Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:13
Static task: static1
Behavioral task: behavioral1
Sample: a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe
Resource: win10v2004-20241007-en
General
Target: a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe
Size: 530KB
MD5: 55d3028cdabdd6dcd511f462d648b6c9
SHA1: bee78b575fab1a312a9fd47bf09cedbe11dad1cd
SHA256: a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc
SHA512: 901f052a681083d3e2f347c528dfb17d3d6895483a5bbf48f0ba47c75d700d20a74d521391ba46c5fb4edf555a79c296ac7a7f4c2ef13f6d727133890256d3f1
SSDEEP: 12288:pMryy90RoJxDCYTsHRcEcG7In5KTEQDqBK+IVudnQ3dcBBh4//:/yjxDsHRc7G7IQgQmUVCYSBhs/
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023c32-12.dat | healer
behavioral1/memory/4876-15-0x0000000000E80000-0x0000000000E8A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr921264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr921264.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr921264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr921264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr921264.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr921264.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/1680-22-0x0000000004B60000-0x0000000004BA6000-memory.dmp | family_redline
behavioral1/memory/1680-24-0x0000000004C30000-0x0000000004C74000-memory.dmp | family_redline
behavioral1/memory/1680-28-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-34-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-88-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-86-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-84-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-82-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-78-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-76-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-74-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-72-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-70-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-66-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-64-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-62-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-60-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-58-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-56-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-54-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-52-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-50-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-48-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-44-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-42-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-40-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-38-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-36-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-32-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-30-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-80-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-68-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-46-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-26-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/1680-25-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid | Process
4028 | zifa8819.exe
4876 | jr921264.exe
1680 | ku160113.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr921264.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zifa8819.exe
(The wextract_cleanup RunOnce entries are the standard cleanup mechanism of the Windows IExpress/WEXTRACT self-extractor, which schedules deletion of its temporary IXP*.TMP directory; they match the IXP000.TMP and IXP001.TMP extraction paths in the process tree and indicate a nested self-extracting package rather than a custom persistence routine.)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zifa8819.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku160113.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4876 | jr921264.exe
4876 | jr921264.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4876 | jr921264.exe
Token: SeDebugPrivilege | 1680 | ku160113.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4036 wrote to memory of 4028 | 4036 | a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe | 83
PID 4036 wrote to memory of 4028 | 4036 | a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe | 83
PID 4036 wrote to memory of 4028 | 4036 | a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe | 83
PID 4028 wrote to memory of 4876 | 4028 | zifa8819.exe | 84
PID 4028 wrote to memory of 4876 | 4028 | zifa8819.exe | 84
PID 4028 wrote to memory of 1680 | 4028 | zifa8819.exe | 93
PID 4028 wrote to memory of 1680 | 4028 | zifa8819.exe | 93
PID 4028 wrote to memory of 1680 | 4028 | zifa8819.exe | 93
Processes
1. C:\Users\Admin\AppData\Local\Temp\a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6950dc7f22b29d3d7c16eb7367b806756f439df693778306592bbe546cb19cc.exe"
   PID: 4036
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifa8819.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifa8819.exe
      PID: 4028
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr921264.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr921264.exe
         PID: 4876
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku160113.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku160113.exe
         PID: 1680
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 388KB
MD5: f841fec3f4df7083bf6de6ccf99515c1
SHA1: b79838110ef73b5c4ae43f4a3725cae1ff450770
SHA256: 8e2bf6237fa3cf2bfeda429c9cfaa555fe1abd00b5bc66f4757f8a1019eddffb
SHA512: 56230682973a3766f90dd0614c444bc836ec44ac2f4e0df97c6f47abbad7d9ed9213d12d818728aeb32c02902b9cdcc67d966c3f3442824bd8646f9fe52277f6

Filesize: 11KB
MD5: 51ca1ac1040845b78480127865ac0378
SHA1: 3bd4dd4d620728117aa090dc828d17da6f6eb8c8
SHA256: 27d0fa6fd2d83136684d43fc81540375e2e047e5a1aecd793a576879fd0fd781
SHA512: 4f9cabf1e71089acbcae35a180226b5fb4dd03f084bab03c85ac10a77545d0730d6cfbd8f80ed85e9337e6f2a99cc5431db90ce892fca908bb09d9c62d5b404d

Filesize: 354KB
MD5: de56f93ce99fbf36b7e5a61ae658957f
SHA1: f21d85b14bf3c6f15736476c45116654229db695
SHA256: 36e5ae30d1b625dda266cdb6b2581414d0cbdec060a379d57399787ed6ba7fa0
SHA512: 69430d624db52bb999075d01c5e857469e1ad96c0941b29a2919ae7b346aad2e17bdae6b438f3586601906c8d194331b4bab871560b9420d5e96aca401008ca5