Analysis

- max time kernel: 117s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 19:40
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe
  - Resource: win10v2004-20241007-en
General

- Target: 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe
- Size: 682KB
- MD5: 10d00805124190094a9d4924a72d25d0
- SHA1: 4dcdb4979db2ba37f0a8c1eb9f7b05192937e7e7
- SHA256: 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005
- SHA512: b4d3a77d5f46202def625e75e6ecdbae1173f40b499cef665071d098788d439af2cd986cb0a0160124da3026fe07112e24c7d99a17393dc0ac19c0b0d9a5d5be
- SSDEEP: 12288:MMrby909ha3VnWXIMak8357gzC/S+10umha6S3pIJqFDLfTxc9p4dixbCgvSNFW:Hyq8VXk83RMCL0n8aJqFDLfTxu4w/2FW
Malware Config

Extracted
- Family: redline
- Botnet: rumfa
- C2: 193.233.20.24:4123
- Attributes: auth_value = 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

| resource | yara_rule |
| behavioral1/files/0x0008000000023c97-12.dat | healer |
| behavioral1/memory/3732-15-0x00000000008A0000-0x00000000008AA000-memory.dmp | healer |

The memory match is in PID 3732 (beBu54jN88.exe), the same process that rewrites the Defender policy keys below.

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)

| description | ioc | Process |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | beBu54jN88.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | beBu54jN88.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | beBu54jN88.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | beBu54jN88.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | beBu54jN88.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | beBu54jN88.exe |

These are the Group Policy-backed Defender settings under HKLM\SOFTWARE\Policies. On a host with Tamper Protection enabled these writes do not take effect, which is why the same process also tries to switch Tamper Protection off (see "Windows security modification" below).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)

All 35 matches of rule family_redline are in PID 532 (cuFf14AY50.exe). The dumps differ only in the sequence number embedded in the resource name:

| resource | yara_rule |
| behavioral1/memory/532-22-0x0000000004B10000-0x0000000004B56000-memory.dmp | family_redline |
| behavioral1/memory/532-24-0x0000000004CC0000-0x0000000004D04000-memory.dmp | family_redline |
| behavioral1/memory/532-N-0x0000000004CC0000-0x0000000004CFE000-memory.dmp for N in 25, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88 (33 dumps) | family_redline |
Redline family
-
Executes dropped EXE (3 IoCs)

| pid | Process |
| 3032 | ptwF6265Ke.exe |
| 3732 | beBu54jN88.exe |
| 532 | cuFf14AY50.exe |

Windows security modification (1 IoC)

| description | ioc | Process |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | beBu54jN88.exe |

Tamper Protection guards this value itself, so where it is enabled the write is not honoured; the attempt is the indicator, not the resulting state.
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | ptwF6265Ke.exe |

These two RunOnce values are the standard cleanup hook written by the Windows WEXTRACT (IExpress) self-extractor: advpack.dll's DelNodeRunDLL32 deletes the IXPnnn.TMP extraction directory at next logon, and the RunOnce value is removed once it runs. They show that the sample and ptwF6265Ke.exe are nested self-extracting packages (IXP000.TMP from the first, IXP001.TMP from the second), not that the malware persists through a Run key.
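Triage rules for the registry activity above, as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style "registry value set" records (fields Image, TargetObject, Details are assumed in simplified form, with values rendered as plain strings rather than Sysmon's DWORD notation). The sample records mirror this report's writes plus two constructed contrasts: a write that re-enables real-time monitoring, which must not fire, and a genuine Run key entry, which must be rated differently from the WEXTRACT cleanup hook.

```python
import re
from collections import Counter

# Registry paths exactly as the sandbox renders them (HKLM appears as \REGISTRY\MACHINE).
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
# Run / RunOnce value under any hive prefix (WOW6432Node included); group 2 is the value name.
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
# WEXTRACT/IExpress cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<temp dir>"
WEXTRACT_RE = re.compile(r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"', re.IGNORECASE)


def classify(event):
    """Return (rule, severity) for one registry-set event, or None if it is uninteresting."""
    target, value = event["TargetObject"], event["Details"]
    # Any Disable* policy value under Real-Time Protection set to 1 turns a Defender feature off.
    if target.startswith(RTP_POLICY + "\\Disable") and value == "1":
        return ("defender_rtp_disabled", "high")
    if target == TAMPER_KEY and value == "0":
        return ("defender_tamper_protection_off", "high")
    m = AUTORUN_RE.search(target)
    if m:
        name = m.group(2).lower()
        # Self-extractor cleanup hook: tells you about packaging, not persistence.
        if name.startswith("wextract_cleanup") and WEXTRACT_RE.match(value):
            return ("wextract_cleanup_runonce", "info")
        return ("autorun_persistence", "medium")
    return None


def scan(events):
    findings = []
    for e in events:
        hit = classify(e)
        if hit is not None:
            findings.append({"rule": hit[0], "severity": hit[1],
                             "process": e["Image"], "target": e["TargetObject"]})
    return findings


def summarize(events):
    """Count findings per rule, the shape you would feed into a sandbox-style signature list."""
    return Counter(f["rule"] for f in scan(events))


def ev(image, target, details):
    return {"Image": image, "TargetObject": target, "Details": details}


HEALER = "beBu54jN88.exe"
DROPPER = "2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed records mirroring the report; the last two are contrasts that are not in the report.
SAMPLE_EVENTS = [
    ev(HEALER, RTP_POLICY + "\\DisableBehaviorMonitoring", "1"),
    ev(HEALER, RTP_POLICY + "\\DisableIOAVProtection", "1"),
    ev(HEALER, RTP_POLICY + "\\DisableOnAccessProtection", "1"),
    ev(HEALER, RTP_POLICY + "\\DisableRealtimeMonitoring", "1"),
    ev(HEALER, RTP_POLICY + "\\DisableScanOnRealtimeEnable", "1"),
    ev(HEALER, TAMPER_KEY, "0"),
    ev(DROPPER, RUNONCE + "\\wextract_cleanup0",
       r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    ev("ptwF6265Ke.exe", RUNONCE + "\\wextract_cleanup1",
       r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    ev("admin-script.exe", RTP_POLICY + "\\DisableRealtimeMonitoring", "0"),   # re-enabling: no finding
    ev("updater.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
       r"C:\Users\Admin\AppData\Roaming\updater.exe"),                             # real autorun entry
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:30} {f['process']}  {f['target']}")
```

The two Defender rules are kept separate on purpose: a policy write under HKLM\SOFTWARE\Policies can come from legitimate GPO tooling, whereas a process other than Defender itself writing TamperProtection = 0 has no benign explanation worth whitelisting.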
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Ordinary locale initialisation reads this key as well, so it is a low-confidence indicator on its own; it is consistent with the CIS-locale exclusion commonly seen in RedLine builds, but the report does not show the outcome of any such check.

| description | ioc | Process |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ptwF6265Ke.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cuFf14AY50.exe |
Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
| 3732 | beBu54jN88.exe |
| 3732 | beBu54jN88.exe |

Both hits are from the Healer stage (PID 3732).
Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
| Token: SeDebugPrivilege | 3732 | beBu54jN88.exe |
| Token: SeDebugPrivilege | 532 | cuFf14AY50.exe |
Suspicious use of WriteProcessMemory (8 IoCs)

This signature also fires on the ordinary CreateProcess sequence, in which the parent writes the new process's startup parameters into the child, so it is low confidence on its own. Here it documents the parent/child chain (1424 -> 3032 -> 3732 and 532) rather than injection into an unrelated process.

| description | pid | Process | procid_target |
| PID 1424 wrote to memory of 3032 | 1424 | 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe | 83 |
| PID 1424 wrote to memory of 3032 | 1424 | 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe | 83 |
| PID 1424 wrote to memory of 3032 | 1424 | 2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe | 83 |
| PID 3032 wrote to memory of 3732 | 3032 | ptwF6265Ke.exe | 84 |
| PID 3032 wrote to memory of 3732 | 3032 | ptwF6265Ke.exe | 84 |
| PID 3032 wrote to memory of 532 | 3032 | ptwF6265Ke.exe | 101 |
| PID 3032 wrote to memory of 532 | 3032 | ptwF6265Ke.exe | 101 |
| PID 3032 wrote to memory of 532 | 3032 | ptwF6265Ke.exe | 101 |
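Rebuilding the process tree from those eight records, as an added example that is not part of the sandbox report. The PID-to-image map and the (writer, target) pairs are constructed from the table above, duplicates included, since the sandbox logs one record per write. The first writer into a PID is taken as its parent, which is the CreateProcess pattern described above; the unpack-depth helper counts how many ancestors run out of a WEXTRACT IXPnnn.TMP directory, which is how the nested self-extractor stages show up in the tree.

```python
import re
from collections import Counter, defaultdict

# Constructed from the report's process list.
IMAGE = {
    1424: r"C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe",
    3032: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe",
    3732: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe",
    532:  r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe",
}
# Constructed from the eight "wrote to memory of" records: (writer pid, target pid).
WPM_RECORDS = [(1424, 3032)] * 3 + [(3032, 3732)] * 2 + [(3032, 532)] * 3

# WEXTRACT/IExpress extraction directory in the image path.
IXP_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def build_tree(records):
    """Return (parent map, children map, write counts per edge).

    The first process that writes into a pid is recorded as its parent; later
    writes into the same pid only add to the edge count.
    """
    parent, children = {}, defaultdict(list)
    for writer, target in records:
        if target != writer and target not in parent:
            parent[target] = writer
            children[writer].append(target)
    return parent, dict(children), Counter(records)


def roots(parent, records):
    """Pids that nobody wrote into: the top of each chain."""
    pids = {p for rec in records for p in rec}
    return sorted(p for p in pids if p not in parent)


def lineage(pid, parent):
    """Ancestry from pid up to its root, pid first."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def render(root, children, image=IMAGE, depth=0):
    """Indented tree as a list of lines, one per process."""
    lines = [f"{'  ' * depth}{root}  {image[root]}"]
    for child in children.get(root, []):
        lines.extend(render(child, children, image, depth + 1))
    return lines


def unpack_depth(pid, parent, image=IMAGE):
    """How many processes in pid's lineage (itself included) run from an IXPnnn.TMP directory."""
    return sum(1 for p in lineage(pid, parent) if IXP_RE.search(image[p]))


if __name__ == "__main__":
    parent, children, writes = build_tree(WPM_RECORDS)
    for root in roots(parent, WPM_RECORDS):
        print("\n".join(render(root, children)))
    for pid in IMAGE:
        print(f"{pid}: {writes_total} writes in, unpack depth {unpack_depth(pid, parent)}"
              if (writes_total := sum(n for (w, t), n in writes.items() if t == pid)) or True else "")
```

Two WEXTRACT stages deep (beBu54jN88.exe and cuFf14AY50.exe both report depth 2) is the shape to look for in the dropped-file list: the outer package unpacks a second package, which unpacks the Healer and RedLine executables side by side.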
Processes

1. C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2072fd42546d9a6a03e57bbc7463a13054e91ea0536705f5844280eec586d005N.exe"
   PID: 1424
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptwF6265Ke.exe
      PID: 3032
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beBu54jN88.exe
         PID: 3732
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cuFf14AY50.exe
         PID: 532
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

The report lists three dropped files by hash; their paths are not shown on this page.

File 1
- Filesize: 399KB
- MD5: 66b74bc40917d8f05a79548e167703c4
- SHA1: 492bc58df520709f02a6de8f2e668470adb8bf2f
- SHA256: 7795a6881ab3dcec8c00e6d42b000a970c24cc4d5349152342b4061fcfedccac
- SHA512: fc441b654f20cbf9ec7f962c97f62ca51e098317e7bc7f031515f2bcb2a57ce6c966b185c6b6080e9a79736af04ccdc9f4d587acf088e8b1e120a9431b9bb46a

File 2
- Filesize: 14KB
- MD5: 679e2fb590e993f2009fd37a069c8c81
- SHA1: 666c2773e8715c34e544f377264adab4f6112e8a
- SHA256: 827ffe1495757c587d273f213a014d1bdc2eec223ed03fe3242ad739ff37d5fa
- SHA512: f075a6593598427320ebdef163695353ce0429602c6529ff140c89d0843aa2c02c58a6ad6319e833dda7759214b779a5a56daeabc72589ba01a87d1c95b98b6a

File 3
- Filesize: 375KB
- MD5: 8543cf3384382f56703a6ee451ac68f3
- SHA1: 353211899c2c986e0d038a11f566e02e3113e113
- SHA256: 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf
- SHA512: 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186