Analysis
max time kernel: 117s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 13:28
Static task: static1
Behavioral task: behavioral1
Sample: 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe
Resource: win10v2004-20241007-en
General
Target: 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe
Size: 1.0MB
MD5: 4628f51fbc016b0fca9f4a16ae4c98a1
SHA1: 943b7b5bf5143e4b541bf3be7351fa2f54b1097d
SHA256: 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885
SHA512: a43ea6ffb9c3cfab86ad1f6c645d6c5df05a009ea590b646fba474ac9955ad9ac01a954eccfa3ac4d0015d7be9fe42703af7e387467769382175f2688d071df2
SSDEEP: 24576:uy2gxV/WWZtI6hQFA6He1n58OvH8Of6JAHfZwbLHze:9FzHLye1n58yHpiqOPS
Malware Config
Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0008000000023c6e-26.dat | healer
behavioral1/memory/3776-28-0x0000000000080000-0x000000000008A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bumd43ek74.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bumd43ek74.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bumd43ek74.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bumd43ek74.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bumd43ek74.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bumd43ek74.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1432-34-0x0000000004CB0000-0x0000000004CF6000-memory.dmp | family_redline
behavioral1/memory/1432-36-0x00000000071C0000-0x0000000007204000-memory.dmp | family_redline
behavioral1/memory/1432-42-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-50-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-98-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-96-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-94-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-92-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-90-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-88-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-86-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-82-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-80-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-78-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-76-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-74-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-72-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-70-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-66-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-64-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-62-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-60-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-58-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-56-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-54-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-48-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-46-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-44-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-100-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-84-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-68-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-52-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-40-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-38-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
behavioral1/memory/1432-37-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 5 IoCs
Processes:
pid | Process
1496 | plNb34cT95.exe
2916 | plBa92kk55.exe
4072 | plQS14RA39.exe
3776 | bumd43ek74.exe
1432 | caPi83YI00.exe
Windows security modification
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bumd43ek74.exe
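Added example, not part of the sandbox report: a small Python checker that parses registry-write events in the same description / ioc / process shape the tables above use and flags the two things Healer does, forcing the Defender Real-Time Protection policy values to 1 and writing TamperProtection = 0. The sample events are constructed: the first seven mirror bumd43ek74.exe's writes as listed above, the last two (gpupdate.exe re-enabling monitoring, setup.exe writing an ordinary Run value) are invented negatives to show what is not flagged. The finding names and the threshold in is_av_disabler are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample events (first seven mirror the report's bumd43ek74.exe rows,
# the last two are invented negative cases).
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bumd43ek74.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\Admin\OneDrive.exe" setup.exe
'''

# Key paths as they appear in the report. Registry paths are case-insensitive, so
# comparisons below are done on lower-cased strings.
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (.+) (\S+)$")


def parse_event(line):
    """Parse one 'description ioc process' row; return a dict or None if unrecognised."""
    m = SET_RE.match(line)
    if m:
        return {"op": "set", "type": m.group(1), "path": m.group(2),
                "value": m.group(3), "process": m.group(4)}
    m = KEY_RE.match(line)
    if m:
        return {"op": "key_created", "path": m.group(1), "process": m.group(2)}
    return None


def classify(event):
    """Name the finding for one event, or None. Creating the policy key alone is
    not flagged: Group Policy creates it legitimately."""
    if event["op"] != "set":
        return None
    key, _, name = event["path"].rpartition("\\")
    # Any Disable* value under the RTP policy key forced to 1 turns a protection off.
    if key.lower() == RTP_POLICY.lower() and name.lower().startswith("disable") \
            and event["value"] == "1":
        return f"defender_rtp:{name}"
    if event["path"].lower() == TAMPER.lower() and event["value"] == "0":
        return "defender_tamper_protection_off"
    return None


def analyze(text):
    """Return {process: sorted findings} for every process with at least one finding."""
    findings = defaultdict(list)
    for line in text.strip().splitlines():
        event = parse_event(line.strip())
        if event is None:
            continue
        finding = classify(event)
        if finding:
            findings[event["process"]].append(finding)
    return {proc: sorted(fs) for proc, fs in findings.items()}


def is_av_disabler(findings):
    """Assumed threshold: the tamper-protection write alone, or two or more RTP
    policy disables, is treated as deliberate AV disabling rather than noise."""
    rtp = [f for f in findings if f.startswith("defender_rtp:")]
    return "defender_tamper_protection_off" in findings or len(rtp) >= 2


if __name__ == "__main__":
    for proc, fs in analyze(SAMPLE_EVENTS).items():
        print(proc, "AV disabler" if is_av_disabler(fs) else "suspicious", fs)
```

The policy path (`...\Policies\Microsoft\Windows Defender\...`) is the one that matters: Defender honours policy values over its own `HKLM\SOFTWARE\Microsoft\Windows Defender` settings, which is why droppers like this one write there. A "Set value" row in a sandbox means the call was made, not that the write took effect; with Tamper Protection on, Windows rejects these changes, so the order here (Real-Time Protection values first, TamperProtection last) is worth noting when reproducing the behaviour on a hardened host.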
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | plNb34cT95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | plBa92kk55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | plQS14RA39.exe
Note: the wextract_cleanup RunOnce values are written by Windows' own self-extracting cabinet stub (wextract), one per nesting level, and only delete the IXP00n.TMP extraction directory at next logon. They identify four nested SFX layers, not persistence for the payload.
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plNb34cT95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plBa92kk55.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | plQS14RA39.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caPi83YI00.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | Process
3776 | bumd43ek74.exe
3776 | bumd43ek74.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3776 | bumd43ek74.exe
Token: SeDebugPrivilege | 1432 | caPi83YI00.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | Process | procid_target
PID 3628 wrote to memory of 1496 | 3628 | 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe | 84
PID 3628 wrote to memory of 1496 | 3628 | 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe | 84
PID 3628 wrote to memory of 1496 | 3628 | 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe | 84
PID 1496 wrote to memory of 2916 | 1496 | plNb34cT95.exe | 87
PID 1496 wrote to memory of 2916 | 1496 | plNb34cT95.exe | 87
PID 1496 wrote to memory of 2916 | 1496 | plNb34cT95.exe | 87
PID 2916 wrote to memory of 4072 | 2916 | plBa92kk55.exe | 88
PID 2916 wrote to memory of 4072 | 2916 | plBa92kk55.exe | 88
PID 2916 wrote to memory of 4072 | 2916 | plBa92kk55.exe | 88
PID 4072 wrote to memory of 3776 | 4072 | plQS14RA39.exe | 89
PID 4072 wrote to memory of 3776 | 4072 | plQS14RA39.exe | 89
PID 4072 wrote to memory of 1432 | 4072 | plQS14RA39.exe | 98
PID 4072 wrote to memory of 1432 | 4072 | plQS14RA39.exe | 98
PID 4072 wrote to memory of 1432 | 4072 | plQS14RA39.exe | 98
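Added example, not part of the sandbox report: rebuilding the execution chain from the WriteProcessMemory rows above. Each parent/child pair is repeated once per write (the two or three writes a parent makes into a freshly created child during CreateProcess), so the edges are deduplicated with a count, then turned into a tree and labelled with the IXP00n.TMP extraction directory each stage runs from. The event text is constructed to match the rows above and the PID-to-image map is copied from the Processes section of this report; the "top-level" label and the output layout are my own.

```python
import re
from collections import defaultdict

# Constructed from the 14 WriteProcessMemory rows of the report, one per line.
WPM_EVENTS = """
PID 3628 wrote to memory of 1496 3628 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe 84
PID 3628 wrote to memory of 1496 3628 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe 84
PID 3628 wrote to memory of 1496 3628 1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe 84
PID 1496 wrote to memory of 2916 1496 plNb34cT95.exe 87
PID 1496 wrote to memory of 2916 1496 plNb34cT95.exe 87
PID 1496 wrote to memory of 2916 1496 plNb34cT95.exe 87
PID 2916 wrote to memory of 4072 2916 plBa92kk55.exe 88
PID 2916 wrote to memory of 4072 2916 plBa92kk55.exe 88
PID 2916 wrote to memory of 4072 2916 plBa92kk55.exe 88
PID 4072 wrote to memory of 3776 4072 plQS14RA39.exe 89
PID 4072 wrote to memory of 3776 4072 plQS14RA39.exe 89
PID 4072 wrote to memory of 1432 4072 plQS14RA39.exe 98
PID 4072 wrote to memory of 1432 4072 plQS14RA39.exe 98
PID 4072 wrote to memory of 1432 4072 plQS14RA39.exe 98
"""

# PID -> image path, taken from the Processes section of the report.
IMAGES = {
    3628: r"C:\Users\Admin\AppData\Local\Temp\1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe",
    1496: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNb34cT95.exe",
    2916: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plBa92kk55.exe",
    4072: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plQS14RA39.exe",
    3776: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bumd43ek74.exe",
    1432: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caPi83YI00.exe",
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_edges(text):
    """Return ({(parent_pid, child_pid): write_count}, {parent_pid: image_name})."""
    edges = defaultdict(int)
    names = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        parent, child, name = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[(parent, child)] += 1   # repeated rows are repeated writes, not new children
        names[parent] = name
    return dict(edges), names


def build_tree(edges):
    """Parent -> sorted list of children."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return {p: sorted(c) for p, c in children.items()}


def roots(edges):
    """PIDs that write to others but were never written to (the submitted sample)."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def stage_dir(path):
    """The IXP00n.TMP directory a stage runs from, or None for the top-level sample."""
    m = re.search(r"\\(IXP\d{3}\.TMP)\\", path)
    return m.group(1) if m else None


def leaves(tree, pid):
    """Final payloads: processes that spawn nothing further."""
    kids = tree.get(pid, [])
    return [pid] if not kids else [leaf for k in kids for leaf in leaves(tree, k)]


def depth(tree, pid):
    """Number of unpacking hops from pid to its deepest descendant."""
    kids = tree.get(pid, [])
    return 0 if not kids else 1 + max(depth(tree, k) for k in kids)


def render(tree, pid, names=None, level=0, out=None):
    """Indented one-line-per-process view: pid, image name, extraction stage."""
    out = [] if out is None else out
    image = IMAGES.get(pid) or (names or {}).get(pid, "?")
    name = image.rsplit("\\", 1)[-1]
    out.append("  " * level + f"{pid} {name} [{stage_dir(image) or 'top-level'}]")
    for kid in tree.get(pid, []):
        render(tree, kid, names, level + 1, out)
    return out


if __name__ == "__main__":
    edges, names = parse_edges(WPM_EVENTS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, root, names)))
        print("depth:", depth(tree, root), "payloads:", leaves(tree, root))
```

The result is a single chain four hops deep (sample, then IXP000 to IXP002 stages, each one the next SFX layer) ending in the IXP003.TMP stage that starts both bumd43ek74.exe (Healer) and caPi83YI00.exe (RedLine). The write counts (three per child, two for 3776) are what you expect from process creation rather than later injection; a parent still writing into a child long after launch, or into a PID that is not its own child, is the pattern that would warrant a closer look.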
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1e2f460709ec901264db6ec69d44c78f716a14207490291d79ebd2d6f1120885.exe"
PID: 3628
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNb34cT95.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plNb34cT95.exe
  PID: 1496
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plBa92kk55.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plBa92kk55.exe
    PID: 2916
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plQS14RA39.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plQS14RA39.exe
      PID: 4072
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bumd43ek74.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bumd43ek74.exe
        PID: 3776
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caPi83YI00.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caPi83YI00.exe
        PID: 1432
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Downloads
File 1
Filesize: 971KB
MD5: 9257263ffa3a27f5a5160cb949429047
SHA1: 50e797a38713ad5ea68c0f7b75c89962d90c4c18
SHA256: 0f0a0f536b58e4b2ba3d3959ffd6b1f4197eac53d0d33a95b1c5b5a7046e5ce6
SHA512: 41e12aa6b466d441e7af16a8b1dc8702a1f3dbb66f73cce5504b7502c802953acb3948a2ccb56094d29aa757e1ce1042b2ce95929de37bbafbf505fb43a616e4

File 2
Filesize: 690KB
MD5: cedcfaf15b56a1025365f30dac0610fe
SHA1: 2c0b96b870143cc38c6ae3fa29aee13b8d050ea0
SHA256: 9eb9cee98aea7744258154c1273bdd76dbc807df55f38602e3771754c62ac9c3
SHA512: 336f97865d1992e842f51a8bf2611ef5d5ece3fca1f28f039853806634b26feb26af3a46cc5968de0a13620daaaf667ae3eb15c163812fe27b91276314de68c6

File 3
Filesize: 403KB
MD5: b01b05154c38836e9e68c470e8f3a208
SHA1: 0f643f3c56cbd62862a1db64ae95b6ef04bec90a
SHA256: 8fbcaa07fcd707ac6b5d21e6792d66cc2b27af99d157e1f53efbb227d4d2f6a6
SHA512: c90ce24eec40cdb3ce66ac098db3f312d75c387d5bce64f903e7caf92ae45813550d2c41a3ef27ec32232f5fbd781f39459529ee816c5e609fed2855fd60b71c

File 4
Filesize: 15KB
MD5: d5851747229cd8d06921c99d62ba2532
SHA1: 861b2825dc1cc4180b27bec94feea0cfc96a96e6
SHA256: 666bd8a31eb47500c95323b54aae5ab21088948d5374456a7fe883e9a269859d
SHA512: dcc348181818ccc0b1b6418bbe2b75e1b3b0a7863e2569b1d8b38868d028e171efc517e945f62b0cdec636fded2a45e6daa7a87ebab5fea461b2ab0d81e9844c

File 5
Filesize: 377KB
MD5: 8240ae7f59fb434977686a2040ea62e9
SHA1: c0fe02012d46dc9e12c388dd75cab32643708a18
SHA256: 230a7452b0db2ecd65ee767d852990ff9cb94f65c485e3a68faa4bcb11b52605
SHA512: 78c782edce8e3cdb57624f3be1bc69976691e1a1938b46214bde842b9cc02966be80872c7ae4093d8154c62fe9de20e2cfdf532feae5dfe647ba0d748777c96b