Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 22:03
Static task: static1
Behavioral task: behavioral1
Sample: a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe
Resource: win10v2004-20241007-en
General
Target: a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe
Size: 521KB
MD5: 8ad5adc475d5b26f7796ab930cb7ae60
SHA1: 60f927703e43ffaab80fb62cc6f96d572460f940
SHA256: a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e
SHA512: 6de8dc7b41e8261fcd0fcd0d787afbce15a9c3e6aa0ac9443a386f0f7cce90387c7e37da66997753ea57dd680a429e41143b255bd484c33b39334f7ff582a894
SSDEEP: 12288:DMrNy901iC/KjyDF4rCjxrQSiTigksVxYXpcpi:GyJjutxcSuiTsV2wi
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023ba2-12.dat | healer
behavioral1/memory/3412-15-0x00000000006E0000-0x00000000006EA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr603907.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr603907.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr603907.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr603907.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr603907.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr603907.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/2676-22-0x0000000004A80000-0x0000000004AC6000-memory.dmp | family_redline
behavioral1/memory/2676-24-0x0000000004B00000-0x0000000004B44000-memory.dmp | family_redline
behavioral1/memory/2676-36-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-40-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-88-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-86-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-84-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-82-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-80-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-78-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-74-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-72-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-70-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-68-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-66-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-64-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-62-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-60-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-58-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-54-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-52-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-50-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-48-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-46-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-44-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-42-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-38-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-34-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-32-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-30-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-76-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-56-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-28-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-26-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline
behavioral1/memory/2676-25-0x0000000004B00000-0x0000000004B3F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
1092 | zipQ7889.exe
3412 | jr603907.exe
2676 | ku680807.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr603907.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zipQ7889.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zipQ7889.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku680807.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3412 | jr603907.exe
3412 | jr603907.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3412 | jr603907.exe
Token: SeDebugPrivilege | 2676 | ku680807.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2812 wrote to memory of 1092 | 2812 | a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe | 84
PID 2812 wrote to memory of 1092 | 2812 | a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe | 84
PID 2812 wrote to memory of 1092 | 2812 | a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe | 84
PID 1092 wrote to memory of 3412 | 1092 | zipQ7889.exe | 85
PID 1092 wrote to memory of 3412 | 1092 | zipQ7889.exe | 85
PID 1092 wrote to memory of 2676 | 1092 | zipQ7889.exe | 94
PID 1092 wrote to memory of 2676 | 1092 | zipQ7889.exe | 94
PID 1092 wrote to memory of 2676 | 1092 | zipQ7889.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5feda4790610e6b76d11bfd92266c8718894e7e49331c0c021b258d32eb944e.exe"
  PID: 2812
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipQ7889.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipQ7889.exe
    PID: 1092
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr603907.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr603907.exe
      PID: 3412
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku680807.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku680807.exe
      PID: 2676
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 379KB
  MD5: f7e404db8ef153866e4d7959bd592bb1
  SHA1: 148ecbb0019b7f582ac07c5c15d271c4abe3312f
  SHA256: e26560cb67d95e29bd3cfb2ee26930ebac3d7cda6b557929998eac1a96983465
  SHA512: 118c9f4d80fa208bcb658f908d7f5ab86388d04a590905475c5b18f15a6acd5bec7f97aca34cd6a56a3fbdc942cae82e2f8adeff5e67462fde45039fc168966a
- Filesize: 15KB
  MD5: abd4c023ec2c1cbd086eda5d764eac64
  SHA1: 60f9729bcd739e321a045dada8bec5d14cc23fe7
  SHA256: 6a8d4c8c2b359345652f0f9429d2676a880d24b50fbd39855d70467b2cff9673
  SHA512: eb4d0b89e5f7824c9c12a3c2e823626dd35102ec7ade71c5693bd732eadf1fc9773e251b5ba8d56815c141890f0b377622cd8230ac0659e8cf2ad2a9b48c3a18
- Filesize: 294KB
  MD5: e7d1ff8a95750d753c55c81f1ee25a6d
  SHA1: 5e1a4c06073a6998dae927e43527a1bd80047fe7
  SHA256: 4bb724ae17cba490f3b677883f614f458fffdd074b1b49484177365e8505379e
  SHA512: fd902b5e93d7c6b1ab4ed75aa323fe9e00143027da71e0722dbbcaa06b1032bc1c59420123a485c70526488804ba83bd5c72c6e0e77a48a03aaf6dfab14a99ad