Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-10-2024 21:41
Static task
static1
Behavioral task
behavioral1
Sample
92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe
Resource
win10v2004-20241007-en
General
-
Target
92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe
-
Size
530KB
-
MD5
3fd6d5f18bf08b4b813b6cc8c533ba26
-
SHA1
219181babf1539a1700aefaab3d76dec6e8800a0
-
SHA256
92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491
-
SHA512
8a3e517cf5301339651baa9698d6c2c2debeb0347a5ca5f948308b474e3201944e730de6b16fe1b10dfa828bcaf737842f32ef526cf76a23e509f3a378cfdb59
-
SSDEEP
12288:SMrYy90oG/dW02HD+BRTIO245aU+hwk5o0/vCV1E:eyQX2j+BVwhwAAV1E
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource  yara_rule
behavioral1/files/0x000b000000023b8b-12.dat  healer
behavioral1/memory/2896-15-0x00000000002B0000-0x00000000002BA000-memory.dmp  healer -
Healer family
-
Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  jr426448.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  jr426448.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  jr426448.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  jr426448.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  jr426448.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  jr426448.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource  yara_rule
behavioral1/memory/4100-21-0x00000000049A0000-0x00000000049E6000-memory.dmp  family_redline
behavioral1/memory/4100-23-0x0000000004B90000-0x0000000004BD4000-memory.dmp  family_redline
behavioral1/memory/4100-39-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-63-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-87-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-85-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-81-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-79-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-77-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-75-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-73-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-71-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-67-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-61-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-59-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-58-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-55-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-53-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-51-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-49-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-47-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-45-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-43-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-41-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-37-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-35-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-34-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-31-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-29-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-27-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-83-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-69-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-65-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-25-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline
behavioral1/memory/4100-24-0x0000000004B90000-0x0000000004BCF000-memory.dmp  family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid  Process
2560  zieO5240.exe
2896  jr426448.exe
4100  ku137820.exe -
Windows security modification
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr426448.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  zieO5240.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zieO5240.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ku137820.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
2896  jr426448.exe
2896  jr426448.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  2896  jr426448.exe
Token: SeDebugPrivilege  4100  ku137820.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description  pid  Process  procid_target
PID 2488 wrote to memory of 2560  2488  92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe  86
PID 2488 wrote to memory of 2560  2488  92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe  86
PID 2488 wrote to memory of 2560  2488  92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe  86
PID 2560 wrote to memory of 2896  2560  zieO5240.exe  87
PID 2560 wrote to memory of 2896  2560  zieO5240.exe  87
PID 2560 wrote to memory of 4100  2560  zieO5240.exe  93
PID 2560 wrote to memory of 4100  2560  zieO5240.exe  93
PID 2560 wrote to memory of 4100  2560  zieO5240.exe  93
Processes
-
C:\Users\Admin\AppData\Local\Temp\92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\92a3cacf353b52ae72515e0dac58e73c948558631c61cf2853bb62d47325e491.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieO5240.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieO5240.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr426448.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr426448.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2896
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku137820.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku137820.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:4100
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads
-
Filesize: 388KB
MD5: add044658a447aefe61f8ed8060b63da
SHA1: 5b636d5d16940fee0c1b4b062510c0cbdd02f2ec
SHA256: a1f5cc3f80ed509e0cb144a092d011b5a119d98ab083624241269d98efa4c051
SHA512: 9f1c9f440c821b46791526668a75853a073077cc81a612ddc971373a4097553b09d31a8449f03b47d47c330ef8f5fede176ba5a0939e2094eca8726526398134
-
Filesize: 12KB
MD5: 4bc2c6f93dc57bc281e509c28695d10c
SHA1: bf31cd0c8b54fe127125eb8a46710ea2f94dd935
SHA256: 250a3899c3714d74f299ed48fbae6a6e711fbf661ad307da9e60c37dc6db9212
SHA512: 0793902dd1499cb24a7b995e45c98ba702a7294b4104241e05119dbe3b63efd28ed099d9a1f2332e8ccc02019a98276f6d08abf2bac09f52c1792659a2906c3f
-
Filesize: 355KB
MD5: bc1a2339b3c6fe4fe6de713a378175bf
SHA1: b1c47c0db380ec5ee5a403d6b784e859d9d9b713
SHA256: 7f4445cb1eaeef02700827529ef3a022f634d5cdfcbadb0123ec0b34e853f5a2
SHA512: 88498fcd66733cb018998f559c88bce9619925a0dc24354c577a225f044067775f4227237c1f0cc076e868263327160797303bd46496cd77b8437012cbb52d95