Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 23:26
Static task: static1
Behavioral task: behavioral1
Sample: 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
Resource: win10v2004-20241007-en
General
Target: 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
Size: 530KB
MD5: 30843c7d717e1963ac1011dd3a24688c
SHA1: 8e372226bb0c5bcf09966e0914f9eab64e45fcb8
SHA256: 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077
SHA512: b5cbe97b166dd8bfe80d188dbe4acbb931242477dde0347c60fe0792fade23d4b14c8b70c99497302480f0617f320685a50584d00e33d252a914de81fde516b0
SSDEEP: 12288:GMrwy90HtDAxPm1Q9yUStQLJtUbshFnSw:iyItePmG9k8tUbESw
Malware Config
Extracted
  redline
  rosn
  176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0032000000023b78-12.dat | healer
  behavioral1/memory/696-15-0x00000000007E0000-0x00000000007EA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr198355.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr198355.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr198355.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr198355.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr198355.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr198355.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
  resource | yara_rule
  behavioral1/memory/396-22-0x0000000007080000-0x00000000070C6000-memory.dmp | family_redline
  behavioral1/memory/396-24-0x0000000007730000-0x0000000007774000-memory.dmp | family_redline
  behavioral1/memory/396-28-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-40-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-88-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-86-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-84-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-82-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-80-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-76-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-74-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-72-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-70-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-68-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-66-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-64-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-62-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-60-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-58-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-56-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-52-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-50-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-48-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-46-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-42-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-38-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-36-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-34-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-32-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-30-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-78-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-54-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-44-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-26-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
  behavioral1/memory/396-25-0x0000000007730000-0x000000000776F000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
  pid | Process
  1432 | ziDD7673.exe
  696 | jr198355.exe
  396 | ku525755.exe
Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr198355.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziDD7673.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1000 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziDD7673.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku525755.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  696 | jr198355.exe
  696 | jr198355.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 696 | jr198355.exe
  Token: SeDebugPrivilege | 396 | ku525755.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4172 wrote to memory of 1432 | 4172 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 84
  PID 4172 wrote to memory of 1432 | 4172 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 84
  PID 4172 wrote to memory of 1432 | 4172 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 84
  PID 1432 wrote to memory of 696 | 1432 | ziDD7673.exe | 85
  PID 1432 wrote to memory of 696 | 1432 | ziDD7673.exe | 85
  PID 1432 wrote to memory of 396 | 1432 | ziDD7673.exe | 95
  PID 1432 wrote to memory of 396 | 1432 | ziDD7673.exe | 95
  PID 1432 wrote to memory of 396 | 1432 | ziDD7673.exe | 95
Processes
  C:\Users\Admin\AppData\Local\Temp\55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4172
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1432
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 696
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 396
  C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
    PID: 1000
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
  Filesize: 387KB
  MD5: 27f8e6363dce659b324e5641c30709d7
  SHA1: 515547036fd23b95f32aea8e06f43582c811b4e3
  SHA256: 32736e819f75e26afd8ec27d0df553bf9a9f6efa8b8d179e87e8c5b0f820d3e2
  SHA512: 04b550867799a702a72464e5ebbc48f9007ffc7848f0e35dd479d62d5dec1c198292d0c3401b235680dd33744f3aeda1b7074b727541f70de70f1d95c363bdd9

  Filesize: 12KB
  MD5: 4f6cfc203061090123f931df9e71ecb3
  SHA1: 61375f4b936d63d7df13f64fdb93a31df71d0f97
  SHA256: a00fbafce8da0da20272c61a9a44f57de2cfca88a56cfbdf7fb6bcc2e59b2501
  SHA512: 821141ea539f88d2f920cca3ad6d7dc94b38397af91807a8acb47ab90872fd6eb20fe62a93395946c50a6d0e5e9fc224ff184ad088782722a6d611add121f2d8

  Filesize: 342KB
  MD5: d6b2fcb1ce832c7b837174422f922bbd
  SHA1: 62fd2dd22bcbe3b84dbf8d3bcec855ab73475aeb
  SHA256: 33aa92f22b35598001bd733affa0a18c7cae0ccbb8ec9530325547ca9e1e9954
  SHA512: 3c8a47c7bce7507c0b0b947054092e72ba0ce5093087d82177d3888964a72b7380450916322c42fe53e2aacc286cb268c8a97f3b7d3e9b6dbafda7ce7e3a8e9d