Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 09:11
Static task: static1
Behavioral task: behavioral1
Sample: 2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe
Resource: win10v2004-20241007-en
General
Target: 2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe
Size: 1.1MB
MD5: 25eb0e30d0a153ce04bed256cf062511
SHA1: e61a04475cd9c5f477728acf7c121d54fbf27d5d
SHA256: 2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9
SHA512: 58bed6a30b6ae608c1e6eed8ae4aea60299086dca0e4e59110b02609ad1216f8e6f381c1573fd6c6ee282e9aace4376b42ae4f6c770af0539978ba311f517597
SSDEEP: 24576:TyM4CyzgU6G4aQ74vz+f7sqfUy+6iZY81ngldB22ACew4Zw:m3VN4L2GsWsfY81glL22hl
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
behavioral1/files/0x000a000000023bbc-26.dat (yara_rule: healer)
behavioral1/memory/2892-28-0x0000000000350000-0x000000000035A000-memory.dmp (yara_rule: healer)
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes:
iCj50sH.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Processes:
behavioral1/memory/3496-34-0x0000000004BE0000-0x0000000004C26000-memory.dmp (yara_rule: family_redline)
behavioral1/memory/3496-36-0x0000000004D90000-0x0000000004DD4000-memory.dmp (yara_rule: family_redline)
behavioral1/memory/3496-N-0x0000000004D90000-0x0000000004DCF000-memory.dmp (yara_rule: family_redline) for N in 37, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 71, 72, 74, 76, 79, 80, 82, 85, 86, 88, 91, 92, 94, 97, 98, 100 (33 snapshots of the same region in PID 3496, kIA62QB.exe)
Redline family
-
Executes dropped EXE (5 IoCs)
Processes:
- PID 1268: smu14Cy36.exe
- PID 4896: sXz63eM42.exe
- PID 4680: stX43rV99.exe
- PID 2892: iCj50sH.exe
- PID 3496: kIA62QB.exe
Windows security modification (1 IoC)
Processes:
iCj50sH.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Note that the sandbox records the registry write itself. On a host where Tamper Protection is enabled, Defender is designed to ignore registry changes of exactly this kind (both this value and the Real-Time Protection policy values above), so whether the write actually disables protection depends on that state on the target endpoint.
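The registry writes attributed to iCj50sH.exe (the five Real-Time Protection policy values set to 1 and TamperProtection set to 0) are what a responder would hunt for on other hosts. The following Python is an added example, not code from the sandbox report or from the malware: it normalises registry write events given either in the \REGISTRY\MACHINE form used on this page or in the Sysmon Event ID 13 HKLM form, flags the exact values Healer set, and groups hits per writing process so that one process disabling several settings stands out from a single stray policy write. The event records are constructed from the IoCs on this page; the svchost.exe writer allow-list, the sample.exe placeholder path and the rule names are assumptions for illustration.

```python
"""Flag Healer-style Windows Defender tampering in registry write events.

Added example for this report, not sandbox or malware code. Events may use
the \\REGISTRY\\MACHINE form seen in the report or Sysmon's HKLM\\ form.
Sample events are constructed from the report's IoCs; the writer allow-list
is an assumption to tune per estate.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

# The five policy values iCj50sH.exe set to 1 (from the signature above).
HEALER_RTP_VALUES = frozenset({
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
})
# Assumption: the Group Policy client (hosted in svchost.exe) is the only
# legitimate writer of these values here. Tune for the monitored estate.
ALLOWED_WRITERS = frozenset({r"c:\windows\system32\svchost.exe"})


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    key: str
    value_name: str
    data: Optional[int]


def normalize_key(path: str) -> str:
    """Rewrite NT-native and long HKLM prefixes to the short HKLM\\ form."""
    path = path.strip()
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path, flags=re.I)


def parse_dword(details: str) -> Optional[int]:
    """Accept Sysmon 'DWORD (0x00000001)' as well as the report's '"1"'."""
    hex_match = re.search(r"0x([0-9a-fA-F]+)", details)
    if hex_match:
        return int(hex_match.group(1), 16)
    dec_match = re.search(r"\d+", details)
    return int(dec_match.group()) if dec_match else None


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a Defender-disabling SetValue, else None."""
    if event.get("EventType") != "SetValue":
        return None  # key creation alone is not a settings change
    image = event.get("Image", "")
    if image.lower() in ALLOWED_WRITERS:
        return None
    key, _, value_name = normalize_key(event["TargetObject"]).rpartition("\\")
    data = parse_dword(event.get("Details", ""))
    if (key.lower() == RTP_POLICY_KEY.lower()
            and value_name in HEALER_RTP_VALUES and data == 1):
        return Finding("defender_rtp_disabled_by_policy", image, key, value_name, data)
    if key.lower() == FEATURES_KEY.lower() and value_name == "TamperProtection" and data == 0:
        return Finding("defender_tamper_protection_off", image, key, value_name, data)
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


def healer_like(findings: Iterable[Finding], threshold: int = 3) -> Set[str]:
    """Images that disabled at least `threshold` RTP settings (the dropper hit all five)."""
    per_image: dict = {}
    for f in findings:
        if f.rule == "defender_rtp_disabled_by_policy":
            per_image.setdefault(f.image, set()).add(f.value_name)
    return {img for img, names in per_image.items() if len(names) >= threshold}


# Constructed sample: the six writes recorded for iCj50sH.exe, plus noise
# that must not fire (key creation, a GPO write, the WExtract RunOnce entry).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCj50sH.exe"
RTP_NT = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    *({"EventType": "SetValue", "Image": DROPPER, "Details": '"1"',
       "TargetObject": RTP_NT + "\\" + name} for name in sorted(HEALER_RTP_VALUES)),
    {"EventType": "SetValue", "Image": DROPPER, "Details": '"0"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventType": "CreateKey", "Image": DROPPER, "TargetObject": RTP_NT},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",  # placeholder path
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.rule}: {hit.image} -> {hit.value_name}={hit.data}")
    print("Healer-like writers:", healer_like(hits))
```

Feed it Sysmon Event ID 13 records (fields EventType, Image, TargetObject, Details) exported from a SIEM, or the registry entries of another sandbox run. The per-image threshold in healer_like is the useful knob: a single policy value flipped by an unexpected writer is worth a look, but one process setting three or more of the five Real-Time Protection values in quick succession is the pattern this dropper shows.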
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- 2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- smu14Cy36.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- sXz63eM42.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- stX43rV99.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
RunOnce entries of the form wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are written by the Windows self-extracting cabinet stub (WExtract/IExpress) to delete its temporary extraction folder at next logon. Here they reflect the four nested self-extracting layers of the dropper chain rather than a Run key that re-launches the RedLine payload.
Launches sc.exe (1 IoC)
sc.exe is the Windows utility for controlling services on the system.
Processes:
- PID 5100: sc.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- smu14Cy36.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- sXz63eM42.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- stX43rV99.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- kIA62QB.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2892: iCj50sH.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 2892 iCj50sH.exe: Token: SeDebugPrivilege
- PID 3496 kIA62QB.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
- PID 2292 (2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe) wrote to memory of PID 1268, procid_target 84 (3 events)
- PID 1268 (smu14Cy36.exe) wrote to memory of PID 4896, procid_target 86 (3 events)
- PID 4896 (sXz63eM42.exe) wrote to memory of PID 4680, procid_target 87 (3 events)
- PID 4680 (stX43rV99.exe) wrote to memory of PID 2892, procid_target 88 (2 events)
- PID 4680 (stX43rV99.exe) wrote to memory of PID 3496, procid_target 95 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe (PID 2292, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2cde295ac83c91cfcafea7475b9246f5293be3da722c66edd001b1c32e8fbeb9.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smu14Cy36.exe (PID 1268, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smu14Cy36.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sXz63eM42.exe (PID 4896, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sXz63eM42.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stX43rV99.exe (PID 4680, depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stX43rV99.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCj50sH.exe (PID 2892, depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iCj50sH.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kIA62QB.exe (PID 3496, depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kIA62QB.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe (PID 5100, depth 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize: 940KB
MD5: 803a3ec1f2e04b411ecf541615e4c3a6
SHA1: e49b3bd41053d7adc907f0679f9fe3fbc34b31f4
SHA256: 4ada08a03d6055126358e6ac450998d9da35dcadc8d0c9a1680103beb669b679
SHA512: 39fe4fa25e2f9f9088f2dbbd49771d072d185d5aeda700cd7bc95bf805349cedc06ad00c60446f0f4bab06ad9ba6c40f73f9fd77f5030690b44911d31e30ab02
-
Filesize: 682KB
MD5: 9847aa95ea31f71b369e26bc6c8d4f14
SHA1: 522b99d421f7b92a6aa310642376e1ccb7490ac1
SHA256: ba609ac97c0a14531b17545f18420d61ded612fe6b56595cd199a7403cdb2eb3
SHA512: d4c8014fdf669722de7f2cebacfd8915a91139f1eb2b6492d127c9adf924e136418d7059fd0a47ff9038f9cf19a0bb7a7729942c1ce4a89fde15aaaf44e898f0
-
Filesize: 399KB
MD5: 94471e802f1d67f36eb7daf8510837ff
SHA1: c88ac7050484e4c3189a0ab6d9c7d19ee58f3185
SHA256: 49a559acf73e276b402dc72f64f1152e6ce3ce52a4a91c74e6f4dd6ea4e1a082
SHA512: 157a954c68f4e372aa67a00da21eead6230e1609fe80bbf74d6f1b3ca70db66631b50f1371dc58cd7452ced96e2e240bb793e2188d80236d88f4637078faf4e1
-
Filesize: 11KB
MD5: 49c153cd9d524dbebaf46d0ab03400fc
SHA1: 4def9c234cf7759c8d3ba393c816d46a17c96101
SHA256: cfe947ed37d68b074ed23df1f480d8c732169e905933fe3cc77c0f8faa226d2c
SHA512: 5aea0bc7b5ef02105467b462d966a2c92ce88315a372dcbae0a9264b0f6b6bf5969c760ae7f36a4e378decd49fcda645fcb7f1d17d40c26d7da65f13d045ad45
-
Filesize: 362KB
MD5: 89043a2a2ea21c3bd2a007ecd51c585f
SHA1: 8a69615923db088e06a0ea0e6b9c0c910275573d
SHA256: f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf
SHA512: 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd