Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 19:42

Static task: static1
Behavioral task: behavioral1
Sample: 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe
Resource: win10v2004-20241007-en

General

Target: 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe
Size: 669KB
MD5: 84c975f7f3c1c7ab277295ba8b0300ba
SHA1: 0fa7ad4ad0d7c8b9b7e25b94d4b977ad07cbb40a
SHA256: 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205
SHA512: 2d7ef0f53b9a17f998d07a7a113837af19046b60199a95b9643392cfc9893cdcb7197b72b62c949f8f2310d105ca172f4234461d1b882abaeed0c132c126042a
SSDEEP: 12288:6Mr2y909SeUBPi7ViOLEUSm/qUkgCZah4YuYKbtwh+OJIO:Ey1BK1EUSmyUkgCIh5ux6MOGO
Malware Config

Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource / yara_rule
  behavioral1/files/0x000b000000023b99-12.dat  healer
  behavioral1/memory/3920-15-0x0000000000520000-0x000000000052A000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description / ioc / Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  buvb70cA80.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  buvb70cA80.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  buvb70cA80.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  buvb70cA80.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  buvb70cA80.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  buvb70cA80.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
resource / yara_rule
  behavioral1/memory/2932-22-0x0000000002600000-0x0000000002646000-memory.dmp  family_redline
  behavioral1/memory/2932-24-0x0000000004B90000-0x0000000004BD4000-memory.dmp  family_redline
  behavioral1/memory/2932-25-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-26-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-28-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-30-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-32-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-34-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-36-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-38-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-40-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-42-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-44-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-46-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-48-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-50-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-52-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-54-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-56-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-58-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-60-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-62-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-64-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-66-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-68-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-70-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-72-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-74-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-76-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-78-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-80-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-82-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-84-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-86-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline
  behavioral1/memory/2932-88-0x0000000004B90000-0x0000000004BCE000-memory.dmp  family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid / Process
  1360  plYP23Fr06.exe
  3920  buvb70cA80.exe
  2932  caBz77Gi61.exe

Windows security modification (1 IoC)
description / ioc / Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  buvb70cA80.exe
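The two Defender-related signature tables above (the Real-Time Protection policy writes and the TamperProtection feature write) are the same tampering pattern seen from two angles, and the check is mechanical enough to automate. The script below is an added example, not code from this report or from the sandbox vendor: it parses rows in the report's own "Set value (int) <path> = "<data>" <process>" shape, flags a write when it sets one of the Real-Time Protection Disable* policy values to 1 or writes the TamperProtection feature value to 0, and groups the findings by writing process. The row format, the function names and the two control rows (a policy value written back to 0, and an unrelated RunOnce write) are my assumptions; the six positive rows are copied from this report's IoC tables.

```python
"""Flag Windows Defender tampering in sandbox-style registry set-value rows (added example)."""
import re
from dataclasses import dataclass

# Policy key whose Disable* values switch off a real-time protection component when set to 1.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# Feature value the sample wrote to 0, recording Tamper Protection as off.
TAMPER_VALUE_PATH = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# One row of the report's table: Set value (int|str) <path> = "<data>" <process>  (assumed shape)
ROW_RE = re.compile(r'^Set value \((?:int|str)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')


@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    reason: str


def parse_row(line: str):
    """Return (path, data, process) for a set-value row, or None for any other row type."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("data"), m.group("proc")


def detect_defender_tampering(rows):
    """Flag writes that disable a real-time protection component or turn Tamper Protection off."""
    findings = []
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        path, data, proc = parsed
        key, _, name = path.rpartition("\\")
        if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
            findings.append(Finding(proc, name, "real-time protection component disabled by policy"))
        elif path.lower() == TAMPER_VALUE_PATH.lower() and data == "0":
            findings.append(Finding(proc, name, "Tamper Protection feature value set to 0"))
    return findings


def by_process(findings):
    """Group flagged value names by the writing process, sorted, for a triage summary."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.process, []).append(f.value_name)
    return {p: sorted(v) for p, v in grouped.items()}


# Constructed input: the six rows from this report plus two control rows that must not fire.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" buvb70cA80.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" buvb70cA80.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" buvb70cA80.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" buvb70cA80.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" buvb70cA80.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buvb70cA80.exe',
    # control (constructed): the same policy value written back to 0 is a re-enable, not tampering
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    # control (constructed): an unrelated string write under RunOnce
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe advpack.dll,DelNodeRunDLL32" sample.exe',
]

if __name__ == "__main__":
    for proc, names in by_process(detect_defender_tampering(SAMPLE_ROWS)).items():
        print(proc, names)
```

Two caveats when reusing this on live telemetry: writes under HKLM\SOFTWARE\Policies and HKLM\SOFTWARE\Microsoft\Windows Defender require administrative rights, so a hit also tells you the dropper ran elevated (consistent with the SeDebugPrivilege use recorded for PID 3920 below); and on a host where Tamper Protection is actually enforced, Defender is designed to ignore these policy values, so the write itself is the indicator regardless of whether real-time protection survived.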
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  plYP23Fr06.exe
Both RunOnce values are the standard cleanup entry written by the Windows self-extracting (wextract/IExpress) stub: at next logon, rundll32 calls advpack.dll!DelNodeRunDLL32 to delete the IXP00x.TMP extraction directory. They show that the outer two layers are nested self-extracting archives; the entry runs a delete, not the payload, so it is not persistence for the stealer.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description / ioc / Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  caBz77Gi61.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  plYP23Fr06.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process
  3920  buvb70cA80.exe
  3920  buvb70cA80.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
  Token: SeDebugPrivilege  3920  buvb70cA80.exe
  Token: SeDebugPrivilege  2932  caBz77Gi61.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target
  PID 2896 wrote to memory of 1360  2896  0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe  83
  PID 2896 wrote to memory of 1360  2896  0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe  83
  PID 2896 wrote to memory of 1360  2896  0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe  83
  PID 1360 wrote to memory of 3920  1360  plYP23Fr06.exe  84
  PID 1360 wrote to memory of 3920  1360  plYP23Fr06.exe  84
  PID 1360 wrote to memory of 2932  1360  plYP23Fr06.exe  95
  PID 1360 wrote to memory of 2932  1360  plYP23Fr06.exe  95
  PID 1360 wrote to memory of 2932  1360  plYP23Fr06.exe  95
Processes

C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe (PID 2896)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe (PID 1360, child of 2896)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe (PID 3920, child of 1360)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe (PID 2932, child of 1360)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 393KB
MD5: d4219091803ebac63fb629c639387364
SHA1: 1937b3c3c02d2709009f121e580683af44ed603f
SHA256: 18e8e1bb79ebcd07894aa4bd97eee33207990749b521434bdabf93f615c53d27
SHA512: 73f37ed573bf503b231f1e357f5b6027d35b702ec8fcbc4249c80591e9064c7fbf58c81971e127488708ce0751fb86f7669a82923bc21c3414d6e9a0364ef5c0

Filesize: 12KB
MD5: 6e365e5a4be2edb6974d1f9989b26aed
SHA1: f9eb483bcbc21ec5ae7b72a49176c6db4965325d
SHA256: f9ba45273be1b0d06f7d1b759da86328510a0d551dee57b711aac2c9fc093ba8
SHA512: f3d0ca517ae48294145cc39d843b7b736700c302335171993cf7fa3925f16f9e45649420cc770cfeb062ce9dd3afe601c55fce216c993b619d551677a539cf0c

Filesize: 304KB
MD5: e8a74f8947be8861da483f9a1b725bea
SHA1: c9485cc022bb2ee5eb15bc98e1aa5330b1b5c09a
SHA256: b27c4b8cc67abed8e257f5b43a656dbfafea50833d2aae5b7fe545ac82d74727
SHA512: 4ac48c039d81d9b6f5dd9cd4700855bc27efec45bb167fbf0268ec56c238138865a9d9b9575b2e71f2ab204f29da0daff1e78f5ac12cb54d0383766b7c82e2e8