Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 23:11
Static task
static1
Behavioral task
behavioral1
Sample
7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe
Resource
win10v2004-20241007-en
General
-
Target
7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe
-
Size
538KB
-
MD5
11ed9fa96e55bb0555c4d4fbcb182d80
-
SHA1
f109af444985949a30c5879a672e5dfc9b8641ef
-
SHA256
7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08
-
SHA512
fba5a967c09dde3230a39101b6d2b95ba1efc7f12e74e084ed6a46882334ea78b044e623c09b877bf6c5f9f743e1ecfd71a830730bc8af6b342822715b3ba61f
-
SSDEEP
12288:KMr8y90z7z45J+1YyrUOSVD+0pL4hHTMIRnEDZOs19Y:iyRck8TtREDB6
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b3a-12.dat healer behavioral1/memory/2772-15-0x0000000000010000-0x000000000001A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr062744.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr062744.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr062744.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr062744.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr062744.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr062744.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/384-22-0x00000000027C0000-0x0000000002806000-memory.dmp family_redline behavioral1/memory/384-24-0x0000000004DF0000-0x0000000004E34000-memory.dmp family_redline behavioral1/memory/384-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-62-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-60-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-58-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-56-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-54-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-52-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-50-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-48-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-46-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-44-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-40-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-38-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-36-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-34-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-32-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-30-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-28-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-42-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-26-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline behavioral1/memory/384-25-0x0000000004DF0000-0x0000000004E2F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3972 zijm2424.exe 2772 jr062744.exe 384 ku051038.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr062744.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zijm2424.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zijm2424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku051038.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2772 jr062744.exe 2772 jr062744.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2772 jr062744.exe Token: SeDebugPrivilege 384 ku051038.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1648 wrote to memory of 3972 1648 7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe 84 PID 1648 wrote to memory of 3972 1648 7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe 84 PID 1648 wrote to memory of 3972 1648 7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe 84 PID 3972 wrote to memory of 2772 3972 zijm2424.exe 86 PID 3972 wrote to memory of 2772 3972 zijm2424.exe 86 PID 3972 wrote to memory of 384 3972 zijm2424.exe 94 PID 3972 wrote to memory of 384 3972 zijm2424.exe 94 PID 3972 wrote to memory of 384 3972 zijm2424.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe"C:\Users\Admin\AppData\Local\Temp\7513cb7cfb66e5358669e34fa9d52e4bed31e65993817db49ba590dd6e69df08.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijm2424.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zijm2424.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr062744.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr062744.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051038.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051038.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:384
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD549193b97a4b4cfadcd8c6c449c876299
SHA11d4f5f6a39e7e90c7923194e63537354803222c4
SHA256dde2620b84d82e46a73bcf1322ed6741b0db6d94711e681da8a4b309a1afa7bf
SHA512e92b7a025b7540c04a9dd49a9e74a9f0533a4578458665632b7eac9eff6590bc2ddc53ec72ca0f0efaf7131404c02ded52318c5272cfba012c693052ea31adc4
-
Filesize
13KB
MD57c04730ce6ba37a33fb0def0ffa26913
SHA1288caba68f4d660c2faceb72f1479493e0f67190
SHA256e7938b98e0cb031d31a30f52e90254e1622c53b16c9ab24a465995714cf657a3
SHA5126c19d61b125d60e858f3d74d0c55cf682289b8dd430b0bd02e8bb482aa8734575c585364a21e7c172168254595557da583cd198adb60b9f8ba4cbdaac6c7d337
-
Filesize
353KB
MD57c0ae26655d56191ccca6cb190c4131f
SHA168d610535c8b55f0d5c0d68b81b549e5c46abc9f
SHA2568908526bc11ff73c4dcb60edc53bc3c3c7d16186beb146c0aabc482689414340
SHA512c72cc1f49cca38abea7241e7c317cdc44de3ff266d72034c9ad5212229bf994fc01aaa7843e0744be3bf92d6a31976a063111f989a60724f8e25708bc9df1737