Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 20:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe
- Resource: win10v2004-20241007-en
General
- Target: cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe
- Size: 1.0MB
- MD5: a8e484f08a64f86f0bb66affa6d06400
- SHA1: b2767179e1db7cf3814ae58b92e91574dc7c7f92
- SHA256: cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3
- SHA512: 903ea08cd4d54bfef1aa23e9ce747cf7ec9eb3960f2bc87f8017b67dbfa0d06fdcefec881f4d68c57fa558e70613406257bfa8fb7a5e21ec44b740b14dc17880
- SSDEEP: 24576:tyxsB7ztG5bBRX7ab3xRJHo4fGKlVvqucWwJ4oE:IxsdzY5DEDJI4fjwJ4o
Malware Config
Extracted
- redline
- rouch
- 193.56.146.11:4162
- auth_value: 1b1735bcfc122c708eae27ca352568de
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x0008000000023c7b-25.dat: yara_rule healer
- behavioral1/memory/2792-28-0x0000000000D80000-0x0000000000D8A000-memory.dmp: yara_rule healer
Healer family
Modifies Windows Defender Real-time Protection settings (buKL00dS44.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE (5 IoCs)
- PID 1172: plfZ94Zc81.exe
- PID 4548: pldn40rz15.exe
- PID 1332: pltX52sb12.exe
- PID 2792: buKL00dS44.exe
- PID 2908: caQA44Ea24.exe
Windows security modification (buKL00dS44.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 4 IoCs)
- pltX52sb12.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
- cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- plfZ94Zc81.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- pldn40rz15.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- plfZ94Zc81.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- pldn40rz15.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- pltX52sb12.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- caQA44Ea24.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2792: buKL00dS44.exe
- PID 2792: buKL00dS44.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2792: buKL00dS44.exe
- Token: SeDebugPrivilege, PID 2908: caQA44Ea24.exe
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1552 wrote to memory of 1172 (cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe, procid_target 83)
- PID 1552 wrote to memory of 1172 (cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe, procid_target 83)
- PID 1552 wrote to memory of 1172 (cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe, procid_target 83)
- PID 1172 wrote to memory of 4548 (plfZ94Zc81.exe, procid_target 84)
- PID 1172 wrote to memory of 4548 (plfZ94Zc81.exe, procid_target 84)
- PID 1172 wrote to memory of 4548 (plfZ94Zc81.exe, procid_target 84)
- PID 4548 wrote to memory of 1332 (pldn40rz15.exe, procid_target 86)
- PID 4548 wrote to memory of 1332 (pldn40rz15.exe, procid_target 86)
- PID 4548 wrote to memory of 1332 (pldn40rz15.exe, procid_target 86)
- PID 1332 wrote to memory of 2792 (pltX52sb12.exe, procid_target 87)
- PID 1332 wrote to memory of 2792 (pltX52sb12.exe, procid_target 87)
- PID 1332 wrote to memory of 2908 (pltX52sb12.exe, procid_target 96)
- PID 1332 wrote to memory of 2908 (pltX52sb12.exe, procid_target 96)
- PID 1332 wrote to memory of 2908 (pltX52sb12.exe, procid_target 96)
Processes
1. C:\Users\Admin\AppData\Local\Temp\cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe (PID 1552)
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb2f5d95747eda778f562050223d87cad7e9ffd743ba833b36a10be2e65004a3N.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plfZ94Zc81.exe (PID 1172)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plfZ94Zc81.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pldn40rz15.exe (PID 4548)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pldn40rz15.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pltX52sb12.exe (PID 1332)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pltX52sb12.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buKL00dS44.exe (PID 2792)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buKL00dS44.exe
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caQA44Ea24.exe (PID 2908)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caQA44Ea24.exe
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads