Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 19:29

Static task: static1
Behavioral task: behavioral1
  Sample: b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe
  Resource: win10v2004-20241007-en
General

Target: b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe
Size: 530KB
MD5: ffcc9836a7bb7702604cf7aaab727e1e
SHA1: c605e352705e52c218e979a91660ca3f1b7bada0
SHA256: b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801
SHA512: b33b1889ef2625e34190154923e3b0faf20f5bf3b7693e01f7a06d7ecb3dabdeefe259bfcc8fa465a1fd7c5ab2549c19723f822427448eccf7c7b031d3dafed7
SSDEEP: 12288:QMrfy90xhizLG5jP9z0nkiiBm7q0nEK5p4IE5/qS8wF8vTGh:fyQizLSxUDWAEKEJ5xab4
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes:
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b95-12.dat | healer
behavioral1/memory/3452-15-0x0000000000E10000-0x0000000000E1A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Writes the Real-Time Protection policy values that switch off Defender's real-time monitoring, on-access scanning, IOAV (download/attachment) scanning, behavior monitoring and scan-on-enable.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr791106.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr791106.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/2772-22-0x0000000004B60000-0x0000000004BA6000-memory.dmp | family_redline
behavioral1/memory/2772-24-0x0000000004D50000-0x0000000004D94000-memory.dmp | family_redline
behavioral1/memory/2772-26-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-38-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-88-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-86-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-84-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-82-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-80-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-78-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-76-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-74-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-72-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-68-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-66-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-64-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-62-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-60-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-58-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-56-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-54-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-52-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-50-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-48-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-46-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-44-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-42-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-36-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-34-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-32-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-30-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-28-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-70-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-40-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
behavioral1/memory/2772-25-0x0000000004D50000-0x0000000004D8F000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
2856 | zifD6386.exe
3452 | jr791106.exe
2772 | ku881258.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr791106.exe
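The two Defender-tampering tables above (the Real-Time Protection policy writes and the TamperProtection write, all by jr791106.exe) are the part of this report worth turning into detection logic. The following is an added example written for this page, not sandbox code: it scans constructed registry-write event rows, most of which copy the report's IoCs while the other.exe and gpupdate.exe rows are invented for contrast, and it goes beyond the report by normalising HKLM / HKEY_LOCAL_MACHINE spellings onto the kernel \REGISTRY\MACHINE form so the same rules work on EDR-style logs. The "op | path = "data" | process" row layout is an assumption of this example.

```python
"""Detect Healer-style Windows Defender tampering in registry-write events.

Added example for this report, not sandbox code. SAMPLE_EVENTS is constructed:
its rows mirror the Defender IoCs the report attributes to jr791106.exe and the
IExpress RunOnce write, plus two rows (other.exe, gpupdate.exe) invented for
contrast. The "op | path = "data" | process" layout is this example's own.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values Healer sets to 1 (= disabled).
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
}
# Tamper Protection sits under the non-policy key and is switched off with 0.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

SAMPLE_EVENTS = r"""
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr791106.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr791106.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr791106.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe advpack.dll,DelNodeRunDLL32" | zifD6386.exe
Set value (int) | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | other.exe
Set value (int) | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" | gpupdate.exe
"""

_HIVE_ALIASES = (
    ("hkey_local_machine\\", "\\registry\\machine\\"),
    ("hklm\\", "\\registry\\machine\\"),
)
_IOC_RE = re.compile(r'^(?P<path>.+?)(?: = "(?P<data>[^"]*)")?$')
_RTP_BY_LOWER = {v.lower(): v for v in RTP_DISABLE_VALUES}


def normalize_path(path):
    """Lower-case a registry path and map HKLM / HKEY_LOCAL_MACHINE onto the kernel form."""
    p = path.strip().lower()
    for alias, canonical in _HIVE_ALIASES:
        if p.startswith(alias):
            return canonical + p[len(alias):]
    return p


def classify(path, data):
    """Return an indicator tag for one registry write, or None if it is not a Defender disable."""
    key, _, value = normalize_path(path).rpartition("\\")
    if key == RTP_KEY.lower() and data == "1" and value in _RTP_BY_LOWER:
        return "rtp:" + _RTP_BY_LOWER[value]
    if key == FEATURES_KEY.lower() and value == "tamperprotection" and data == "0":
        return "tamper_protection_off"
    return None  # key creation alone, re-enables ("0") and unrelated keys are not indicators


def find_defender_tampering(events):
    """Map each process to the Defender-disabling writes it made, in event order."""
    hits = defaultdict(list)
    for line in events.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 3:
            continue  # foreign/malformed row: skip instead of aborting the whole scan
        _op, ioc, proc = parts
        m = _IOC_RE.match(ioc)
        if not m:
            continue
        tag = classify(m.group("path"), m.group("data"))
        if tag:
            hits[proc].append(tag)
    return dict(hits)


def healer_like(hits, min_rtp=3):
    """Processes that disabled at least min_rtp Real-Time Protection values (Healer sets all five)."""
    return sorted(p for p, tags in hits.items()
                  if sum(t.startswith("rtp:") for t in tags) >= min_rtp)


if __name__ == "__main__":
    found = find_defender_tampering(SAMPLE_EVENTS)
    for proc, tags in found.items():
        print(proc, tags)
    print("healer-like:", healer_like(found))
```

A single DisableRealtimeMonitoring write (other.exe) is reported but does not reach the Healer threshold, and a write of "0" (gpupdate.exe restoring the setting) is ignored; jr791106.exe trips all five Real-Time Protection values plus TamperProtection, which is the combination to alert on.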
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zifD6386.exe
Note: wextract_cleanup<N> RunOnce values are written by the Windows IExpress self-extractor (wextract.exe) so that rundll32 deletes its IXP<NNN>.TMP extraction directory at the next logon. Here they show that the sample and zifD6386.exe are nested IExpress packages; they are a cleanup artifact, not an autostart entry for the payload.
Launches sc.exe (1 IoC)
sc.exe is the Windows utility for controlling services on the system.
pid | Process
644 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zifD6386.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku881258.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3452 | jr791106.exe
3452 | jr791106.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3452 | jr791106.exe
Token: SeDebugPrivilege | 2772 | ku881258.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1052 wrote to memory of 2856 | 1052 | b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe | 84
PID 1052 wrote to memory of 2856 | 1052 | b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe | 84
PID 1052 wrote to memory of 2856 | 1052 | b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe | 84
PID 2856 wrote to memory of 3452 | 2856 | zifD6386.exe | 85
PID 2856 wrote to memory of 3452 | 2856 | zifD6386.exe | 85
PID 2856 wrote to memory of 2772 | 2856 | zifD6386.exe | 94
PID 2856 wrote to memory of 2772 | 2856 | zifD6386.exe | 94
PID 2856 wrote to memory of 2772 | 2856 | zifD6386.exe | 94
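The WriteProcessMemory rows above, read together with the "Executes dropped EXE" table, are enough to reconstruct the parent/child chain of this sample, and the repeated rows are what ordinary process creation looks like when the sandbox logs every WriteProcessMemory call. The following is an added example written for this page, not sandbox code: WPM_ROWS and DROPPED_ROWS are the report's rows pasted as text, while the parser, the de-duplication and the injection heuristic (flagging a write into a PID that is not a known dropped EXE) are this example's own.

```python
"""Rebuild the sample's process tree from sandbox WriteProcessMemory rows.

Added example for this report, not sandbox code. WPM_ROWS and DROPPED_ROWS are
the report's own "Suspicious use of WriteProcessMemory" and "Executes dropped
EXE" rows pasted as text; the parsing and the injection heuristic (a write into
a PID that is not a known dropped EXE) are this example's own.
"""
import re
from collections import OrderedDict

WPM_ROWS = """
PID 1052 wrote to memory of 2856 1052 b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe 84
PID 1052 wrote to memory of 2856 1052 b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe 84
PID 1052 wrote to memory of 2856 1052 b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe 84
PID 2856 wrote to memory of 3452 2856 zifD6386.exe 85
PID 2856 wrote to memory of 3452 2856 zifD6386.exe 85
PID 2856 wrote to memory of 2772 2856 zifD6386.exe 94
PID 2856 wrote to memory of 2772 2856 zifD6386.exe 94
PID 2856 wrote to memory of 2772 2856 zifD6386.exe 94
"""

DROPPED_ROWS = """
2856 zifD6386.exe
3452 jr791106.exe
2772 ku881258.exe
"""

# Row layout: description, pid, Process, procid_target (the sandbox's internal process index).
_WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_wpm(rows):
    """Return de-duplicated (writer_pid, target_pid, writer_image) edges in first-seen order.

    The sandbox logs every WriteProcessMemory call, so one CreateProcess shows up as
    two or three identical rows; collapsing them leaves one edge per parent/child pair.
    """
    edges = OrderedDict()
    for line in rows.strip().splitlines():
        m = _WPM_RE.match(line.strip())
        if not m or m["src"] != m["pid"]:
            raise ValueError(f"unrecognised row: {line!r}")
        edges.setdefault((int(m["src"]), int(m["dst"])), m["image"])
    return [(src, dst, image) for (src, dst), image in edges.items()]


def parse_dropped(rows):
    """Return {pid: image} from 'pid Process' rows."""
    out = {}
    for line in rows.strip().splitlines():
        pid, image = line.split(maxsplit=1)
        out[int(pid)] = image
    return out


def build_tree(edges, dropped):
    """Return (names, children, roots, unexplained).

    unexplained lists (writer, target) pairs whose target is not a dropped EXE:
    memory written into a process the sample did not spawn itself, which is the
    pattern to examine for injection (a heuristic; it needs the dropped-EXE table).
    """
    names = dict(dropped)
    children = OrderedDict()
    unexplained = []
    for src, dst, image in edges:
        names.setdefault(src, image)
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
        if dst not in dropped:
            unexplained.append((src, dst))
    targets = {dst for _, dst, _ in edges}
    roots = list(OrderedDict.fromkeys(src for src, _, _ in edges if src not in targets))
    return names, children, roots, unexplained


def render(names, children, roots):
    """Indented one-line-per-process view, e.g. '  zifD6386.exe (2856)'."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names.get(pid, '<unknown>')} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_wpm(WPM_ROWS), parse_dropped(DROPPED_ROWS))
    print("\n".join(render(*tree[:3])))
    print("unexplained targets:", tree[3])
```

Run on the report's rows this yields the chain sample (1052) -> zifD6386.exe (2856) -> jr791106.exe (3452) and ku881258.exe (2772), with no unexplained targets; sc.exe (644) never appears because nothing in the table wrote into it, so it has to be read from the Processes tree below rather than from these rows.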
Processes

C:\Users\Admin\AppData\Local\Temp\b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b4e97b8e3966d99d001126635111c4580f84f6490c94c2b1985288824ce74801.exe"
  PID: 1052
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifD6386.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifD6386.exe
    PID: 2856
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791106.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr791106.exe
      PID: 3452
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881258.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881258.exe
      PID: 2772
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 644
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 388KB
MD5: ef448866808d51c688fb1ae61f6addc4
SHA1: 657d99fe238dbc2f8475850c8114a3c5274482e2
SHA256: c6391ec36f12c2f40888b29afbe9d9ec388e93bfd45aafe6e614021b6f8bdf34
SHA512: 26d5705d15dc374d2b62e1ac7fe9cc4f0fb220c031414b656fcb0cf18972d8e58fb08fa72ee9314ca7161cc7f1e032c7813d30663260fdc31abfa2be236ae13c

Filesize: 12KB
MD5: fa5371a607a025064ccb0c8a5a521bb4
SHA1: f86c50ee2fada9610874c0fd28bcda835f1dce7e
SHA256: 714bed24a85088c8e53b9de6affff93a9459d0967a484e8dbe55abd3fe90bbf7
SHA512: 19412a96df5f8b09caad24afcae627f76c0a17c25c3cbad8987975cf87b20c103c1d09abe28cfe9fb6204ca91ff81dfae3752bbf941fec2821be48ad6af4c2b5

Filesize: 342KB
MD5: d6b1cc04b14760c7ddff357bd8da2952
SHA1: 4544a71312168893c6ffa645071281e7b89193b7
SHA256: 4c6012b73010c72859ab4086d7a2b055546abe9d6d3a6952d8d965ede7f8f704
SHA512: 03bd5fbc13f7dd549ce6c2308ed6fe5f9596e433118c3fc2d01b8554d80cbd122787b5f5db23625548e5f65710823c7a2168b1b1e6d91a4b40fe7f97abe03795