Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 06:39
Static task: static1
Behavioral task: behavioral1
Sample: 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe
Resource: win10v2004-20241007-en
General
Target: 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe
Size: 1.1MB
MD5: 1b1a7f17da21c7b4c92ee47e1a6ed89d
SHA1: 85e120d1288ada50739e5a8c2504979fd4e75e51
SHA256: 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890
SHA512: aca9fe0ee3b8e14e6396c4841141799543da9f8dd7e629c04e79244466c04c1227ff2117b7e03f75594df338d43bc35f7258970bec72e4c414e68a5c73af4b15
SSDEEP: 24576:By+OeVYkb1l2roMVqLsPtBjHiWxkdonfP8qXg:0HeKkDWmIBGckdofP8qQ
Malware Config
Extracted
redline
rodik
193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x0008000000023cb1-26.dat | healer
behavioral1/memory/3520-28-0x0000000000E60000-0x0000000000E6A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | iDK84GF.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | iDK84GF.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | iDK84GF.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | iDK84GF.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | iDK84GF.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | iDK84GF.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (5 IoCs)
Processes:
pid | Process
4904 | sXR83Hm47.exe
2548 | sxB62Yf17.exe
2212 | suC42DU94.exe
3520 | iDK84GF.exe
4572 | kEk39Xb.exe
Windows security modification
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | iDK84GF.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sXR83Hm47.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sxB62Yf17.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | suC42DU94.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
3324 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kEk39Xb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sXR83Hm47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sxB62Yf17.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | suC42DU94.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | Process
3520 | iDK84GF.exe
3520 | iDK84GF.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3520 | iDK84GF.exe
Token: SeDebugPrivilege | 4572 | kEk39Xb.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description | pid | Process | procid_target
PID 4552 wrote to memory of 4904 | 4552 | 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe | 84
PID 4552 wrote to memory of 4904 | 4552 | 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe | 84
PID 4552 wrote to memory of 4904 | 4552 | 6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe | 84
PID 4904 wrote to memory of 2548 | 4904 | sXR83Hm47.exe | 85
PID 4904 wrote to memory of 2548 | 4904 | sXR83Hm47.exe | 85
PID 4904 wrote to memory of 2548 | 4904 | sXR83Hm47.exe | 85
PID 2548 wrote to memory of 2212 | 2548 | sxB62Yf17.exe | 87
PID 2548 wrote to memory of 2212 | 2548 | sxB62Yf17.exe | 87
PID 2548 wrote to memory of 2212 | 2548 | sxB62Yf17.exe | 87
PID 2212 wrote to memory of 3520 | 2212 | suC42DU94.exe | 88
PID 2212 wrote to memory of 3520 | 2212 | suC42DU94.exe | 88
PID 2212 wrote to memory of 4572 | 2212 | suC42DU94.exe | 94
PID 2212 wrote to memory of 4572 | 2212 | suC42DU94.exe | 94
PID 2212 wrote to memory of 4572 | 2212 | suC42DU94.exe | 94
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6853a494b19350267fcc5dedbdd0b9aab6b81d7047b735c24513750a33796890.exe"
  PID: 4552
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXR83Hm47.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sXR83Hm47.exe
    PID: 4904
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxB62Yf17.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sxB62Yf17.exe
      PID: 2548
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\suC42DU94.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\suC42DU94.exe
        PID: 2212
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDK84GF.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iDK84GF.exe
          PID: 3520
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kEk39Xb.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kEk39Xb.exe
          PID: 4572
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
depth 1: C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 3324
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads