Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 05-11-2024 23:27
Static task: static1
Behavioral task: behavioral1
Sample: f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe
Resource: win10v2004-20241007-en
General
Target: f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe
Size: 537KB
MD5: 9222cb2376969f1764d9f759ca3aceb8
SHA1: 41c6a72aa8f17b951c7f993adc8c3b9caea5e26f
SHA256: f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5
SHA512: 9e65db8ef529ff33120b6fb92c528e4e496d8ab83fc635eda5cce106b83ae7f32e753e08980306cabd60eecaf7956a31216bf0b81e594312e7d9b66ed52c4704
SSDEEP: 12288:wMriy90uhgAvTvrQIv9ZrU7oHlwTu+vK4inr/a:CynfvJ9ZrfFwTuUKxC
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b65-12.dat | healer
behavioral1/memory/1224-15-0x0000000000AC0000-0x0000000000ACA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr151806.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr151806.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr151806.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr151806.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr151806.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr151806.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3912 | zieS6691.exe
1224 | jr151806.exe
3276 | ku032007.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr151806.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zieS6691.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2992 | sc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zieS6691.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku032007.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1224 | jr151806.exe
1224 | jr151806.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1224 | jr151806.exe
Token: SeDebugPrivilege | 3276 | ku032007.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1120 wrote to memory of 3912 | 1120 | f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe | 84
PID 1120 wrote to memory of 3912 | 1120 | f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe | 84
PID 1120 wrote to memory of 3912 | 1120 | f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe | 84
PID 3912 wrote to memory of 1224 | 3912 | zieS6691.exe | 85
PID 3912 wrote to memory of 1224 | 3912 | zieS6691.exe | 85
PID 3912 wrote to memory of 3276 | 3912 | zieS6691.exe | 96
PID 3912 wrote to memory of 3276 | 3912 | zieS6691.exe | 96
PID 3912 wrote to memory of 3276 | 3912 | zieS6691.exe | 96
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f60c7a4488136ae8c5983d7671357aed3a5577f024656e6367d0178cc3436ee5.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1120
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieS6691.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieS6691.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3912
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr151806.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr151806.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1224
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku032007.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku032007.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 3276
[1] C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
    PID: 2992
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 395KB
MD5: f6d63c90a78fed2aa2c2f6fec0fd1e73
SHA1: 76c88bdbbf73d7a1e9c1febb96a1d20e4a2148ed
SHA256: 5b9df301817fd8b0c29af0e6f855f3239d87f5e33b14b701981f2f2a8a11bc5e
SHA512: 24018dfdf46e16c439bf1fca9a672d339c2979f03971091cb90e94dddf71d5524da2143ab293138aab5c75a239a50e1d549f68b204b70c5dbbba367a0a7ed68c

Filesize: 13KB
MD5: 372cd5edcbbc597ab1430fa04207cfd9
SHA1: ef81a85fc985c2ccf05bd056aa22f203b0021498
SHA256: 64b0fe2cc3645c7f5834e8c62e17438e94fbefb0fa10e1e865d7dd1b081a7720
SHA512: 5f00147b9086a157cf0b085ed527f2810f633f22025f7d90ebfff33ea50c59cea844177a36ea0248bec45eac1bfa839db36d96c389a3dd513cb15474922f9076

Filesize: 352KB
MD5: 865712752819b936fc1967b0d44e748b
SHA1: a9a3e723bab8b6996e723c5bc8d57c9aa8ce8642
SHA256: 4e8bca1c4f97f54e5cf0609c150c18f0ebd30536f68b8ea7a72ac43524f36ba3
SHA512: a91fcc4a18c6e1a0060ec6b66e272d1fbffb7c52e73afdf589dca997b86a352703a90f4ff24da0675f0030466509e7fcc8b1e9b5193578a383242eb3491edbde