Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
04-11-2024 13:22
Static task
static1
Behavioral task
behavioral1
Sample
91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe
Resource
win10v2004-20241007-en
General
-
Target
91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe
-
Size
530KB
-
MD5
7a0dea108ec9ba06d50dbaeeb8531ee0
-
SHA1
baffe8f52f323ab3aaba8b072ced90bfe0e68064
-
SHA256
91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae
-
SHA512
6b0b31cafe48ab0f517314cc43458945afec596d57ed1281a43d459d6180727eba7e43b58d209872729d314cb28d4fc0ac3a9269bc29eb656ddfcee5d17cbd6d
-
SSDEEP
6144:K+y+bnr+Dp0yN90QEES9CaYXRpErPjlOqrzplAqTwALG1bb/o1ONxGSPRka+mz1y:mMrDy9059MfEzTtlAn3bs0N+mzz4c3m
Malware Config
Extracted
Family redline
Botnet rosn
C2 176.113.115.145:4125
-
auth_value 050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource yara_rule
behavioral1/files/0x0008000000023cb0-12.dat healer
behavioral1/memory/1120-15-0x0000000000DA0000-0x0000000000DAA000-memory.dmp healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr457031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr457031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr457031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr457031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr457031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr457031.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 36 IoCs
resource yara_rule
behavioral1/memory/4448-22-0x0000000004A80000-0x0000000004AC6000-memory.dmp family_redline
behavioral1/memory/4448-24-0x00000000071D0000-0x0000000007214000-memory.dmp family_redline
behavioral1/memory/4448-25-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-26-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-28-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-30-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-32-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-34-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-36-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-38-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-40-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-42-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-44-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-46-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-48-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-50-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-52-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-54-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-56-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-58-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-60-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-62-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-65-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-66-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-68-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-70-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-72-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-74-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-76-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-78-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-80-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-82-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-84-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-86-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-87-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
behavioral1/memory/4448-89-0x00000000071D0000-0x000000000720F000-memory.dmp family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid Process
3044 ziwF3790.exe
1120 jr457031.exe
4448 ku219815.exe
-
Windows security modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr457031.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziwF3790.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziwF3790.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku219815.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1120 jr457031.exe
1120 jr457031.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 1120 jr457031.exe
Token: SeDebugPrivilege 4448 ku219815.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 3540 wrote to memory of 3044 3540 91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe 84
PID 3540 wrote to memory of 3044 3540 91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe 84
PID 3540 wrote to memory of 3044 3540 91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe 84
PID 3044 wrote to memory of 1120 3044 ziwF3790.exe 85
PID 3044 wrote to memory of 1120 3044 ziwF3790.exe 85
PID 3044 wrote to memory of 4448 3044 ziwF3790.exe 94
PID 3044 wrote to memory of 4448 3044 ziwF3790.exe 94
PID 3044 wrote to memory of 4448 3044 ziwF3790.exe 94
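Added host triage script, not part of this sandbox report and not code from the sample: it checks a live Windows host for the registry, file-system and network artefacts the signatures above attribute to the Healer stage (jr457031.exe) and the wextract-packed outer stages. The registry paths, value names and the C2 endpoint are copied from the report; the function names, the finding format and the assumption of PowerShell 5.1 or later with the Defender and NetTCPIP modules available are this script's own.

```powershell
# Read-only triage for the artefacts in this report. Run from an elevated prompt so the
# HKLM policy keys and Get-MpComputerStatus are readable. Registry paths, value names and
# the C2 endpoint are copied from the report; function names and output shape are assumed.

$RtpPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$RtpPolicyValues = @(
    'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableOnAccessProtection',
    'DisableRealtimeMonitoring', 'DisableScanOnRealtimeEnable'
)
$FeaturesKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$C2Address = '176.113.115.145'
$C2Port    = 4125

function New-Finding([string]$Check, [string]$Item) {
    [pscustomobject]@{ Check = $Check; Item = $Item }
}

function Test-DefenderTamper {
    # Healer writes the five Disable* policy values and Features\TamperProtection = 0.
    # A default Windows 10 host has no Real-Time Protection policy key at all.
    $findings = @()
    if (Test-Path $RtpPolicyKey) {
        $props = Get-ItemProperty -Path $RtpPolicyKey
        foreach ($name in $RtpPolicyValues) {
            $p = $props.PSObject.Properties[$name]
            if ($p -and $p.Value -eq 1) { $findings += New-Finding 'DefenderPolicy' "$name = 1" }
        }
    }
    $tp = (Get-ItemProperty -Path $FeaturesKey -ErrorAction SilentlyContinue).TamperProtection
    if ($tp -eq 0) { $findings += New-Finding 'TamperProtection' 'Features\TamperProtection = 0' }
    # The policy values only matter if Defender honoured them, so also report the live state.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status -and -not $status.RealTimeProtectionEnabled) {
        $findings += New-Finding 'DefenderState' 'RealTimeProtectionEnabled = False'
    }
    return $findings
}

function Test-WextractResidue {
    # wextract/IExpress self-extractors unpack into %TEMP%\IXPnnn.TMP and register a RunOnce
    # wextract_cleanupN value that deletes that directory via advpack.dll,DelNodeRunDLL32.
    # Legitimate IExpress packages leave identical traces, so this is a lead, not a verdict.
    $findings = @()
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'wextract_cleanup*' -or "$($p.Value)" -like '*advpack.dll,DelNodeRunDLL32*') {
                $findings += New-Finding 'RunOnceCleanup' "$key\$($p.Name) = $($p.Value)"
            }
        }
    }
    $dirs = Get-ChildItem -Path $env:TEMP -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue
    foreach ($d in $dirs) { $findings += New-Finding 'IXPTempDir' $d.FullName }
    return $findings
}

function Test-RedLineC2 {
    # Any current TCP connection to the extracted C2 endpoint, with the owning process.
    $findings = @()
    $conns = Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += New-Finding 'C2Connection' "$($c.State) pid $($c.OwningProcess) $($proc.ProcessName) -> ${C2Address}:$C2Port"
    }
    return $findings
}

$results = @(Test-DefenderTamper) + @(Test-WextractResidue) + @(Test-RedLineC2)
if ($results.Count -eq 0) {
    Write-Output 'No artefacts from this report found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Two caveats when reading the output. First, while Tamper Protection is on, Defender ignores changes made through these policy values and the Features\TamperProtection write, so their presence shows intent rather than effect; the DefenderState line from Get-MpComputerStatus is what tells you whether real-time protection is actually off. Second, the RunOnce cleanup entry and the IXP000.TMP directory are standard wextract behaviour, produced by any IExpress-packaged installer, so correlate them with the dropped-file hashes listed under Downloads before treating them as malicious.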
Processes
-
C:\Users\Admin\AppData\Local\Temp\91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\91a1b2f530c757cd2861a0be9c7b6dc1c7a684ddcfafee3b8ee72986a8f15cae.exe"
Level 1
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwF3790.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziwF3790.exe
Level 2
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr457031.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr457031.exe
Level 3
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku219815.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku219815.exe
Level 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
-
Filesize
387KB
MD5 c137f37984bac3e2bbbd0ddc3c3ef186
SHA1 40a9cd004523fb08f05627070aaeddf35910449a
SHA256 358b454bef7111dbb908e8949dc214a7f85669c47f0ef3cdde0e7b6e7e4efe8a
SHA512 0bcb418bc3b5df7bcdddc9fe53063bfeef29e247d97e86df992b328b2589b4125f0a4a4d915fb69755d335903387634739495c4a8063d0ba5a0cc51bda3e5045
-
Filesize
12KB
MD5 ce5dd3ab7bf3c6d191ff815978cee380
SHA1 8d1f63bc499993c9fe487fd389fb1c681fad58d6
SHA256 c720d5e8cdd32055634b13eb7fa388e8815e105c043f6366e5f9a19b74e87777
SHA512 530116704b2a0d6d8d0741c856676a4720c254d39758201a051d59c5ab7f0535f5951f80fbbc1f015867faaa9da30fbde8240ed97f4a080de1f841bc7ef576fd
-
Filesize
342KB
MD5 f1407f28b2378a564a28674bc6c8e804
SHA1 5b2706b021b40edbaa040d8d804a4dfd9aaf459c
SHA256 2101f88feeb9861173e81e9452f678002779c4e1e19067f953086afc1783851b
SHA512 7ab4150724ab037d50ce86ea1728d569d001ec17b1e64e73d3df4a053d0c5c727bd53d7debe04d6323ddf2300e3bf57c1727b6ca872adce1a60e227131df7a30