Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 13:38
Static task: static1
Behavioral task: behavioral1
Sample: bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe
Resource: win10v2004-20241007-en
General
Target: bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe
Size: 522KB
MD5: 2b7eebeeb118d69f204e9cb163961de4
SHA1: c05d36f9755576dd47457b921b7b93428315a50b
SHA256: bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3
SHA512: f1c919b1835694eb928981ee98090b89bd0ef2135418f94974806908b0fb43d866f74ce38d47e9dcb4db98c4b823581cab403969425a261a64db4424e9d8c915
SSDEEP: 6144:Kly+bnr+Ep0yN90QEbQp1Mt7Ux3o0xFR2vPSmv5wCKYngvikt02tzedvOCdKCRRz:vMrMy901QpM7UlVihfktsC6aro
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cbb-12.dat | healer
behavioral1/memory/3584-15-0x0000000000BF0000-0x0000000000BFA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr410302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr410302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr410302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr410302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr410302.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr410302.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/4024-22-0x00000000023D0000-0x0000000002416000-memory.dmp | family_redline
behavioral1/memory/4024-24-0x0000000004A90000-0x0000000004AD4000-memory.dmp | family_redline
behavioral1/memory/4024-36-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-28-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-26-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-25-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-46-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-60-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-58-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-56-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-54-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-52-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-48-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-44-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-43-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-40-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-38-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-34-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-32-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-30-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline
behavioral1/memory/4024-50-0x0000000004A90000-0x0000000004ACF000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4256 | zipE4146.exe
3584 | jr410302.exe
4024 | ku628948.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr410302.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zipE4146.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
4276 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zipE4146.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku628948.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3584 | jr410302.exe
3584 | jr410302.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3584 | jr410302.exe
Token: SeDebugPrivilege | 4024 | ku628948.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1396 wrote to memory of 4256 | 1396 | bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe | 86
PID 1396 wrote to memory of 4256 | 1396 | bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe | 86
PID 1396 wrote to memory of 4256 | 1396 | bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe | 86
PID 4256 wrote to memory of 3584 | 4256 | zipE4146.exe | 87
PID 4256 wrote to memory of 3584 | 4256 | zipE4146.exe | 87
PID 4256 wrote to memory of 4024 | 4256 | zipE4146.exe | 94
PID 4256 wrote to memory of 4024 | 4256 | zipE4146.exe | 94
PID 4256 wrote to memory of 4024 | 4256 | zipE4146.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bd215b4418042b8e0cf0891ffd392a3cf80c77dc81a9a1c4bee9b49f091904f3.exe"
  PID: 1396
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipE4146.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipE4146.exe
      PID: 4256
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr410302.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr410302.exe
          PID: 3584
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku628948.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku628948.exe
          PID: 4024
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 4276
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 380KB
MD5: 0be03a17e75690503ca38faa6516d652
SHA1: 50257466bc834674e6bb1164573893fa33e0e0d4
SHA256: 543aadd7dc4c13658af7d7ba010251e29130d6ecca109d48fbbbf3f30351daf7
SHA512: 5a02a199f749166dfb4d63f329600a53b1bd7a14324e2410d549e98b379a75a206841a9f407242c77ebd05c423e08252ac3febe31085300706cfa8cc29664a80

Filesize: 14KB
MD5: ff31d605d396fb693100fd22adfcab91
SHA1: 5cef83430fc118302e98b3b3e15625cb66077463
SHA256: 8c9621e3e2f53c931b930094c944b5b687ccfd8efdfd2e3173473d7b26bd7daa
SHA512: fffc4d742debddad9d303a203c10b52f3312c562a85d93440327f5457c70acaa9b8ef74357d524e64a72db7666c47b3e9a24abf46949fd5d1032376d2346d696

Filesize: 295KB
MD5: 1fd0981aeb708b7edd409b0ab79cecff
SHA1: 31bb7c54c187958e99a7448e669e60cd9593a098
SHA256: 84949cfa9f4d2de487dcc72b7eaa4f4444fd7e7fdf720193a2d6b44eecb6c624
SHA512: 1ac64d377b2ee6838858879486decd02f2f7641f3520f923503b3e237a8d64bbc928b5f05af3913b13296bcb40d9dd2b49cae637eb37fc638e0cfe3f5adabe2d