Analysis
Max time kernel: 143s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/11/2024, 05:16
Static task: static1
Behavioral task: behavioral1
  Sample: 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe
  Resource: win10v2004-20241007-en
General
Target: 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe
Size: 559KB
MD5: 0adf6cdfa53400d4ddad9088ec6936f3
SHA1: c81d1b43b1b4c857badf600b2363ec546c7737f3
SHA256: 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354
SHA512: da4f4860293ecff62b3583aa44e9766872f16764b78b4480cad3930e01b3654d90eddb93b4e31a1b79202fd31b789cf11b14ef7b44ef794bd1b4b94f25de31b0
SSDEEP: 12288:5MrMy90KcjXq89cyNaJrdIsoLIu3NbcR03qfCg41Y:Jy9c/cfuNIu3NbYfCg4+
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b8a-12.dat | healer
behavioral1/memory/3680-15-0x0000000000190000-0x000000000019A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr742437.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr742437.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr742437.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr742437.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr742437.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr742437.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3152 | ziQz2724.exe
3680 | jr742437.exe
2984 | ku417607.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr742437.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziQz2724.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku417607.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziQz2724.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3680 | jr742437.exe
3680 | jr742437.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3680 | jr742437.exe
Token: SeDebugPrivilege | 2984 | ku417607.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4528 wrote to memory of 3152 | 4528 | 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe | 83
PID 4528 wrote to memory of 3152 | 4528 | 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe | 83
PID 4528 wrote to memory of 3152 | 4528 | 6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe | 83
PID 3152 wrote to memory of 3680 | 3152 | ziQz2724.exe | 84
PID 3152 wrote to memory of 3680 | 3152 | ziQz2724.exe | 84
PID 3152 wrote to memory of 2984 | 3152 | ziQz2724.exe | 95
PID 3152 wrote to memory of 2984 | 3152 | ziQz2724.exe | 95
PID 3152 wrote to memory of 2984 | 3152 | ziQz2724.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f0540dddd4b9c4980c24218a04a59d975050778255f7c43aebd0b14024a5354.exe"
  PID: 4528
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQz2724.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQz2724.exe
    PID: 3152
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr742437.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr742437.exe
      PID: 3680
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku417607.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku417607.exe
      PID: 2984
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 405KB
  MD5: a86100383bed824324c450608298e0cf
  SHA1: 59d631e466aa3f5fa75cca68c173be040c90a7e5
  SHA256: 17b065fe9a3ede26f996cbf7438bba9d1ecf9b0708a5525f361a6cf9d70d7857
  SHA512: bd2c9267d60b05dee931d46855a11ad17f1aeb71ff45ff35069a0ec9e4c486aaf9b126847a93243e1a7eef436d83276562c95d9595b7e5c02f677f570cc1fb89
- Filesize: 12KB
  MD5: 6790fe3da77de30db2d6c91d9965aec2
  SHA1: 64cdb5b29da348b690e073e01a069c866c20883b
  SHA256: 302bc48c9de4ce530a7c19b920aa15b396e04b79d9cb7e187216f0f05d3c06ed
  SHA512: c3418316d77f8d71f825cadaa3cb6c37cc14a102da801129cbde15bd146f14410b7ec6b17f14b25b6f8b19f40163f0c16e73e195919bd4a6def7d4c1aa8e4566
- Filesize: 370KB
  MD5: d560fa891ae47604175219fa324ea57a
  SHA1: ec2ac147756d2a466c210b54378cb2c062e0447b
  SHA256: b47b63d4b8faa3326b729df994d3476ee340d10a25dda85fb4870afa9a0535d8
  SHA512: 1e0d8676b6c2fac926adf71d806ba7e30a872bec117c10be072d13c6ea683145f39df7b59f4a9df238694ea61a630e98010b2760495b85781e4da08526df3822