Analysis
-
max time kernel
142s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 03:50
Static task
static1
Behavioral task
behavioral1
Sample
0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe
Resource
win10v2004-20241007-en
General
-
Target
0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe
-
Size
1.2MB
-
MD5
7145de3821650c7d61d6213d70d1aa64
-
SHA1
51d915a6a7d04fd24168dbe92363d8645a674c3d
-
SHA256
0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb
-
SHA512
14c2eff5098b0499c22481bc8c37024460bc0e98bc5563955f293d75cc15e9cb47a8a696f19e5a919d502703388c01393e52691049857791d0e62962d421f7e1
-
SSDEEP
24576:IP68Q0hZGglqBXOSYHjlRNTeM1YCXLlW//bVyFqb:IVQ0hrlqB5YD3+nbgq
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
resource yara_rule behavioral1/files/0x000600000001a447-38.dat healer behavioral1/memory/2760-42-0x00000000013D0000-0x00000000013DA000-memory.dmp healer behavioral1/memory/3004-56-0x00000000007C0000-0x00000000007DA000-memory.dmp healer behavioral1/memory/3004-57-0x0000000002830000-0x0000000002848000-memory.dmp healer behavioral1/memory/3004-58-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-71-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-83-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-81-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-79-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-77-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-75-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-73-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-69-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-67-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-65-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-63-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-61-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-59-0x0000000002830000-0x0000000002842000-memory.dmp healer behavioral1/memory/3004-85-0x0000000002830000-0x0000000002842000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" con4401.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" con4401.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" con4401.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" con4401.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" con4401.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource yara_rule behavioral1/memory/1624-98-0x00000000050D0000-0x0000000005116000-memory.dmp family_redline behavioral1/memory/1624-99-0x0000000005110000-0x0000000005154000-memory.dmp family_redline behavioral1/memory/1624-131-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-129-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-127-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-125-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-123-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-121-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-119-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-117-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-115-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-113-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-111-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-109-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-107-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-105-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-103-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-101-0x0000000005110000-0x000000000514E000-memory.dmp family_redline behavioral1/memory/1624-100-0x0000000005110000-0x000000000514E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 6 IoCs
pid Process 2024 kino8995.exe 580 kino9628.exe 2132 kino0135.exe 2760 bus4758.exe 3004 con4401.exe 1624 dxx08s54.exe -
Loads dropped DLL 13 IoCs
pid Process 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 2024 kino8995.exe 2024 kino8995.exe 580 kino9628.exe 580 kino9628.exe 2132 kino0135.exe 2132 kino0135.exe 2132 kino0135.exe 2132 kino0135.exe 3004 con4401.exe 580 kino9628.exe 580 kino9628.exe 1624 dxx08s54.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features bus4758.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bus4758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features con4401.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" con4401.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kino8995.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" kino9628.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" kino0135.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxx08s54.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kino8995.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kino9628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kino0135.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language con4401.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2760 bus4758.exe 2760 bus4758.exe 3004 con4401.exe 3004 con4401.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2760 bus4758.exe Token: SeDebugPrivilege 3004 con4401.exe Token: SeDebugPrivilege 1624 dxx08s54.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 1724 wrote to memory of 2024 1724 0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe 30 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 2024 wrote to memory of 580 2024 kino8995.exe 31 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 580 wrote to memory of 2132 580 kino9628.exe 32 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 2760 2132 kino0135.exe 33 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 2132 wrote to memory of 3004 2132 kino0135.exe 35 PID 580 wrote to memory of 1624 580 kino9628.exe 36 PID 580 wrote to memory of 1624 580 kino9628.exe 36 PID 580 wrote to memory of 1624 580 kino9628.exe 36 PID 580 wrote to memory of 1624 580 kino9628.exe 36 PID 580 wrote to memory of 1624 580 kino9628.exe 36 PID 580 wrote to memory of 1624 580 kino9628.exe 36 PID 580 wrote to memory of 1624 580 kino9628.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe"C:\Users\Admin\AppData\Local\Temp\0dd54f2d7b897be97ad8ba1af5d8038221fea9163dc73a79c30a44a6270657cb.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8995.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8995.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9628.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9628.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0135.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0135.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4758.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4758.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con4401.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con4401.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxx08s54.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxx08s54.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
877KB
MD5f661efffc7a49ee20ff3dd99c0fef43e
SHA178819b0394bd11b38c30bcecb7d5c088a4f7ee0f
SHA25691930052b0b185061b482cda914e6cb94430f11835f7d533d51c34f8598c38b3
SHA5122bcc11627d1d1be0c553f73c5389bdc3fe770cc3016abd0b90ac247635bebc2a712a6d052c67705b4f9fbcf35cae9c8195bf8dacbdc80dac545844dcc6ba51f4
-
Filesize
735KB
MD55c6d05b4e0035cd2456c461b0513c351
SHA1a26aa4dd1b8aadddaf0a7be38827ac4648184f02
SHA2568c3581f9099b30d5f2c559b791d10a435483ec2ac7f5f0bb921dc21acee08a51
SHA512ee2ef35ebe09f99dbbdc0ea6626666dd840842fd21907c27aba4f6b69c95a32ec9ba5425377f58fe7850f57edbcefbd72755cfc77c67522aca4f8ab61b11392d
-
Filesize
420KB
MD5f676df4f80811a65833b331f469efb31
SHA1dcd58ce91d97e53217f398723905008d497b6386
SHA256587a0ae3de4e0536b6aa4d590f3d25dea480eebba043e638ef86f4d117e2eb6d
SHA512dd5a63165e4a482fa9908e2570bacd25329a64b7bc2a3a525cc18cae9334587fbbfdea6883667a1777a1d4762936ae7c3546f6b23ef670b0206c5c0e25446e52
-
Filesize
364KB
MD5c784149a4c9181dda63333bcea9b5d02
SHA198839312fa1eafdde007611623d18a22e7a0ae4b
SHA256654b5e759b01d4021da78b8be0221e854e02697a7bbbcc789908a419dfdbcd53
SHA51214b8f6000fa0c6e6c74247504cfe61840da87012c433ed5802458537e5c4c8c3876a06f8ee766b30685b2dec50d52d31d30142ce333e4f5fd9b7ef9a1975902d
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
363KB
MD5ec22428185bd6b805bd96b65c2d91564
SHA166efdadf77fe523728ee8f2b76afed7b18fb7642
SHA256691aa86256e2288cdec368b3e17a24b9c5d264c8514c0025d759128d2615f537
SHA5125386c91bd3e0049331e9b985ee0ad817ff25bc3525b1a2acce07da06eea96b5723fe8cc97963f6f98690c6e0105e635f39c3bff4be7c0f35575c83c5b26110e1