Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe
- Resource: win10v2004-20241007-en
General
- Target: 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe
- Size: 522KB
- MD5: 08125e561d244eed78e153bad1452340
- SHA1: 89521d73475525d925e70d21875ee29fe8af4d96
- SHA256: 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4
- SHA512: e1374408cb9c03d7df4cc68a8cc2438cb070b2fd69722bf201f5011a8d484983fe01f9e2e6729ef4ea4ccd529add15ea59d573cd98ffd6ee8a2ffbf5760709ad
- SSDEEP: 12288:KMrTy90wTQUEDhBvmZ9ZR6As10YYCoz8mN46CzWKdAgSZF8x:RyFTQJDhpm1RI1hmO67Kenex
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
- Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource / yara_rule:
  behavioral1/files/0x000b000000023b8a-13.dat: healer
  behavioral1/memory/5032-15-0x0000000000560000-0x000000000056A000-memory.dmp: healer
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description / ioc / Process:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr994622.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr994622.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr994622.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr994622.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr994622.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr994622.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
- RedLine payload (35 IoCs): yara rule family_redline matched memory dumps of PID 1676 (ku195452.exe) in behavioral1
- Redline family
- Executes dropped EXE (3 IoCs)
  pid / Process:
  3692 ziPK9492.exe
  5032 jr994622.exe
  1676 ku195452.exe
- Windows security modification (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr994622.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ziPK9492.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ziPK9492.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku195452.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
  5032 jr994622.exe
  5032 jr994622.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 5032 (jr994622.exe)
  Token: SeDebugPrivilege, PID 1676 (ku195452.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 4000 wrote to memory of 3692 (4000 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe, target 84)
  PID 4000 wrote to memory of 3692 (4000 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe, target 84)
  PID 4000 wrote to memory of 3692 (4000 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe, target 84)
  PID 3692 wrote to memory of 5032 (3692 ziPK9492.exe, target 85)
  PID 3692 wrote to memory of 5032 (3692 ziPK9492.exe, target 85)
  PID 3692 wrote to memory of 1676 (3692 ziPK9492.exe, target 99)
  PID 3692 wrote to memory of 1676 (3692 ziPK9492.exe, target 99)
  PID 3692 wrote to memory of 1676 (3692 ziPK9492.exe, target 99)
Processes
- C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe (PID 4000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe (PID 3692)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe (PID 5032)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe (PID 1676)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 379KB
  MD5: 2145719c8df48ee93ffcc94961129132
  SHA1: 3d8a1a345c5a8633586f949a815a0e312b78f61c
  SHA256: 96a8b64a822baea461eaf71aaf5cdb61465760c16bab2c9edf7b1ce76406b293
  SHA512: 725fe1ad6da10db61394df73754a279c0e9c0dcf67f89e0db93c208170d268cbc7e8be8d6c28a1a52e3e8a5b27ca7c934109224273bfe9d60d7f9901d375a050
- Filesize: 15KB
  MD5: 7ff24f9bb4b0dcc5bc325a3b9215b692
  SHA1: a2a74df8e9d1cd66156fe82f07c9c31a83e235cb
  SHA256: 1466a0eac7850d5bbef7831b1a3628e7859089e6647abc9e9f96ab0de837c7d7
  SHA512: 0b8af222520eb70d7ef37384b6489c33a438fcc0325d3b9e5cd313b6a734f665ffdc405690d31ec221dc3583562befa29e214053b732352af5eddd4733be2734
- Filesize: 294KB
  MD5: 6d4736f10db18f610f659f8c799c9392
  SHA1: b433de01816df02380bc34bc2fe8a0c84859b79d
  SHA256: 6673ac912bc7ca0660715ef4f2935b7fbb8e9d5c1a8ff291f7cf295074034ed7
  SHA512: 95d066b502b8654d2953e8075c116e703cb0f6ef7836f9a98b2b5e79139c15285ce3fde444fb0aeb65cc3680b09667f0dd022c4f747e5d65924e76df49787e41