Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04-11-2024 13:26
Static task
static1
Behavioral task
behavioral1
Sample
f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe
Resource
win10v2004-20241007-en
General
-
Target
f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe
-
Size
549KB
-
MD5
07e33e9238f6c0d667f45cb210bbe2d5
-
SHA1
0db0287f66e08d509c74c1ab51fb56bddbdad14d
-
SHA256
f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165
-
SHA512
9ac2370a07710e9af3b0fa9ac52fd6ec9eb4648573cf6f06840f679b1f965a557e4894ff557c3d1a2413a59affc0785720da260414583215c3ca02ff415954f4
-
SSDEEP
12288:VMrYy90isPEwhts5jnLggW+RdIvYQmKSVXcxWk:FykthOpnLggW+IQi9
Malware Config
Extracted
Family
redline
Botnet
rosn
C2
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus-disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b8c-12.dat | healer
behavioral1/memory/1384-15-0x0000000000650000-0x000000000065A000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr221278.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr221278.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr221278.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr221278.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr221278.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr221278.exe
These are the Group Policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. The sandbox records the registry writes themselves, not whether Defender honoured them.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/4356-22-0x0000000004E60000-0x0000000004EA6000-memory.dmp | family_redline
behavioral1/memory/4356-24-0x0000000004F20000-0x0000000004F64000-memory.dmp | family_redline
behavioral1/memory/4356-40-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-46-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-86-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-84-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-82-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-80-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-78-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-76-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-74-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-72-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-70-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-66-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-64-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-62-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-60-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-58-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-54-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-50-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-48-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-44-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-42-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-38-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-36-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-34-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-88-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-68-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-56-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-52-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-32-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-30-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-28-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-26-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
behavioral1/memory/4356-25-0x0000000004F20000-0x0000000004F5F000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
608 | zizD2840.exe
1384 | jr221278.exe
4356 | ku364503.exe
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr221278.exe
As with the policy keys above, the report shows that the write was attempted; it does not show that Tamper Protection was actually turned off.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zizD2840.exe
Both values are the self-cleanup entries written by wextract, the IExpress self-extractor: at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP staging directories. They show a two-layer self-extracting wrapper and remove the dropped files, rather than relaunching the payload; collect the staged files before the machine reboots.
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
6048 | sc.exe
The process list shows sc.exe start wuauserv at the top level with no parent among the sample's processes and no WriteProcessMemory event targeting PID 6048, so this report does not establish that the sample launched it; starting the Windows Update service is also normal OS activity.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku364503.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zizD2840.exe
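The Defender policy writes, the TamperProtection write, the wextract RunOnce cleanup values and the NLS\Language reads above are all registry events in the same flattened "description / ioc / Process" form. The script below is an added example for this write-up, not the sandbox's own tooling: it parses rows of that form, labels each one (Defender impairment, wextract self-cleanup with the staging directory recovered from the escaped command line, locale check) and tallies them per process. The sample rows are transcribed from this report as constructed input; the row grammar, category names and ATT&CK mappings are the example's own assumptions.

```python
"""Classify sandbox registry events of the kind listed in this report.

Added example; not part of the sandbox. SAMPLE_EVENTS is a subset of the
report's rows, transcribed as constructed input. The regular expressions,
category names and technique IDs below are this example's own assumptions.
"""
import re

# Rows transcribed from the report's 'description / ioc / Process' tables.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr221278.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr221278.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr221278.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr221278.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zizD2840.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku364503.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zizD2840.exe',
]

# 'Set value (<type>) <path> = "<data>" <process>'; <data> may contain \" and \\ escapes.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+)$')
# 'Key created <path> <process>' / 'Key opened <path> <process>'; <path> may contain spaces.
KEY_EVENT = re.compile(r'^Key (created|opened) (.+) (\S+)$')

DEFENDER_POLICY = '\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\'
TAMPER_PROTECTION = '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection'


def unescape(data):
    """Undo the sandbox's backslash escaping of quotes and backslashes in string values."""
    return re.sub(r'\\(.)', r'\1', data)


def classify_event(line):
    """Return a dict describing one row, or None if the row is not a registry event."""
    m = SET_VALUE.match(line)
    if m:
        _vtype, path, data, proc = m.groups()
        name = path.rpartition('\\')[2]
        ev = {'process': proc, 'path': path, 'data': data}
        if path.startswith(DEFENDER_POLICY) and name.startswith('Disable') and data == '1':
            ev.update(category='defender_realtime_disabled', technique='T1562.001')
        elif path == TAMPER_PROTECTION and data == '0':
            ev.update(category='defender_tamper_protection_off', technique='T1562.001')
        elif '\\CurrentVersion\\RunOnce\\' in path and 'advpack.dll,DelNodeRunDLL32' in data:
            # wextract/IExpress cleanup: the quoted argument is the staging directory to delete.
            quoted = re.search(r'"([^"]+)"', unescape(data))
            ev.update(category='wextract_cleanup_runonce', technique='T1547.001',
                      staging_dir=quoted.group(1) if quoted else None)
        elif '\\CurrentVersion\\Run' in path:
            ev.update(category='run_key', technique='T1547.001')
        else:
            ev.update(category='other_set_value', technique=None)
        return ev
    m = KEY_EVENT.match(line)
    if m:
        action, path, proc = m.groups()
        ev = {'process': proc, 'path': path, 'data': None}
        if action == 'created' and path.startswith(DEFENDER_POLICY):
            ev.update(category='defender_policy_key_created', technique='T1562.001')
        elif action == 'opened' and path.endswith('\\Control\\NLS\\Language'):
            ev.update(category='system_language_discovery', technique='T1614.001')
        else:
            ev.update(category=f'key_{action}', technique=None)
        return ev
    return None


def summarize(lines):
    """Map each category to the list of processes that produced it (row order kept)."""
    by_category = {}
    for ev in map(classify_event, lines):
        if ev:
            by_category.setdefault(ev['category'], []).append(ev['process'])
    return by_category


if __name__ == '__main__':
    for ev in map(classify_event, SAMPLE_EVENTS):
        extra = f" staging_dir={ev['staging_dir']}" if ev.get('staging_dir') else ''
        print(f"{ev['process']:<20} {ev['category']:<32} {ev['technique']}{extra}")
```

The staging directory recovered from the RunOnce value is the first place to look for the dropped second stage, because the same value deletes it at the next logon.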
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1384 | jr221278.exe
1384 | jr221278.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1384 | jr221278.exe
Token: SeDebugPrivilege | 4356 | ku364503.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 4336 wrote to memory of 608 | 4336 | f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe | 86
PID 4336 wrote to memory of 608 | 4336 | f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe | 86
PID 4336 wrote to memory of 608 | 4336 | f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe | 86
PID 608 wrote to memory of 1384 | 608 | zizD2840.exe | 87
PID 608 wrote to memory of 1384 | 608 | zizD2840.exe | 87
PID 608 wrote to memory of 4356 | 608 | zizD2840.exe | 96
PID 608 wrote to memory of 4356 | 608 | zizD2840.exe | 96
PID 608 wrote to memory of 4356 | 608 | zizD2840.exe | 96
Each row is one write event, and every target is a child that the writing process launched (see the process tree below), so these rows describe parent-to-child writes at process start rather than injection into an unrelated process.
Processes
-
Indented by depth in the process tree; each entry gives the command line, its PID and the signatures it triggered.
1. "C:\Users\Admin\AppData\Local\Temp\f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe" (PID 4336)
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizD2840.exe (PID 608)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221278.exe (PID 1384)
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364503.exe (PID 4356)
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\sc.exe start wuauserv (PID 6048)
   - Launches sc.exe
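The tree above is what the WriteProcessMemory rows imply once the repeated write events are collapsed to one parent-child edge each. The script below is an added example for this write-up, not part of the sandbox: it parses rows in that flattened form, counts the writes per edge, rebuilds the tree and reports which processes have no observed parent (here sc.exe, which is why its attribution to the sample is open). The rows and the PID-to-image map are transcribed from this report as constructed input; the assumed row format is "PID <src> wrote to memory of <dst> <src> <src image> <target procid>".

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example; not part of the sandbox. WPM_ROWS and IMAGES are transcribed
from this report (constructed input); the row grammar is an assumption.
"""
import re
from collections import Counter, defaultdict

WPM_ROWS = [
    'PID 4336 wrote to memory of 608 4336 f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe 86',
    'PID 4336 wrote to memory of 608 4336 f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe 86',
    'PID 4336 wrote to memory of 608 4336 f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe 86',
    'PID 608 wrote to memory of 1384 608 zizD2840.exe 87',
    'PID 608 wrote to memory of 1384 608 zizD2840.exe 87',
    'PID 608 wrote to memory of 4356 608 zizD2840.exe 96',
    'PID 608 wrote to memory of 4356 608 zizD2840.exe 96',
    'PID 608 wrote to memory of 4356 608 zizD2840.exe 96',
]

# PID -> image, from the 'Executes dropped EXE' and 'Launches sc.exe' signatures plus the root sample.
IMAGES = {
    4336: 'f433958487158ef6a3f9271c3474c265781c6e5b410ad5446fc02844a9bb5165.exe',
    608: 'zizD2840.exe',
    1384: 'jr221278.exe',
    4356: 'ku364503.exe',
    6048: 'sc.exe',
}

ROW = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$')


def count_edges(rows):
    """Return Counter{(src_pid, dst_pid): number of write events} in first-seen order."""
    edges = Counter()
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        src, dst, _image, _target = m.groups()
        edges[(int(src), int(dst))] += 1
    return edges


def build_tree(edges, images):
    """Derive parent map, children map and the roots (PIDs nobody wrote to)."""
    parent = {}
    for src, dst in edges:
        # A PID written by two different processes would need manual review, not a tree.
        if parent.get(dst, src) != src:
            raise ValueError(f'pid {dst} written by both {parent[dst]} and {src}')
        parent[dst] = src
    children = defaultdict(list)
    for dst, src in parent.items():
        children[src].append(dst)
    roots = sorted(pid for pid in images if pid not in parent)
    return parent, dict(children), roots


def render(edges, images):
    """Indented tree, one line per process, with the write count on each child edge."""
    parent, children, roots = build_tree(edges, images)
    out = []

    def walk(pid, depth):
        line = f'{images.get(pid, "<unknown>")} [PID {pid}]'
        if pid in parent:
            line += f' ({edges[(parent[pid], pid)]} write(s) from parent)'
        else:
            line += ' (root: no observed parent)'
        out.append('  ' * depth + line)
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == '__main__':
    print('\n'.join(render(count_edges(WPM_ROWS), IMAGES)))
```

Eight rows collapse to three edges; the two or three writes per edge are what the sandbox logs when a parent starts a child, which is why a write count alone is not evidence of injection.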
Network
MITRE ATT&CK Enterprise v15
Tactic | Technique | Sub-technique | Count
Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys / Startup Folder (T1547.001) | 1
Persistence | Create or Modify System Process (T1543) | Windows Service (T1543.003) | 1
Downloads
-
Filesize
395KB
MD5
940da6d32bef734f01b6953a62c1dd51
SHA1
c3e5ffd0843adc578ecfe8b924209bb9a4b5885b
SHA256
3d9639df2ddda602d03f9b3336f55c5fdabc40e0853ce2639dd7ef8323e4630c
SHA512
30ad33df7e406bb3f0ec59c915e4c9e86b7b656bc601b7f8799ecf34c307d9588fe66de5e0e07428d62d4e7452055a3ec9f443ba8b5f612a8d4cc88428b324d2
-
Filesize
11KB
MD5
27ce2d170ab35b1ab3b0cc00b8ae9a69
SHA1
b5de7fba219dfad61b56bfbafc3022cf05959bf7
SHA256
911c3a02cac4d3f21ce97ddcff973ba819b691c6ef7f117257631022370f731d
SHA512
974f63ffb1dfe203463180281d293d7279648a40e60288c9de3b2a49d36315c4120c5ef02873daa91a07257623d79ebfe9907904c8b665eff591a93a439dfe61
-
Filesize
348KB
MD5
e2f8cc6a7f0ff00279808e21641551a7
SHA1
326830375c8e851a6ffdaed8b2e52f742264a0d9
SHA256
106c3dad9232abf3dcef13abb68b0d88dc3c6f1e63025c617eeb7bda73c13510
SHA512
86efdb3793a4191c13254d62192bae3a22bf2f079af936641f926d080d32489c1093f438708da78581e2c52ce715ce7abc67bab2e942f71f01b858317df30ff0