Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:14
Static task: static1
Behavioral task: behavioral1
Sample: c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe
Resource: win10v2004-20241007-en
General

Target: c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe
Size: 530KB
MD5: 48670da0ce9dd78a7bb77c8088bb7b37
SHA1: 56e964068744459922de58b0a60f9563d739e1fd
SHA256: c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376
SHA512: 90f5baec6f9ea69574935a4f7e5beffa8bd7dfff680e437a06c997f3ae19a3a85236e63d0cdc4849c1d4221b98fca053227b7aebbe6f4579e994473393d95d16
SSDEEP: 12288:AMrUy90XakJlSmo5YA4ySo0HO4Ij93v0VQdvgA0i:kyHobySj+Vv0VQODi
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c75-12.dat | healer
behavioral1/memory/1416-15-0x0000000000990000-0x000000000099A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr247213.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr247213.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr247213.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr247213.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr247213.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr247213.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/3472-22-0x0000000004B10000-0x0000000004B56000-memory.dmp | family_redline
behavioral1/memory/3472-24-0x0000000007760000-0x00000000077A4000-memory.dmp | family_redline
behavioral1/memory/3472-30-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-40-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-38-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-36-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-34-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-32-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-88-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-76-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-56-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-44-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-28-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-26-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-25-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-86-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-84-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-82-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-80-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-78-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-74-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-72-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-70-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-69-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-66-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-64-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-62-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-60-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-58-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-54-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-52-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-50-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-48-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-46-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline
behavioral1/memory/3472-42-0x0000000007760000-0x000000000779F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4836 | zipO9280.exe
1416 | jr247213.exe
3472 | ku709726.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr247213.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zipO9280.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility used to control services on the system.
pid | Process
4320 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zipO9280.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku709726.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1416 | jr247213.exe
1416 | jr247213.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1416 | jr247213.exe
Token: SeDebugPrivilege | 3472 | ku709726.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2820 wrote to memory of 4836 | 2820 | c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe | 85
PID 2820 wrote to memory of 4836 | 2820 | c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe | 85
PID 2820 wrote to memory of 4836 | 2820 | c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe | 85
PID 4836 wrote to memory of 1416 | 4836 | zipO9280.exe | 86
PID 4836 wrote to memory of 1416 | 4836 | zipO9280.exe | 86
PID 4836 wrote to memory of 3472 | 4836 | zipO9280.exe | 93
PID 4836 wrote to memory of 3472 | 4836 | zipO9280.exe | 93
PID 4836 wrote to memory of 3472 | 4836 | zipO9280.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c12fa81e5ef76d5da7efb18f4d7b95c5a9b83c4d8e91d81b2a81ed48bd32d376.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2820

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipO9280.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipO9280.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4836

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr247213.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr247213.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1416

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709726.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709726.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 3472

C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 4320
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 387KB
MD5: 6b35504316a4731fd343ccdefe5451ce
SHA1: fac7f090cd80b070bdeafbda8c9b26eff5717b08
SHA256: a2f3e9dc9843cd0c36497035d35c08cc8c6a80237accec566f764a99454a5e63
SHA512: 2a291f1e851904b999c9a58a47f4e4777198e197dc519c2d40b5dc32c2ffddfa240f5cef64f452f851434266a99261ea0a34065b2e11ebaff536e8bf24d6dd38

Filesize: 12KB
MD5: 93875b44398c62948decc62d45e84af9
SHA1: 7b4fed98b263cfb1bc1722d182cdbb6a96454cfa
SHA256: ced5a32e8b3d74ba04fd0e6ba432f7057554efb5e97e1c589d81c8457125d5b0
SHA512: fcf1bce36b71715c47b82f9fbe401125eb57d0776578ccef96e1363191e48c0b5c87c6a51c1c1e34b9ca71a3fe92deae6e937e5acd6fa94d3c951da8e1d0d168

Filesize: 342KB
MD5: 34f9b1a16658c547719ce5fc4b9d3ee0
SHA1: 7916b0c490b022f5fb5add5d7d64704d870f1005
SHA256: 9a50ed0007abd170d13d7d2a40c4590aadb0408181071bec6351dda3bbd3a036
SHA512: 1ce4eebee7e8108c81a6c0a4a75f833d664470d2410aa2560020165c5b9b683c09a5a0fd68611a5d8042904be9ed2139f2618843c0b6eb28991f58b62869deef