Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 03:56
- Static task: static1
- Behavioral task: behavioral1
- Sample: d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe
- Resource: win10v2004-20241007-en
General
- Target: d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe
- Size: 536KB
- MD5: 347f5d668ad22da5ac5a4c6418340d0a
- SHA1: 08cc692dab7260ce82b1d30c31101975dd354762
- SHA256: d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e
- SHA512: 9afd580116dd15a6a42992c6ee9f11956bf9f466e1da9533b201481f3eb9fb281a5256c7de446b180a58dd1c1260c4582bc46717397c89d45e1e1c1296913c23
- SSDEEP: 12288:PMrBy907rALyc91auglv6bsCNXzNCRoTlpcf4B:iyekL591V8CbsCNX0ohpcwB
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b7d-12.dat | healer
behavioral1/memory/2008-15-0x0000000000720000-0x000000000072A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr162597.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr162597.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr162597.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr162597.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr162597.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr162597.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
Redline family
-
Executes dropped EXE (3 IoCs)
pid | Process
3528 | zieB4574.exe
2008 | jr162597.exe
2904 | ku855629.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr162597.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zieB4574.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zieB4574.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku855629.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2008 | jr162597.exe
2008 | jr162597.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2008 | jr162597.exe
Token: SeDebugPrivilege | 2904 | ku855629.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3816 wrote to memory of 3528 | 3816 | d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe | 84
PID 3816 wrote to memory of 3528 | 3816 | d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe | 84
PID 3816 wrote to memory of 3528 | 3816 | d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe | 84
PID 3528 wrote to memory of 2008 | 3528 | zieB4574.exe | 85
PID 3528 wrote to memory of 2008 | 3528 | zieB4574.exe | 85
PID 3528 wrote to memory of 2904 | 3528 | zieB4574.exe | 95
PID 3528 wrote to memory of 2904 | 3528 | zieB4574.exe | 95
PID 3528 wrote to memory of 2904 | 3528 | zieB4574.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3816
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3528
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2008
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2904
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 394KB
  MD5: 8bef6b0facf50f45bc7d2b746ee04716
  SHA1: 67578bf3a03a5461e4dc38f5ea953ca02d4ca984
  SHA256: 4712d275696c14f832f0cadef849ec4bbe5093bce8aeb1172aad5b4043a33ca8
  SHA512: 3bb516e9951860c3b019a4f29133af3ee1515f3a44d81d12cd097956550e2175b2eaa2cd345db6a1da48f499b1f244afa31102af96986f89a1a65f5c9c7a8ac9
- Filesize: 13KB
  MD5: 34460244ddc626d4599e070c66ea340f
  SHA1: 5a24de2a7c59aea23106ef0af22b4b391f192dbb
  SHA256: 535baee1fe5d24e6ceefd7b3f7037d4ea2a0cd14535a814b6978f5ee9ebe2146
  SHA512: 09945543c5e51666d2819b9213f1251b4074b28bb5fbea9637cdc104f977e5d83b2160ad1807874c57124ff67d6cc2c95c918d23733e61e01b14b8b6a788c37d
- Filesize: 353KB
  MD5: fec2fb517b3eb96b94407d6e1ad9ac6c
  SHA1: 500066dc7eec7643cefc6830b30013fccb144d79
  SHA256: 624ab4d1bcec473a5ed13d870212ecb30a35fd61f89d9b70d28246a5e720258d
  SHA512: 93bbbb9e841266f2b13778bc13f5525ac155f832f93ceab6481641b9fca12f370bc20ca626bef59b9b66683a5b57f6373f7bd6fcdccc79d7dd61773ee87af654