Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-11-2024 13:59
Static task
static1
Behavioral task
behavioral1
Sample
bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe
Resource
win10v2004-20241007-en
General
-
Target
bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe
-
Size
522KB
-
MD5
ae290ca8ac138b64b1afee79dc1ff9d6
-
SHA1
f929f73d2381a8b0acc7f3d56b522ad4d03b0ec4
-
SHA256
bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418
-
SHA512
85ca2c092ba013f3d3ea4b4bc9185a3355f7b8c3c19e0d8c90f9b4077f8e720ca047b9de029594defb165f55a7697808291b0f6595d28dbdf90623c755952643
-
SSDEEP
12288:VMrzy90YNyOwdde+P5QFEDPEkNg3Z/iHdt/2cL:SyIBphQFEjvN8Z/iHdt/lL
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000023bd2-12.dat | healer
behavioral1/memory/5016-15-0x0000000000010000-0x000000000001A000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr339264.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr339264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr339264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr339264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr339264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr339264.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/2044-22-0x00000000024C0000-0x0000000002506000-memory.dmp | family_redline
behavioral1/memory/2044-24-0x0000000002680000-0x00000000026C4000-memory.dmp | family_redline
behavioral1/memory/2044-28-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-35-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-32-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-30-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-56-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-26-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-25-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-36-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-88-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-86-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-84-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-82-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-80-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-78-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-76-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-74-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-72-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-70-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-68-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-66-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-64-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-62-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-60-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-58-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-54-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-53-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-50-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-48-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-47-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-44-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-42-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-40-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
behavioral1/memory/2044-38-0x0000000002680000-0x00000000026BF000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE (3 IoCs)
pid | Process
4568 | ziNR2369.exe
5016 | jr339264.exe
2044 | ku808780.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr339264.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziNR2369.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziNR2369.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku808780.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5016 | jr339264.exe
5016 | jr339264.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5016 | jr339264.exe
Token: SeDebugPrivilege | 2044 | ku808780.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 220 wrote to memory of 4568 | 220 | bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe | 84
PID 220 wrote to memory of 4568 | 220 | bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe | 84
PID 220 wrote to memory of 4568 | 220 | bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe | 84
PID 4568 wrote to memory of 5016 | 4568 | ziNR2369.exe | 85
PID 4568 wrote to memory of 5016 | 4568 | ziNR2369.exe | 85
PID 4568 wrote to memory of 2044 | 4568 | ziNR2369.exe | 94
PID 4568 wrote to memory of 2044 | 4568 | ziNR2369.exe | 94
PID 4568 wrote to memory of 2044 | 4568 | ziNR2369.exe | 94
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe
    "C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 220
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4568
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5016
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2044
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
Filesize
380KB
MD5
bce988539b5a259386c752cf7c5582a5
SHA1
af3b0b08903a8a2584af7ed096ced26963b9c668
SHA256
c0f811c4fcade019d3c1d74a54e26d3ed17b08f7f4fd50106e3cd5a159ddf82e
SHA512
9698346123571c9d52ebb7574f54ca8de803d6bf2e74ef7d54d5d68b9934aa9389ae6a149a3efcd7e71451305b973bae7eb9032ad7bdbe513a8721e65d023932
-
Filesize
15KB
MD5
825a3bc8a8ef0961138471a216579d82
SHA1
b685a4c990327c7f6f660b41a155e2c62418b77f
SHA256
653ef118c8d5cb365230cbf0350e7c9ca836f62326cab7e4f0568e33acde4d46
SHA512
c42b65d9d6941db3b6ea975da71e3f3375091e23b00b5ccf39ee756ef0fd5a393273d9e60fbe4cf8ab5fa5d5fdd53ff3b06d5f04ab02cb626c9313481d889ad0
-
Filesize
294KB
MD5
688f5fee44da30e9d2a9c8d24e9ff786
SHA1
e31a537d9c09cff4ec8da58b09a4901be60ef3af
SHA256
2c681ed1cf6e04c821e2d20abd1bf657aad5322814262cc6143236c172764bca
SHA512
ce620db26bdd6a876ab0dc8a12bdbd7e09741dd27f21369a2c1e8acdbd6a81c247e8ab1dfeb39d3cdbebe69acffc53ad33a777a0545c3695e091778b50be5395