Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 22:44

Static task: static1
Behavioral task: behavioral1
Sample: 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
Resource: win10v2004-20241007-en
General
- Target: 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
- Size: 534KB
- MD5: 4bbdbbdb555203d13f5b6094b446953c
- SHA1: ee1dd1f69f7c0ccdd500867fe7ab15c0f19caf99
- SHA256: 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09
- SHA512: 0dc44316b0de09c1c24c7909c9858998c62233da670fbfe162712211b34a14110c408baf127fac6a4732825e0d16f4006d1569173eff4da4b47c12809693aa8c
- SSDEEP: 12288:SMrEy90UYsIl+YDAA7gaUb4HNpeRa3melpmu0mX:iyDldFa84tMRalbm2X
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
- behavioral1/files/0x000b000000023b90-12.dat | healer
- behavioral1/memory/4044-15-0x0000000000800000-0x000000000080A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr530245.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr530245.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr530245.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr530245.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr530245.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr530245.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource | yara_rule
- behavioral1/memory/1384-22-0x00000000024A0000-0x00000000024E6000-memory.dmp | family_redline
- behavioral1/memory/1384-24-0x0000000002520000-0x0000000002564000-memory.dmp | family_redline
- behavioral1/memory/1384-28-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-26-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-25-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-36-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-88-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-86-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-84-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-82-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-78-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-76-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-74-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-72-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-70-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-68-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-66-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-64-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-62-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-58-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-56-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-54-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-52-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-50-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-48-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-46-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-44-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-40-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-38-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-34-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-32-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-30-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-80-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-60-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline
- behavioral1/memory/1384-42-0x0000000002520000-0x000000000255F000-memory.dmp | family_redline

Redline family
Executes dropped EXE 3 IoCs
pid | Process
- 2784 | zisM3761.exe
- 4044 | jr530245.exe
- 1384 | ku088731.exe

Windows security modification 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr530245.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zisM3761.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zisM3761.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku088731.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
- 4044 | jr530245.exe
- 4044 | jr530245.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4044 | jr530245.exe
- Token: SeDebugPrivilege | 1384 | ku088731.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
- PID 4364 wrote to memory of 2784 | 4364 | 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe | 84
- PID 4364 wrote to memory of 2784 | 4364 | 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe | 84
- PID 4364 wrote to memory of 2784 | 4364 | 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe | 84
- PID 2784 wrote to memory of 4044 | 2784 | zisM3761.exe | 85
- PID 2784 wrote to memory of 4044 | 2784 | zisM3761.exe | 85
- PID 2784 wrote to memory of 1384 | 2784 | zisM3761.exe | 94
- PID 2784 wrote to memory of 1384 | 2784 | zisM3761.exe | 94
- PID 2784 wrote to memory of 1384 | 2784 | zisM3761.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe"
  PID: 4364
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisM3761.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisM3761.exe
    PID: 2784
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr530245.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr530245.exe
      PID: 4044
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088731.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088731.exe
      PID: 1384
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 392KB
  MD5: 76546d2dcad1b0bd0fea447654727999
  SHA1: 272347c11dc4cda9f177d7147674cb399fcc195f
  SHA256: 0ad481902500e41ffc8a69a2c79c297ad240c969c02bcdacea86b3a1b84997c5
  SHA512: 679d847ae2c8a7c8c9bfb2524a4f2b7578a3dba01e4002a50635877580b15caeb9d067f45a0b3bafd6e1a3d409b0fc16b4e9a7ca06c3e71a83ec4e0e7b81ecac
- Filesize: 12KB
  MD5: 575e5a5dbc3b0d3ea4ada58d7fc675ee
  SHA1: 20d4a3476842bdea29b2df1abc7867e520a5ba69
  SHA256: 59250c57ba96a2d74d871a7a2d86d2240f24f19312c0836841aec4336ec2c96b
  SHA512: 714f0c723c9dcd6809493b15f9eed7791949f13b77433c97a10ffe76fdd101282f4d6316f417d296f3b4a961635780024200d83de7e45fc5865d9a55b623b38f
- Filesize: 319KB
  MD5: cc6bc3bb30f28ae8410e2779c2a8de6c
  SHA1: b187906d9bd4551088516078a84b0ad58c611756
  SHA256: 30e1fb4f825608dc3b344e43e6f8870432e667af52c240e0ef44ea747aa1e83c
  SHA512: f4ea0ebd749812a6db3b14f14bbebe257fa3863c2e95bc1ccf32668f173d82ab2a31c4c81bb898ab50b44dfd2eedfd67a2d276eb7bf4fc84dafdcf2207888aa2