Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 20:42
Static task
static1
Behavioral task
behavioral1
Sample
c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe
Resource
win10v2004-20241007-en
General
-
Target
c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe
-
Size
686KB
-
MD5
dbdf316906ac26eb003e41111a6453e4
-
SHA1
e39cacd5e001d45e0cdecdd6289dc12da20cc144
-
SHA256
c74d8d8fe1d416a21d4bac5b5c09be8a62c821042e649e244a53b8b30abadafc
-
SHA512
2d10c0d50740b2191b40d670051a0e385e51f9d4e216d58b8189c343493f3f46c426f6fbf8c8cbff7c9db1e3b93010527fc8a100f6d80f53382431c0be818bb7
-
SSDEEP
12288:uMrgy90l7WvEmYsPGVxk8mQ+Bj095b51IOcF5HhrxK7+TRPbA2kE4kbTk4f:uyeMYsPGDbmQ+9C5bLkTm2T4uI4f
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
-
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023c68-13.dat healer behavioral1/memory/4920-15-0x0000000000FB0000-0x0000000000FBA000-memory.dmp healer -
Healer family
-
Processes:
buEF87UG60.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" buEF87UG60.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" buEF87UG60.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" buEF87UG60.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" buEF87UG60.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection buEF87UG60.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" buEF87UG60.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource yara_rule behavioral1/memory/1960-22-0x0000000004BC0000-0x0000000004C06000-memory.dmp family_redline behavioral1/memory/1960-24-0x00000000071B0000-0x00000000071F4000-memory.dmp family_redline behavioral1/memory/1960-28-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-26-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-25-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-36-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-88-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-86-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-84-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-82-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-80-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-76-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-74-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-72-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-70-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-68-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-66-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-64-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-62-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-58-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-56-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-54-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-52-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-50-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-48-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-46-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-42-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-40-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-39-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-34-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-32-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-30-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-78-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-60-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline behavioral1/memory/1960-44-0x00000000071B0000-0x00000000071EE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
plOw76IK19.exebuEF87UG60.execadP65SL32.exepid Process 4008 plOw76IK19.exe 4920 buEF87UG60.exe 1960 cadP65SL32.exe -
Processes:
buEF87UG60.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" buEF87UG60.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exeplOw76IK19.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" plOw76IK19.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
plOw76IK19.execadP65SL32.exec143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plOw76IK19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cadP65SL32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
buEF87UG60.exepid Process 4920 buEF87UG60.exe 4920 buEF87UG60.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
buEF87UG60.execadP65SL32.exedescription pid Process Token: SeDebugPrivilege 4920 buEF87UG60.exe Token: SeDebugPrivilege 1960 cadP65SL32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exeplOw76IK19.exedescription pid Process procid_target PID 2356 wrote to memory of 4008 2356 c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe 83 PID 2356 wrote to memory of 4008 2356 c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe 83 PID 2356 wrote to memory of 4008 2356 c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe 83 PID 4008 wrote to memory of 4920 4008 plOw76IK19.exe 85 PID 4008 wrote to memory of 4920 4008 plOw76IK19.exe 85 PID 4008 wrote to memory of 1960 4008 plOw76IK19.exe 94 PID 4008 wrote to memory of 1960 4008 plOw76IK19.exe 94 PID 4008 wrote to memory of 1960 4008 plOw76IK19.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe"C:\Users\Admin\AppData\Local\Temp\c143361b048a25715b846dad79addbf9d260468d610bb4c9fc3ea8ae24d8fce2N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plOw76IK19.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plOw76IK19.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buEF87UG60.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buEF87UG60.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cadP65SL32.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cadP65SL32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
401KB
MD56138ab5e7b147e761f2161a68ec569de
SHA1524a61e108dc1866e78bec2d2831468881ea9d65
SHA2565976d7ae60a838f2f955e955b4b05ef5975f9c89189f7cc9fb800f61b156e170
SHA5126d1f1b87bd1c3268afec9a9545787767aa9912ea80634b9d2f80cb604f68df73d13234d3b0aea37410dce6f54abf50107c2290c9c6fc25263708bbb2cf75a5ba
-
Filesize
15KB
MD55f717ded557bd4c64eaf5e94f424c78d
SHA1abd111629febc65b13b76fc83e657edd6d0f295e
SHA256454e44915df17e458b7502b44e77459a08822a5e6d8f4090b493290f32296f0f
SHA512636ea48115f80291b70322ba5da7b48b2a5713100165b4e56a3b114dc0669e8481a7007b12c4ffb55769c18808e8a5bf147b3841cfa4c05ae6d280664847ca4a
-
Filesize
375KB
MD5cd6966060f9f437f1933aba4b8703cca
SHA19f69f3f9317a4a6526c99074bb851bc4a1c30788
SHA25624a0f1a482ffbadb53221d40b7669cfb6352b0ccffb786a595cfeb4d9805b9f0
SHA512d7249fb6f039225e99d30293f69453c0c08a44bf12887d656d4e30fa896aaf51d31fab132ed6840ffe0f305f3ce8cf0be315835bf221745a7b4dac27640c1929