Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 18:50
Static task
static1
Behavioral task
behavioral1
Sample
3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe
Resource
win10v2004-20241007-en
General
-
Target
3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe
-
Size
522KB
-
MD5
927553a17093f72b9fc531bd3bb96fb6
-
SHA1
41f52ae91878015555f825b4c3c3e9677783c69a
-
SHA256
3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45
-
SHA512
9a91f0fd8d5663bc69d670f632c5461d171e373df93e29ee8fb5d6cb09217f229a31e382706889c4984dd016f8b8a0c79c372f03ebf1d1126a086da2ee69c8c2
-
SSDEEP
12288:5MrHy90K9DwKM5I/Np0ceuItBUVpDf6u:GyHTM5I/t/ItBUVlf6u
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b7a-12.dat healer behavioral1/memory/1676-15-0x0000000000240000-0x000000000024A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr063446.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr063446.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr063446.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr063446.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr063446.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr063446.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/220-22-0x00000000023C0000-0x0000000002406000-memory.dmp family_redline behavioral1/memory/220-24-0x0000000004AB0000-0x0000000004AF4000-memory.dmp family_redline behavioral1/memory/220-56-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-58-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-89-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-86-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-85-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-80-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-79-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-76-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-74-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-72-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-70-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-69-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-66-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-64-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-62-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-60-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-54-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-52-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-50-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-46-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-44-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-42-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-40-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-38-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-36-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-34-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-82-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-48-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-32-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-30-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-28-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-26-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline behavioral1/memory/220-25-0x0000000004AB0000-0x0000000004AEF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 3992 ziuT0441.exe 1676 jr063446.exe 220 ku707442.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr063446.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziuT0441.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziuT0441.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku707442.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1676 jr063446.exe 1676 jr063446.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1676 jr063446.exe Token: SeDebugPrivilege 220 ku707442.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2492 wrote to memory of 3992 2492 3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe 84 PID 2492 wrote to memory of 3992 2492 3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe 84 PID 2492 wrote to memory of 3992 2492 3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe 84 PID 3992 wrote to memory of 1676 3992 ziuT0441.exe 85 PID 3992 wrote to memory of 1676 3992 ziuT0441.exe 85 PID 3992 wrote to memory of 220 3992 ziuT0441.exe 94 PID 3992 wrote to memory of 220 3992 ziuT0441.exe 94 PID 3992 wrote to memory of 220 3992 ziuT0441.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe"C:\Users\Admin\AppData\Local\Temp\3617ab7a925c8c89be352756ca49252e7a7b89ca1aabaa45baead3f127241c45.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuT0441.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuT0441.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr063446.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr063446.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku707442.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku707442.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD568f0718fef2238bb625fae99d17d9890
SHA10eab8f9badc5c580152037cced585e89452ad514
SHA256a7c48a4db6159de0d569a8653d9e1f95b0e8fd38a7f7a02fdf2ac8d6eb1b0e5f
SHA5120f7f94106824262c2c2b79017b7dadc3aa2d76fda65f91e91e4ea217365e86fff1be16671211b3932c49ff1413ac907ff7700cee6167fd9455a3b5908f11a51f
-
Filesize
14KB
MD59d2ccc36e7602625843d593cd14cdbe5
SHA161f73817bad57fc0c2224e74cff59d3597ab4ccd
SHA256a30d69f7d070df0764b94952b0776ee6a31d155e59d1700d201bf1895b5a41a3
SHA5122c92fc10664cfbf2a7d41992e478388796153d645806da9a8bf43ad5cb5c702b541ea3e34ba3c23eb75fc3f8bbf8064523aef5ad35d789aff325e733b6229b87
-
Filesize
295KB
MD5a99377a8fa7673c2b5d275ee809b5d17
SHA14f5b245415ef9f2292e36bc2021cee3d8ea26c06
SHA256a1020ccab7dc0206bacd4a95a123628b381beaed1187c57cfd549b8cc7f215c0
SHA512c325e370d9fa35c0e9099d508a032b1eef5b2f0fb3d875bfc7383b4f242cd37feb5a3c90356c81c52f434f40bb473b291aa8dd8a4264bc86228189f5d93ec376