Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 21:46
Static task
static1
Behavioral task
behavioral1
Sample
d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe
Resource
win10v2004-20241007-en
General
-
Target
d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe
-
Size
536KB
-
MD5
75e6ec5ea8ec26876420e80eed8a46fc
-
SHA1
7b1f624bbbbe1f97dd74e6852c565685e3cf0aaf
-
SHA256
d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340
-
SHA512
c6b4218b8f62a2d864447fe3f139315364ed5943ac915c33d46c85091bd40e5b250859f398214991d6ffddc37a44a64afe4f456881155b6097c7ca6488115b8c
-
SSDEEP
12288:WMr8y90ZgBId8NGZJl8NSzhFo2LHvWxB:uywqKz8NSY2I
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023cc0-12.dat | healer
behavioral1/memory/2072-15-0x0000000000650000-0x000000000065A000-memory.dmp | healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr129642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr129642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr129642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr129642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr129642.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr129642.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/4320-22-0x00000000028F0000-0x0000000002936000-memory.dmp | family_redline
behavioral1/memory/4320-24-0x0000000005400000-0x0000000005444000-memory.dmp | family_redline
behavioral1/memory/4320-25-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-38-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-36-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-34-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-32-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-30-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-28-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-26-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-78-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-62-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-48-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-88-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-86-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-84-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-82-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-80-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-76-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-74-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-72-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-70-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-68-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-66-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-64-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-60-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-58-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-56-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-54-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-53-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-50-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-46-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-44-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-42-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
behavioral1/memory/4320-40-0x0000000005400000-0x000000000543F000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid | Process
4864 | ziXJ3520.exe
2072 | jr129642.exe
4320 | ku682612.exe
-
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr129642.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziXJ3520.exe
-
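The registry IoCs in the Defender Real-time Protection, Windows security modification and Run key signatures above translate directly into host-telemetry detection logic. The following is an added example, not part of this report and not code from any sandbox: it classifies Sysmon Event ID 13 (RegistryEvent: value set) records against those keys and groups hits per writing process, so that one policy write (which a legitimate GPO refresh also produces) does not alert on its own, while the burst of five Real-Time Protection disables plus TamperProtection=0 from a single process does. The RunOnce wextract_cleanup values calling advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory are the cleanup entries written by the Windows IExpress/wextract self-extractor, so they are surfaced as staging context rather than as an alert. The event dicts are constructed to mirror the report's IoCs; the svchost control event, its PID and the Sysmon field layout are assumptions.

```python
"""Added example (not from the report): classify Sysmon Event ID 13 (value set)
records against the Defender policy, TamperProtection and RunOnce IoCs above."""
import re
from collections import defaultdict

RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_SUFFIX = r"\Microsoft\Windows\CurrentVersion\RunOnce"
# rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\IXPnnn.TMP\" is the IExpress/wextract cleanup entry
WEXTRACT_CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"', re.I)
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]+)\)")


def normalize_key(path):
    """Map the \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE spellings onto HKLM."""
    for prefix in (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"):
        if path.upper().startswith(prefix.upper()):
            return "HKLM" + path[len(prefix):]
    return path


def parse_dword(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report shows bare ints."""
    m = DWORD_RE.search(details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return None


def classify(event):
    """One value-set event -> (severity, label) or None."""
    target = normalize_key(event["TargetObject"])
    key, _, name = target.rpartition("\\")
    details = str(event.get("Details", ""))
    value = parse_dword(details)
    if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and value == 1:
        return ("high", "rtp_policy_disable:" + name)
    if key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and value == 0:
        return ("high", "tamper_protection_off")
    if key.lower().endswith(RUNONCE_SUFFIX.lower()) and WEXTRACT_CLEANUP_RE.search(details):
        return ("info", "wextract_cleanup:" + name)  # benign alone; marks the staging dir
    return None


def detect(events, min_rtp_hits=2):
    """Group high findings per writing process; alert when TamperProtection is
    switched off or at least min_rtp_hits policy disables come from one process.
    A single policy write is normal for a GPO refresh, so it does not alert."""
    per_proc = defaultdict(set)
    context = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        severity, label = hit
        if severity == "info":
            context.append((ev["ProcessId"], ev["Image"], label))
        else:
            per_proc[(ev["ProcessId"], ev["Image"])].add(label)
    alerts = []
    for (pid, image), labels in sorted(per_proc.items()):
        rtp = sorted(l for l in labels if l.startswith("rtp_policy_disable:"))
        tamper = "tamper_protection_off" in labels
        if tamper or len(rtp) >= min_rtp_hits:
            alerts.append({"pid": pid, "image": image, "rtp_disabled": rtp, "tamper_off": tamper})
    return alerts, context


# Constructed events mirroring the report's IoCs (assumed field layout, not real telemetry).
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129642.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2072, "Image": HEALER,
     "TargetObject": RTP_POLICY_KEY + "\\" + name, "Details": "DWORD (0x00000001)"}
    for name in sorted(RTP_DISABLE_VALUES)
] + [
    {"EventID": 13, "ProcessId": 2072, "Image": HEALER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 628, "Image": DROPPER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    # Assumed benign control: a GPO refresh re-enabling real-time monitoring (value 0).
    {"EventID": 13, "ProcessId": 1200, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    alerts, context = detect(SAMPLE_EVENTS)
    for a in alerts:
        print("ALERT", a)
    for c in context:
        print("CONTEXT", c)
```

Run against the constructed events, detect returns one alert for PID 2072 (all five policy disables plus TamperProtection off) and one context entry for the dropper's RunOnce cleanup value; the svchost write of value 0 and any single policy write stay silent. Sysmon's default configuration does not log every value under these keys, so a matching RegistryEvent include rule for the Policies\Microsoft\Windows Defender and Windows Defender\Features paths is a prerequisite.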
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziXJ3520.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku682612.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2072 | jr129642.exe
2072 | jr129642.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2072 | jr129642.exe
Token: SeDebugPrivilege | 4320 | ku682612.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 628 wrote to memory of 4864 | 628 | d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe | 83
PID 628 wrote to memory of 4864 | 628 | d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe | 83
PID 628 wrote to memory of 4864 | 628 | d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe | 83
PID 4864 wrote to memory of 2072 | 4864 | ziXJ3520.exe | 84
PID 4864 wrote to memory of 2072 | 4864 | ziXJ3520.exe | 84
PID 4864 wrote to memory of 4320 | 4864 | ziXJ3520.exe | 89
PID 4864 wrote to memory of 4320 | 4864 | ziXJ3520.exe | 89
PID 4864 wrote to memory of 4320 | 4864 | ziXJ3520.exe | 89
Processes
-
1. Image: C:\Users\Admin\AppData\Local\Temp\d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d2c2678864274fc50bc7e92f614258136109786f7a060f1c3422a42113b85340.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 628
   2. Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXJ3520.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXJ3520.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4864
      3. Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129642.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr129642.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2072
      3. Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku682612.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku682612.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 4320
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
Filesize
394KB
MD5
9e0f5f800df2502b1409460fc10297ba
SHA1
c0a673322671e1baa1ccfc1996afd80e7a97c080
SHA256
8c000b27efa04421184fa5b6c8e4b9cf5033fc59bf2969e1cf3dfcb5d6de295c
SHA512
61d8540961292daf7fa026bd93cd3b116013e9111206480ebc65377846612824581c3585d175db13a85763bd29b4cdb2496ee927abe376db548c8130bc2d2f14
-
Filesize
13KB
MD5
93b6c649fdc7ff03538e31e0d9294382
SHA1
053a5e4c6aa56cbe71d0eeb39d354c424055e673
SHA256
6127312c2b7593a878ffce3a9de1d816bc6cf69c3f5931016f749e6af11dd1f6
SHA512
b455f87b11021b93527cf2842b8690fb3a271990ffe1dda04c6ddc0a7e0ba65e94d139525fb9bbb7bfcfda8eb452f28a260f88c28ed8179783dd69b3ccde0637
-
Filesize
353KB
MD5
916a2646e9e8cded89177094fa05ba51
SHA1
3705da93c186964fec84c8edcf96621e62ef3e91
SHA256
07dda88815a7f5a250d7b5628d79481a554526781d4fd968b0632b19d26fef17
SHA512
fae8b57591357bf86cfcb57cf400e106935234669c587aa2aafc3bbfabbff32fec0def5321e0b133bbdee12f8d11bded2dfd244678fe9c16ab1fe12688e9a93c