Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 05:02
Static task: static1
Behavioral task: behavioral1
Sample: 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe
Resource: win10v2004-20241007-en
General
Target: 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe
Size: 522KB
MD5: e46732f3180a6884445b74e62e2ed80a
SHA1: fd60474323dda461d2a01b2cf77abc30412a00e9
SHA256: 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5
SHA512: 383e3882337b6254160f03b7d7d9fc66715ef9d7e5ff570a2a6904a97d02c4930ea22e496772b9c4b104d362b3ee4902300b2f6447944419a5a34a1f03299134
SSDEEP: 12288:rMrVy90QdsLDWMiQo/5L3iFqfsQt2upxIfafZk4:iyWrkSFq3vxI6K4
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x0008000000023c98-12.dat                                  healer
  behavioral1/memory/1664-15-0x00000000008A0000-0x00000000008AA000-memory.dmp  healer
  (pid 1664 is jr365161.exe, the same process that rewrites the Defender policy values below)
Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  All written by process jr365161.exe:
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
  All 35 are family_redline YARA matches on memory dumps of process 3852 (ku239007.exe):
  behavioral1/memory/3852-22-0x00000000049F0000-0x0000000004A36000-memory.dmp
  behavioral1/memory/3852-24-0x0000000004A80000-0x0000000004AC4000-memory.dmp
  behavioral1/memory/3852-NN-0x0000000004A80000-0x0000000004ABF000-memory.dmp, for NN in
    25, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68,
    71, 72, 74, 76, 78, 80, 82, 84, 86, 88
Redline family

Executes dropped EXE (3 IoCs)
  pid   Process
  3488  ziEi9057.exe
  1664  jr365161.exe
  3852  ku239007.exe

Windows security modification (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   jr365161.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   ziEi9057.exe
  Note: both values are the cleanup hook that the wextract (IExpress) self-extractor writes for itself. At the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP00n.TMP extraction directory; neither entry relaunches any of the dropped executables, so this signature on its own is not evidence that the sample persists.
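The three registry signatures above (Defender Real-Time Protection policy values set to 1, TamperProtection set to 0, and the RunOnce writes) are the kind of events an endpoint sensor records as registry SetValue operations. The following is an added example, not code from the sandbox or from the malware: a small classifier run over constructed records whose shape is assumed to follow Sysmon Event ID 13 (pid, image, target value path, rendered data), with paths and values copied from the IoCs in this report. It separates the Healer-style Defender tampering from the benign wextract cleanup RunOnce entry, and reports which PIDs show both the real-time protection and Tamper Protection writes.

```python
"""Classify registry SetValue events for the Defender-tampering and RunOnce
writes seen in this report.  Added example, not code from the sandbox or the
malware; the event shape is an assumption modelled on Sysmon Event ID 13."""
import re
from typing import List, NamedTuple, Optional, Tuple


class RegEvent(NamedTuple):
    pid: int
    image: str      # full path of the writing process
    target: str     # registry value path as Sysmon renders it (HKLM\...)
    details: str    # written data, e.g. "DWORD (0x00000001)" or a string


# Defender real-time protection policy values that Healer sets to 1
RTP_DISABLE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
# Tamper Protection feature flag that Healer sets to 0
TAMPER_OFF = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
# Run / RunOnce autostart values (native and WOW6432Node hives alike)
RUNONCE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x...)' rendering; None for non-DWORD data."""
    m = DWORD.match(details)
    return int(m.group(1), 16) if m else None


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding tag for one event, or None if it is not interesting."""
    m = RTP_DISABLE.search(ev.target)
    if m and dword(ev.details) == 1:
        return "defender_rtp_disable:" + m.group(1)
    if TAMPER_OFF.search(ev.target) and dword(ev.details) == 0:
        return "defender_tamper_protection_off"
    m = RUNONCE.search(ev.target)
    if m:
        # wextract (IExpress) writes a RunOnce entry that only deletes its own
        # IXP*.TMP extraction directory via advpack.dll; keep it, but rank it low
        if "advpack.dll,DelNodeRunDLL32" in ev.details and "\\IXP" in ev.details:
            return "runonce_sfx_cleanup:" + m.group(1)
        return "runonce_autostart:" + m.group(1)
    return None


def detect(events) -> List[Tuple[int, str, str]]:
    """(pid, image basename, tag) for every event that classify() flags."""
    out = []
    for ev in events:
        tag = classify(ev)
        if tag:
            out.append((ev.pid, ev.image.rsplit("\\", 1)[-1], tag))
    return out


def healer_like_pids(events) -> List[int]:
    """PIDs that both disabled a real-time protection setting and switched
    Tamper Protection off: the combination this report attributes to jr365161.exe."""
    rtp, tamper = set(), set()
    for pid, _, tag in detect(events):
        if tag.startswith("defender_rtp_disable:"):
            rtp.add(pid)
        elif tag == "defender_tamper_protection_off":
            tamper.add(pid)
    return sorted(rtp & tamper)


# Constructed sample events: paths and data mirror the IoCs in this report and
# PIDs/images come from its process list; the last record is a benign control
# (the value written back to 0 by an unrelated process) that must not fire.
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe"
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    RegEvent(1664, JR, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegEvent(1664, JR, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegEvent(1664, JR, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    RegEvent(5072, r"C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent(4242, r"C:\Windows\System32\svchost.exe", RTP + r"\DisableRealtimeMonitoring",
             "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("healer-like pids:", healer_like_pids(SAMPLE_EVENTS))
```

The value check matters: a write of DisableRealtimeMonitoring = 0 (the control record) is a policy being restored, not disabled, and must not alert. The cleanup entries are kept as a low-ranked tag rather than dropped, because the same IXP*.TMP directory names tie the RunOnce write to the dropped files listed elsewhere in the report.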
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ziEi9057.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ku239007.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1664  jr365161.exe
  1664  jr365161.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege   1664  jr365161.exe
  Token: SeDebugPrivilege   3852  ku239007.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  pid   Process                                                                   wrote to memory of   procid_target   count
  5072  7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe   3488 (ziEi9057.exe)  83              3
  3488  ziEi9057.exe                                                              1664 (jr365161.exe)  84              2
  3488  ziEi9057.exe                                                              3852 (ku239007.exe)  93              3
Processes
C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe  (PID 5072, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe  (PID 3488, depth 2, child of 5072)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe  (PID 1664, depth 3, child of 3488)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe  (PID 3852, depth 3, child of 3488)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 380KB
MD5: 21027cb188f40490066154654e60e3c7
SHA1: 9a981a31ad1a33e7e3f2830738e45d9435bf1f96
SHA256: ffd1488bb251d82d1378cc7f6b9633e55eef97d8d50978440b5a0c48f5249e6a
SHA512: 8a5ec496d88808a3bbcadd788342cbbb01257c37d12bab91d4570e08d4da5415a2c17f060db4c82c73bd278f86b25296a15892c34c86bfced2e7a38f6f4d5851

Filesize: 14KB
MD5: b5d2eb69dbf7867c1308103cebbb8287
SHA1: 9a587694e49fcb89a48b029aec9aa1bfafdfe3ac
SHA256: e16ee90aa92ab21eb34a8b4e4a5027f3e59224e94196f81f45312ee124abcaf9
SHA512: 486ace5c0a8ebcf8642fe9ebfa65bcd96d054cf9bc6e6f60437dbec1db99961f0f40402b8a2f05f1435054edd40019e6d1806214296008d16701528d3b3db7ae

Filesize: 295KB
MD5: 29a1d47a0a764e756409e83d84a5c0a3
SHA1: 94fdc133eab57c39c1e692ddd64035ef39d6b427
SHA256: 7850d76bc48a8b4bd776069b9e89daac6348d0bd972de32943c886ce1e24f60c
SHA512: 4189fc3d08e800ab4043a73bb73922ed11cdba79fef73e7c609191f890a1ce8e14ecda120664290908e236c4bc477fa8980f0b92453addc33b0b4a13a0a2c0c8