Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 13:22
Static task
static1
Behavioral task
behavioral1
Sample
fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe
Resource
win10v2004-20241007-en
General
-
Target
fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe
-
Size
521KB
-
MD5
9af882ae141ddbfe7b7192e2f6c5b997
-
SHA1
7f31b4d822dce7722e6740655b624e6aa333388f
-
SHA256
fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1
-
SHA512
62ef01f5ce3683a96090c95dfd80eda980b27a68e7f36fa208b597c53a1625106950930e4c9a67253b17f530234fbccee66584783b662b75c727ed83b4e69c01
-
SSDEEP
12288:qMrzy904bgXiMAKSLY8sArLiMMGXNURDp:pyd8iBvLrsA6ANcp
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c98-12.dat healer behavioral1/memory/2688-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr175830.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr175830.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr175830.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr175830.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr175830.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr175830.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/3588-22-0x0000000002600000-0x0000000002646000-memory.dmp family_redline behavioral1/memory/3588-24-0x00000000050C0000-0x0000000005104000-memory.dmp family_redline behavioral1/memory/3588-46-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-58-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-88-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-86-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-82-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-80-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-78-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-76-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-74-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-70-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-68-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-66-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-64-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-62-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-56-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-54-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-52-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-50-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-48-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-44-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-42-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-40-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-38-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-36-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-34-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-32-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-84-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-72-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-60-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-31-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-28-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-26-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline behavioral1/memory/3588-25-0x00000000050C0000-0x00000000050FF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2264 ziET7887.exe 2688 jr175830.exe 3588 ku484921.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr175830.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziET7887.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziET7887.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku484921.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2688 jr175830.exe 2688 jr175830.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2688 jr175830.exe Token: SeDebugPrivilege 3588 ku484921.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1544 wrote to memory of 2264 1544 fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe 86 PID 1544 wrote to memory of 2264 1544 fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe 86 PID 1544 wrote to memory of 2264 1544 fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe 86 PID 2264 wrote to memory of 2688 2264 ziET7887.exe 87 PID 2264 wrote to memory of 2688 2264 ziET7887.exe 87 PID 2264 wrote to memory of 3588 2264 ziET7887.exe 95 PID 2264 wrote to memory of 3588 2264 ziET7887.exe 95 PID 2264 wrote to memory of 3588 2264 ziET7887.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe"C:\Users\Admin\AppData\Local\Temp\fcf030954f7069c9d7f22aec66441c662ff884f66a22b4a18a49d23a568e04e1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziET7887.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziET7887.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr175830.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr175830.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku484921.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku484921.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
379KB
MD5f8a10b5b8848b1f105ed27d75d50d769
SHA121bf685e02b26cdbb47c5c1321d10f0cbb101def
SHA256bbac1430764c016b3e0bfcfe7380332791972303b8a319eb05ba6c0f8426da4d
SHA5127cf3ee8f26896bc4bf5e112d0aaa0009ee7a76b6cdeb55f4090a897bb6cb1a1efc2a9a7267e48805a832ede0d9079abdfbc4ef11f8f8b0876e5fb058c5e7e540
-
Filesize
15KB
MD5fa439dc66d50a84ffa6d12808f29758f
SHA12f93b6107f9903b4ed38134eaf2dc293afafb64f
SHA25699de32ae12e9a0ebd71b6141b0bdecae288aa3393492a149f34de32dd18de2ca
SHA5129cb53d1f296ad6e80f857750e8db584f9ad0feae0f83c74715f9bc26728ce4c5417664991738413485fe3da2b0dc6390c859d70bf911945bc8f1d67b0d6f04e8
-
Filesize
295KB
MD55766361053aefa724584724560f1925e
SHA13d9840072059b7b7cd66ec0e193792a1c11471cf
SHA256c4c275d0935c0135ff0946fea5f00a39489a21c66439c179d9326975007c3917
SHA512d87579e6047e07786d20eb06056e7d1bade8e42239abe5ee97e72d29243e17d676690dc6c057bd6f3879068417e62677b0f3b76f5c672949b99a2d1db59d32aa