Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04-11-2024 13:21
Static task: static1
Behavioral task: behavioral1
Sample: 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe
Resource: win10v2004-20241007-en
General
Target: 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe
Size: 530KB
MD5: b3a790e0984060f0fef02e8aa8a29647
SHA1: 10300524a688ead9786b43800a3389063038b972
SHA256: 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127
SHA512: 54c8433edfcab8beebd792f27e9f2819b9775d7005dc08ddca12827ff4ff570cd97dfdc06552c8aa905ed0d3980646e71b193795b37c32916a9cf874dd6e0a76
SSDEEP: 12288:1MrUy90cHtIcHnqISCWKeXL6KvLQuqBV8tg+rJW+kPaSj:1ylN+IsKOjDQ97ca7
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b6d-12.dat | healer
behavioral1/memory/1456-15-0x0000000000C00000-0x0000000000C0A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr684128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr684128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr684128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr684128.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr684128.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr684128.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/3288-22-0x0000000004B40000-0x0000000004B86000-memory.dmp | family_redline
behavioral1/memory/3288-24-0x0000000004C50000-0x0000000004C94000-memory.dmp | family_redline
behavioral1/memory/3288-37-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-40-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-88-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-87-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-84-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-82-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-81-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-78-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-77-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-74-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-72-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-70-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-68-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-66-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-64-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-60-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-58-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-52-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-50-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-48-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-46-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-44-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-42-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-38-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-34-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-32-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-30-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-62-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-56-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-54-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-28-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-26-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline
behavioral1/memory/3288-25-0x0000000004C50000-0x0000000004C8F000-memory.dmp | family_redline

Redline family
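The 35 RedLine hits above all sit in one process (PID 3288) and mostly repeat the same address range, which is what happens when the sandbox re-dumps a region as execution proceeds. The following Python is an added example, not part of the sandbox report: it parses hit strings in the form the report uses (`behavioral1/memory/<pid>-<dump seq>-<start>-<end>-memory.dmp <rule>`, a layout inferred from the strings themselves) and collapses them into distinct regions with their sizes and hit counts. The hit strings are copied from the report (the 33 repeats of 0x4C50000-0x4C8F000 are generated from their sequence numbers), the pid-to-image map comes from the "Executes dropped EXE" table, and the one Healer hit on PID 1456 is included so both families appear.

```python
"""Collapse the report's YARA memory hits into distinct address regions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# pid -> image name, taken from the report's "Executes dropped EXE" table.
PROCESS_NAMES = {4308: "ziML6658.exe", 1456: "jr684128.exe", 3288: "ku044810.exe"}

# Hit strings from the report: the healer hit on PID 1456, the two distinct
# family_redline ranges in PID 3288, and the 33 repeated dumps of
# 0x4C50000-0x4C8F000 (sequence numbers copied from the report's list).
HITS = [
    "behavioral1/memory/1456-15-0x0000000000C00000-0x0000000000C0A000-memory.dmp healer",
    "behavioral1/memory/3288-22-0x0000000004B40000-0x0000000004B86000-memory.dmp family_redline",
    "behavioral1/memory/3288-24-0x0000000004C50000-0x0000000004C94000-memory.dmp family_redline",
] + [
    f"behavioral1/memory/3288-{seq}-0x0000000004C50000-0x0000000004C8F000-memory.dmp family_redline"
    for seq in (37, 40, 88, 87, 84, 82, 81, 78, 77, 74, 72, 70, 68, 66, 64, 60, 58, 52, 50,
                48, 46, 44, 42, 38, 34, 32, 30, 62, 56, 54, 28, 26, 25)
]

# Layout inferred from the strings: <pid>-<dump seq>-<start>-<end>-memory.dmp <rule>
_HIT = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


@dataclass(frozen=True, order=True)
class Region:
    pid: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_hit(hit: str):
    """Split one hit string into (dump sequence number, Region)."""
    m = _HIT.match(hit.strip())
    if not m:
        raise ValueError(f"unrecognised hit string: {hit!r}")
    region = Region(int(m["pid"]), int(m["start"], 16), int(m["end"], 16), m["rule"])
    return int(m["seq"]), region


def distinct_regions(hits):
    """Group hits by (pid, start, end, rule); values are sorted dump sequence numbers."""
    groups = defaultdict(list)
    for hit in hits:
        seq, region = parse_hit(hit)
        groups[region].append(seq)
    return {region: sorted(seqs) for region, seqs in groups.items()}


def summarize(hits):
    """One line per distinct region, ordered by pid, start and end address."""
    lines = []
    for region, seqs in sorted(distinct_regions(hits).items()):
        name = PROCESS_NAMES.get(region.pid, "unknown")
        lines.append(
            f"pid {region.pid} ({name}) {region.rule} "
            f"0x{region.start:08X}-0x{region.end:08X} {region.size // 1024} KiB, "
            f"{len(seqs)} hit(s), dumps {seqs[0]}..{seqs[-1]}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(HITS):
        print(line)
```

The output collapses the 36 strings to four regions: a 40 KiB healer region in jr684128.exe and, in ku044810.exe, a 280 KiB region at 0x4B40000 plus two ranges that share the base 0x4C50000 (272 KiB once, 252 KiB in the 33 later dumps). For carving the RedLine payload there are therefore two allocations to look at in PID 3288, not 35.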

Executes dropped EXE (3 IoCs)
pid | Process
4308 | ziML6658.exe
1456 | jr684128.exe
3288 | ku044810.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr684128.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziML6658.exe
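The registry tables in this report (the Defender Real-Time Protection policy writes, the TamperProtection write, the RunOnce entries above and the NLS\Language reads in the next table) are what a detection engineer wants in machine-readable form. The following Python is an added example, not part of the sandbox report: it parses event lines in the report's flattened form (the lines are copied from the report and embedded inline; the parser is inferred from that presentation) and maps them to ATT&CK techniques. The mapping is mine, not the sandbox's: T1562.001 (Impair Defenses: Disable or Modify Tools) for the Defender policy and tamper-protection writes, T1547.001 (Registry Run Keys / Startup Folder) for the RunOnce values, T1614.001 (System Language Discovery) for the language read. One caveat worth encoding: the `wextract_cleanupN` RunOnce values are the cleanup entries that Windows' own wextract.exe self-extractor writes to delete its `IXP00N.TMP` extraction directory at the next logon, which is why the dropped files sit in nested IXP000.TMP and IXP001.TMP directories; they are an artefact of the packaging, not a persistence mechanism for the payload.

```python
"""Map the registry events in this report to ATT&CK techniques.

Added example, not part of the sandbox report. Event lines are copied from
the report; the line format, parser and technique mapping are my own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Registry events in the report's flattened form:
#   <action> <key path>[\<value name> = "<data>"] <process image>
EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr684128.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr684128.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr684128.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr684128.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr684128.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr684128.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr684128.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziML6658.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku044810.exe',
]

RTP_POLICY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
TAMPER_PROTECTION = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"
RUNONCE = "\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
NLS_LANGUAGE = "\\Control\\NLS\\Language"

_LINE = re.compile(r"^(Set value \((?:int|str|bin)\)|Key created|Key opened|Key deleted) (.*)$")


@dataclass
class RegEvent:
    action: str            # "Set value", "Key created", "Key opened", ...
    path: str              # key path, including the value name for Set value
    data: Optional[str]    # data written, None for key-level operations
    process: str           # image name of the writing process


@dataclass
class Finding:
    technique: str         # ATT&CK technique ID (mapping is mine, see lead-in)
    process: str
    detail: str


def parse_event(line: str) -> RegEvent:
    """Parse one flattened report line; the process image is the last token."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event: {line!r}")
    action = m.group(1).split(" (")[0]          # drop the "(int)" / "(str)" type hint
    rest, process = m.group(2).rsplit(" ", 1)
    data = None
    if ' = "' in rest:
        rest, data = rest.split(' = "', 1)
        data = data[:-1]                         # strip the closing quote
    return RegEvent(action, rest, data, process)


def classify(ev: RegEvent) -> Optional[Finding]:
    """Return a Finding for the event kinds seen in this report, else None."""
    if ev.action == "Set value":
        key, _, name = ev.path.rpartition("\\")
        if key.lower() == RTP_POLICY.lower() and name.lower().startswith("disable") and ev.data == "1":
            return Finding("T1562.001", ev.process, f"Defender policy {name}=1 (real-time protection component off)")
        if ev.path.lower() == TAMPER_PROTECTION.lower() and ev.data == "0":
            return Finding("T1562.001", ev.process, "Defender TamperProtection=0")
        if key.lower().endswith(RUNONCE.lower()):
            m = re.search(r'DelNodeRunDLL32 \\?"(.*?)\\*"', ev.data or "")
            if name.lower().startswith("wextract_cleanup") and m:
                target = m.group(1).replace("\\\\", "\\")   # undo the report's escaping
                return Finding("T1547.001", ev.process,
                               f"RunOnce {name}: wextract self-extractor cleanup of {target} at next logon")
            return Finding("T1547.001", ev.process, f"RunOnce {name}={ev.data}")
    elif ev.action == "Key opened" and ev.path.lower().endswith(NLS_LANGUAGE.lower()):
        return Finding("T1614.001", ev.process, "reads the install language (location check)")
    return None


def triage(lines):
    """Return (findings in event order, {process: set of technique IDs})."""
    findings = [f for f in (classify(parse_event(l)) for l in lines) if f is not None]
    by_process = {}
    for f in findings:
        by_process.setdefault(f.process, set()).add(f.technique)
    return findings, by_process


if __name__ == "__main__":
    found, per_process = triage(EVENTS)
    for f in found:
        print(f"{f.technique}  {f.process:<22} {f.detail}")
```

Run as a script it prints one finding per event; `triage` returns the findings and a per-process technique set, so the same parser can be fed a larger event export from the same sandbox. The `Key created` line on the Real-Time Protection policy key is deliberately left unclassified: on its own it proves nothing, and the `Set value` lines that follow it carry the evidence.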
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziML6658.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku044810.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1456 | jr684128.exe
1456 | jr684128.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1456 | jr684128.exe
Token: SeDebugPrivilege | 3288 | ku044810.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4500 wrote to memory of 4308 | 4500 | 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe | 84
PID 4500 wrote to memory of 4308 | 4500 | 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe | 84
PID 4500 wrote to memory of 4308 | 4500 | 789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe | 84
PID 4308 wrote to memory of 1456 | 4308 | ziML6658.exe | 85
PID 4308 wrote to memory of 1456 | 4308 | ziML6658.exe | 85
PID 4308 wrote to memory of 3288 | 4308 | ziML6658.exe | 94
PID 4308 wrote to memory of 3288 | 4308 | ziML6658.exe | 94
PID 4308 wrote to memory of 3288 | 4308 | ziML6658.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\789493d4af5115ebf53950c83cc0e41bf97f25f3456217abcd7090cb9b0e0127.exe"
  PID: 4500
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziML6658.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziML6658.exe
    PID: 4308
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr684128.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr684128.exe
      PID: 1456
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku044810.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku044810.exe
      PID: 3288
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 388KB
MD5: b23ad977252e0ab085ee44c1710a921b
SHA1: 3c6534e9b53c47afc6c87c83fdabe66041d14d80
SHA256: b3c60a53d157c63ed40ef12d9b364345556d195369aef82151a0acdb94501eae
SHA512: 638fd3b7e21075e883fad621e00f1a9981ffd0d799cc23896d9b0fec0aaef552751d855885afaad77b1ae0085bf26bca27c99539c34d638b348c89e96a195b65

Filesize: 11KB
MD5: 72f6e5b3d37f8e459aa8d443f0dee42c
SHA1: b2bf68250386a762387d32d12fe9034773b3b274
SHA256: 177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f
SHA512: 323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

Filesize: 354KB
MD5: 43ea2ae8ba184a58204a451f1404c8b2
SHA1: b65dc2f1252330478a1094432af3fe3a0a500ce8
SHA256: eedf90f18241f1319bcf5ea121fcd0c4ae708c97e54667c1c6fb0b68f88801e8
SHA512: da3ad63a57531b3713371fb9cd1c8416b090e1d115aff20c6d67ddd3c1b7e2324cd21d4b9565580f58d89897daa7f5558501c7857065c43793e52af500a21f88