Analysis
max time kernel: 117s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12/11/2024, 20:37
Static task: static1
Behavioral task: behavioral1
Sample: b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
Resource: win10v2004-20241007-en
General
Target: b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
Size: 663KB
MD5: 9d317f4d7b295d2571ec0a901daf3870
SHA1: bf50c7c728e8f7c30df8c7d0433c4c133fb2ad79
SHA256: b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92
SHA512: 3797b4fdd315b5dc605bc66810c58d0a4a38a90789f1007bc58ab4a778937be49f6d1de2399fd0233a93a1b666898289eb6aa197e3fc1897b455743671d0ac3d
SSDEEP: 12288:dMrQy90oetPCXi1PYUGN0Iu+kUcAM+2CFmfkwrHdvmKKEdhdAO:9yktXYUG17kUFMVCFmfkY9vmKKc5
Malware Config
Extracted
Family: redline
Botnet: ramon
C2: 193.233.20.23:4123
auth_value: 3197576965d9513f115338c233015b40
Signatures
Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c65-12.dat | healer
behavioral1/memory/1764-15-0x0000000000CA0000-0x0000000000CAA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bpw79rx89.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bpw79rx89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bpw79rx89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bpw79rx89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bpw79rx89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bpw79rx89.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/224-22-0x00000000024F0000-0x0000000002536000-memory.dmp | family_redline
behavioral1/memory/224-24-0x00000000026D0000-0x0000000002714000-memory.dmp | family_redline
behavioral1/memory/224-38-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-36-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-88-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-84-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-82-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-80-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-78-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-76-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-74-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-72-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-68-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-66-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-64-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-62-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-60-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-58-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-56-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-54-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-52-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-50-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-46-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-44-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-42-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-40-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-86-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-70-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-48-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-34-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-32-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-30-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-28-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-26-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
behavioral1/memory/224-25-0x00000000026D0000-0x000000000270E000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1884 | pgT63bu58.exe
1764 | bpw79rx89.exe
224 | ckN62wa95.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bpw79rx89.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | pgT63bu58.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pgT63bu58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ckN62wa95.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1764 | bpw79rx89.exe
1764 | bpw79rx89.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1764 | bpw79rx89.exe
Token: SeDebugPrivilege | 224 | ckN62wa95.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4976 wrote to memory of 1884 | 4976 | b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | 84
PID 4976 wrote to memory of 1884 | 4976 | b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | 84
PID 4976 wrote to memory of 1884 | 4976 | b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | 84
PID 1884 wrote to memory of 1764 | 1884 | pgT63bu58.exe | 85
PID 1884 wrote to memory of 1764 | 1884 | pgT63bu58.exe | 85
PID 1884 wrote to memory of 224 | 1884 | pgT63bu58.exe | 93
PID 1884 wrote to memory of 224 | 1884 | pgT63bu58.exe | 93
PID 1884 wrote to memory of 224 | 1884 | pgT63bu58.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe"
    PID: 4976
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe
        PID: 1884
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe
            PID: 1764
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe
            PID: 224
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads
Filesize: 389KB
MD5: 258a6b2df5cad8c864bb75df2e1d3376
SHA1: 520d36fbdfd65e2bee1a999bec5d46ee6f7ee6ac
SHA256: 4ca7414afb2849216202055c68b7c134069a4ec2ea092abeb3770656f9cd18fe
SHA512: 653f66fbab322803658d017881e76d0792e98d4d64255f1983f7517d8b545cbaa6abf79e8a51f4ceb8db0bcd795988fd5144d038ac78ac121937f4d0e6c6ead7

Filesize: 11KB
MD5: 7720e60b1e2818e47418fa2551f90f07
SHA1: caa232d9a1939650cfd54f7890a74d46c7291356
SHA256: 83ba14557a7847fb9fd3b925051db3c3b6a32edadd232c8a7fd0bcc6e35ed98d
SHA512: cfd3f0be18ddde002d0b778b6231d24cc3dcf816fc47cd8a731e41419cdd833d66a11d9551076374dd61bf9dd5c0abf81606879f5ef4bceb7b87a93fcaa4e1bc

Filesize: 308KB
MD5: 268eb6c29660b671081e908c7edff532
SHA1: e43f244273c197c44bb8bc7ad1ae2583545724bf
SHA256: 44dcf8fd0be32702a4246205f7ac38abfed0f072fa42bbe79044476c5f2903d0
SHA512: a141e4bdedfcd313468ac3a967ed9a866efc5db3d060edeaa409f1fb278f02595921480192b0b43d02cc18fd2872ac045af2f01c86660d40b6b2f527074a3689