Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:04
Static task: static1
Behavioral task: behavioral1
Sample: e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe
Resource: win10v2004-20241007-en
General
Target: e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe
Size: 529KB
MD5: 8db7077d73099a17b8ba7f6e9af7d018
SHA1: f25a67af6048634a77b163f4d9933c6a394c8f9d
SHA256: e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d
SHA512: 8a38d3f3767fe84e7bd2caa4c1bcbc66f9b36697596d455d2b184e7a123d4f10789eb15f5bc957484bcdf183ebc3cfb461f60f6d72e678993856fc320f7a850e
SSDEEP: 12288:OMrey906CKGh2o2q7B6FFRueVtOyk4IenTnojj9NKGn:My1CKGMor7YFFowtBxXTnwKGn
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource  |  yara_rule
behavioral1/files/0x0008000000023c67-12.dat  |  healer
behavioral1/memory/4332-15-0x0000000000F00000-0x0000000000F0A000-memory.dmp  |  healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  |  ioc  |  Process
Set value (int)  |  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  |  jr286572.exe
Set value (int)  |  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  |  jr286572.exe
Set value (int)  |  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  |  jr286572.exe
Set value (int)  |  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  |  jr286572.exe
Set value (int)  |  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  |  jr286572.exe
Key created  |  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  |  jr286572.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
pid  |  Process
728  |  zied9492.exe
4332  |  jr286572.exe
4880  |  ku586553.exe
Windows security modification (1 IoCs)
description  |  ioc  |  Process
Set value (int)  |  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  |  jr286572.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description  |  ioc  |  Process
Set value (str)  |  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  |  e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe
Set value (str)  |  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  |  zied9492.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid  |  Process
1500  |  sc.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  |  ioc  |  Process
Key opened  |  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  |  e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe
Key opened  |  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  |  zied9492.exe
Key opened  |  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  |  ku586553.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  |  Process
4332  |  jr286572.exe
4332  |  jr286572.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  |  pid  |  Process
Token: SeDebugPrivilege  |  4332  |  jr286572.exe
Token: SeDebugPrivilege  |  4880  |  ku586553.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description  |  pid  |  Process  |  procid_target
PID 2160 wrote to memory of 728  |  2160  |  e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe  |  84
PID 2160 wrote to memory of 728  |  2160  |  e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe  |  84
PID 2160 wrote to memory of 728  |  2160  |  e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe  |  84
PID 728 wrote to memory of 4332  |  728  |  zied9492.exe  |  85
PID 728 wrote to memory of 4332  |  728  |  zied9492.exe  |  85
PID 728 wrote to memory of 4880  |  728  |  zied9492.exe  |  96
PID 728 wrote to memory of 4880  |  728  |  zied9492.exe  |  96
PID 728 wrote to memory of 4880  |  728  |  zied9492.exe  |  96
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6e5e196fbfaa4a85202fb131d63cf1eb879917e3be9d414670d142190b16a6d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2160
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zied9492.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zied9492.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 728
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr286572.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr286572.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4332
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku586553.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku586553.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4880
[depth 1] C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 1500
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 387KB
MD5: f2e841d9825bce941452cd4a4705fb44
SHA1: 8e49b724ae9a8048ae0854a016a65a84d23a672a
SHA256: fb1542d60b3f7e3d23212ce3dc00cd063e2355be893ea6d8d5259a1d61c70bba
SHA512: 116f89914f6f08b86b65acaead7a9810ac36622b1f9c3606978a0ec931b0cecdf375fd4b34516b05ad1655884e2e70a2d3aeb8b0df24d76d1b70f63dbaf531f4

Filesize: 12KB
MD5: 6f858ee16547a7381b4ecddc7127a656
SHA1: b9b4f2f7ec996af57b3f207b98a67bb19fd1036b
SHA256: a6f7fc155c50da283e5d9dd1789102cff9ba2b2dd8001b6cd7abe258dd768401
SHA512: e43a4d37b1eaac52848f09a3f3cacf110509e74050ae830098c7e7699973b7d0798eaa2466f86497dc0595e8d6e02305c0dd81db264b21209fd3d3d32c429a03

Filesize: 342KB
MD5: a01456712d8d79185143f2f145523df2
SHA1: 0450e0b082bf714d648f3e23707b43084696bef5
SHA256: 25573f531a6056635ecdfa5d925451ac7af23ef218e81ff891e1a3e2092bf777
SHA512: 0982a66e6f2c88852164a1601b693136a0b567cf245fb3c4802525acc8d522deb879facb0db609c61ed6f38f6ea260f2c26c5454a17492782947f1af70c4b8d7