3040e884514db25148f7f84ec
SHA512: f3e6a9faedd2d6c5b00745e36db753edd74a788170680b6e2f8b02baac44045f25e3d9c4981f417f1d002650c886bdc842c3c9304c4b9e1d66ef17117bf8fdeb
SSDEEP: 24576:dyilyisGwlWiclUxeZDw8AWQ0KXsp/DzlI5nI57HCL43hpbexpk7Z7w0RyC2P0:4iljsM7lUxgW2KYlSI5uwhpbexi7ZM0/
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca9-33.dat | healer
behavioral1/memory/1964-35-0x0000000000250000-0x000000000025A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | buQY92uJ96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | buQY92uJ96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | buQY92uJ96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | buQY92uJ96.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | buQY92uJ96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | buQY92uJ96.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/4952-41-0x0000000004DC0000-0x0000000004E06000-memory.dmp | family_redline
behavioral1/memory/4952-43-0x0000000007760000-0x00000000077A4000-memory.dmp | family_redline
behavioral1/memory/4952-63-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-75-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-107-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-105-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-103-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-102-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-99-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-97-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-95-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-93-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-91-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-89-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-87-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-83-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-81-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-79-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-77-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-73-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-71-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-69-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-67-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-65-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-61-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-59-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-58-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-53-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-51-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-49-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-85-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-55-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-47-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-45-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline
behavioral1/memory/4952-44-0x0000000007760000-0x000000000779E000-memory.dmp | family_redline

Redline family
Executes dropped EXE (6 IoCs)
pid | Process
4988 | plJJ83ZE32.exe
3068 | plTh81jw72.exe
1104 | plxb02qK13.exe
3788 | plIE49xu41.exe
1964 | buQY92uJ96.exe
4952 | caSq39ux69.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | buQY92uJ96.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plJJ83ZE32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plTh81jw72.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plxb02qK13.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | plIE49xu41.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caSq39ux69.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plJJ83ZE32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plTh81jw72.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plxb02qK13.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plIE49xu41.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1964 | buQY92uJ96.exe
1964 | buQY92uJ96.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1964 | buQY92uJ96.exe
Token: SeDebugPrivilege | 4952 | caSq39ux69.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1228 wrote to memory of 4988 | 1228 | 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe | 83
PID 1228 wrote to memory of 4988 | 1228 | 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe | 83
PID 1228 wrote to memory of 4988 | 1228 | 20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe | 83
PID 4988 wrote to memory of 3068 | 4988 | plJJ83ZE32.exe | 84
PID 4988 wrote to memory of 3068 | 4988 | plJJ83ZE32.exe | 84
PID 4988 wrote to memory of 3068 | 4988 | plJJ83ZE32.exe | 84
PID 3068 wrote to memory of 1104 | 3068 | plTh81jw72.exe | 86
PID 3068 wrote to memory of 1104 | 3068 | plTh81jw72.exe | 86
PID 3068 wrote to memory of 1104 | 3068 | plTh81jw72.exe | 86
PID 1104 wrote to memory of 3788 | 1104 | plxb02qK13.exe | 88
PID 1104 wrote to memory of 3788 | 1104 | plxb02qK13.exe | 88
PID 1104 wrote to memory of 3788 | 1104 | plxb02qK13.exe | 88
PID 3788 wrote to memory of 1964 | 3788 | plIE49xu41.exe | 89
PID 3788 wrote to memory of 1964 | 3788 | plIE49xu41.exe | 89
PID 3788 wrote to memory of 4952 | 3788 | plIE49xu41.exe | 95
PID 3788 wrote to memory of 4952 | 3788 | plIE49xu41.exe | 95
PID 3788 wrote to memory of 4952 | 3788 | plIE49xu41.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\20cd183570155f14057bdc2ea18e7198d65c5cb4042dfe55d87b575f2007e015N.exe"
  PID: 1228
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plJJ83ZE32.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plJJ83ZE32.exe
    PID: 4988
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plTh81jw72.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plTh81jw72.exe
      PID: 3068
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxb02qK13.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxb02qK13.exe
        PID: 1104
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plIE49xu41.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plIE49xu41.exe
          PID: 3788
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buQY92uJ96.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buQY92uJ96.exe
            PID: 1964
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSq39ux69.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caSq39ux69.exe
            PID: 4952
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1.0MB
MD5: 61d273146b25273285d27eace9334d73
SHA1: 21b843a4be7c1d2756fd9dc91953e8f773eed558
SHA256: 45e265dea59758ac99bbd7dda262471b9a7f56e54001c122b5745898676a59cc
SHA512: 1819f10344500652e907d855d33a0e3786d4575b228942549cd8de44077eb717797f5be8af1f5e87cc482b1b46f8dbd73ba2335ed164839ef0770d3e1b3ac957

Filesize: 971KB
MD5: 1c65d7ed5e3586a7ad2e6c30c5fa21f0
SHA1: aa1c8921489f0e8370f0b3f836ec2f3f16709439
SHA256: a743349cdd77be59d93fb3786fd0a68cdc78ea76710e308a0cce3837257fe93a
SHA512: 59feb354e939938a703218d4c9ce889623a026e40465f833b77249b61e98921c3b6b694fe9c4c34cdbfdef7b339498e1329979daac27da42f7b88aa3e3d6f232

Filesize: 690KB
MD5: 874fa1793604962a2b1b0eba384964d5
SHA1: a192bf6d9197513b8889909333a8a2da694979c9
SHA256: f4f3bf29a613c80cd947a8643a6d6ab81638ec3eb80a814e01dfe157ef934684
SHA512: 092541b664d7e058bb44d7dbbe096048227138384033035fc25fa4b0bf26ce462771294aaea4ba04215ae9814814e9bbe33d12aefd58fcd24efcc562c7fc229e

Filesize: 403KB
MD5: f6f68a58df4e09fa82cdf6409b69fd9e
SHA1: f47b4a375b7f5a661220732a0347b36cba9ba3ce
SHA256: 0178b51135f56f331e8f78149858a76d82a0c73137f17c493e9cb617678efd4d
SHA512: 5741dab820b559e29acbd041960ec13b9fceb9f61316da986f5ee1c46454167e61c2b2a31ce1bc2c624bf5085e69ae3c08396ddbf00dce3b253e78b04e4a7b76

Filesize: 15KB
MD5: 45b8301c4da3ccf9a2ae7f96b7a32d28
SHA1: 9e83dbd88b40f4285bea300e6b8d91e1acdab294
SHA256: 7594c5b603b58d2f66fcb876413baca0560bb69be9da50c0eee2ac5faa0b18c0
SHA512: bcba9be12cbd211a5a86872e259683614a39f32e1678a843db909f822b06a370145bedb838116a8a604d8c8cb222106026b8f153a75c6fcdd450d6d73c575e8c

Filesize: 378KB
MD5: 0699a3dd8a0bfbef309a3c474b22b56d
SHA1: 8f8218184e8f28b14b8a3d5f828e28b9d8cd40a8
SHA256: 0fe939fc94b4462887001499c9acd988653938b21d30b6eadfa023629edad178
SHA512: 6dff28c979b7efeb3b8fccb98102b1adeaa5e31aebf01713c76f8055c7ac520bc8b37857f442e1d0de5d4b77295325b485cf8d53d72fd4d22091211de4ef26cd