Analysis
max time kernel: 142s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:06
Static task: static1
Behavioral task: behavioral1
Sample: 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe
Resource: win10v2004-20241007-en
General
Target: 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe
Size: 1005KB
MD5: 9ce451537135de1aca37dd0a74935dcd
SHA1: 3afede24e8c651eff921bb8813fd09a939cc0b2a
SHA256: 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e
SHA512: 8802c04362a0a1d60666d4bd19ac60f26f0dbcd282d7021b7a393733d75607390d12e8f90cce5c0d361716b35b25a6ab7d73a55c8fe22d8fb9840b736c0ed4df
SSDEEP: 24576:kybvmv8/JcYDcCNrwebxx9ZEcB2DMT/v4d:zV/JcScGws7Vzv
Malware Config
Extracted
Family: redline
Botnet: down
C2: 193.233.20.31:4125
Attributes: auth_value = 12c31a90c72f5efae8c053a0bd339381
Signatures
Detects Healer, an antivirus disabler dropper 19 IoCs
resource yara_rule
behavioral1/files/0x000b000000023b80-26.dat healer
behavioral1/memory/3688-28-0x0000000000A10000-0x0000000000A1A000-memory.dmp healer
behavioral1/memory/232-34-0x0000000002480000-0x000000000249A000-memory.dmp healer
behavioral1/memory/232-36-0x0000000004A80000-0x0000000004A98000-memory.dmp healer
behavioral1/memory/232-37-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-48-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-64-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-62-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-60-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-58-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-54-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-53-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-50-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-46-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-44-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-42-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-40-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-38-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
behavioral1/memory/232-56-0x0000000004A80000-0x0000000004A92000-memory.dmp healer
Healer family
Modifies Windows Defender Real-time Protection settings 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" cor7376.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" cor7376.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bus8535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bus8535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bus8535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bus8535.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bus8535.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bus8535.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection cor7376.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" cor7376.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" cor7376.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" cor7376.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource yara_rule
behavioral1/memory/3296-72-0x0000000002300000-0x0000000002346000-memory.dmp family_redline
behavioral1/memory/3296-73-0x00000000050E0000-0x0000000005124000-memory.dmp family_redline
behavioral1/memory/3296-79-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-87-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-107-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-105-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-101-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-99-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-97-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-96-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-93-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-91-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-90-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-85-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-83-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-81-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-103-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-77-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-75-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
behavioral1/memory/3296-74-0x00000000050E0000-0x000000000511E000-memory.dmp family_redline
Redline family
Executes dropped EXE 6 IoCs
pid Process
764 kino7013.exe
2156 kino9492.exe
5112 kino1171.exe
3688 bus8535.exe
232 cor7376.exe
3296 dRy02s07.exe
Windows security modification 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bus8535.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features cor7376.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" cor7376.exe
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kino7013.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" kino9492.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" kino1171.exe
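The three registry signatures in this report (the Real-Time Protection policy values set to "1", TamperProtection set to "0", and the wextract_cleanup RunOnce entries that point rundll32 at advpack.dll's DelNodeRunDLL32 for each IXP00n.TMP directory) are easiest to act on as a small rule set run over the report's own event lines. The Python below is an added example written for this page, not code from the sandbox or from the malware; it parses lines in the report's `Set value (type) \REGISTRY\... = "value" process.exe` layout, folds the WOW6432Node view onto the native key path so that a 32-bit and a 64-bit dropper hit the same rule, and tags each matching write. The sample events are copied from this report with two constructed negatives added (a value of "0" and a "Key created" row); the rule names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: registry events in the report's own
# 'Set value (type) \REGISTRY\... = "value" process.exe' layout. Four rows are
# copied from the report; the last two are constructed negatives.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" cor7376.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bus8535.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bus8535.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" benign.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bus8535.exe',
]

# type, key path (may contain spaces, so non-greedy up to ' = "'), value, process.
# The value is matched greedily so embedded \" escapes stay inside it.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

# Rule constants on the normalized (lower-case, HKLM, no WOW6432Node) path.
DEFENDER_RTP = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
TAMPER_KEY = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    key: str
    value: str


def normalize_key(raw: str) -> str:
    """Lower-case, map \\REGISTRY\\MACHINE to HKLM, drop the WOW6432Node hop."""
    key = raw.lower()
    key = key.replace("\\registry\\machine\\", "hklm\\")
    key = key.replace("\\wow6432node\\", "\\")
    return key


def classify(key: str, value: str) -> Optional[str]:
    """Hypothetical rule names; return None when the write is not of interest."""
    value_name = key.rsplit("\\", 1)[-1]
    if key.startswith(DEFENDER_RTP) and value_name.startswith("disable") and value == "1":
        return "defender_realtime_protection_disabled"
    if key == TAMPER_KEY and value == "0":
        return "defender_tamper_protection_off"
    if "\\currentversion\\runonce\\wextract_cleanup" in key and "delnoderundll32" in value.lower():
        return "wextract_runonce_cleanup"
    return None


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (normalized key, value, process) or None for rows with no value."""
    m = EVENT_RE.match(line)
    if not m:
        return None  # "Key created" / "Key opened" rows carry no value
    _vtype, key, value, process = m.groups()
    return normalize_key(key), value, process


def triage_registry_events(lines) -> List[Finding]:
    findings = []
    for line in lines:
        parsed = parse_event(line.strip())
        if parsed is None:
            continue
        key, value, process = parsed
        rule = classify(key, value)
        if rule:
            findings.append(Finding(rule, process, key, value))
    return findings


if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.process:20} {f.key}")
```

Matching on the normalized path is the point: cor7376.exe (writing under WOW6432Node) and bus8535.exe (writing the native path) produce the same finding. Whether a write under WOW6432Node reaches the key Defender actually reads depends on WOW64 redirection for that key, so treat such a hit as tampering intent rather than proof that protection was switched off; the native-path writes by bus8535.exe need no such caveat. A value of "0" under Real-Time Protection is deliberately not flagged, since that re-enables the feature, and TamperProtection is flagged only when set to "0".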
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kino7013.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kino9492.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kino1171.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cor7376.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dRy02s07.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
3688 bus8535.exe
3688 bus8535.exe
232 cor7376.exe
232 cor7376.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 3688 bus8535.exe
Token: SeDebugPrivilege 232 cor7376.exe
Token: SeDebugPrivilege 3296 dRy02s07.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4892 wrote to memory of 764 | 4892 | 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe | 84
PID 4892 wrote to memory of 764 | 4892 | 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe | 84
PID 4892 wrote to memory of 764 | 4892 | 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe | 84
PID 764 wrote to memory of 2156 | 764 | kino7013.exe | 86
PID 764 wrote to memory of 2156 | 764 | kino7013.exe | 86
PID 764 wrote to memory of 2156 | 764 | kino7013.exe | 86
PID 2156 wrote to memory of 5112 | 2156 | kino9492.exe | 87
PID 2156 wrote to memory of 5112 | 2156 | kino9492.exe | 87
PID 2156 wrote to memory of 5112 | 2156 | kino9492.exe | 87
PID 5112 wrote to memory of 3688 | 5112 | kino1171.exe | 88
PID 5112 wrote to memory of 3688 | 5112 | kino1171.exe | 88
PID 5112 wrote to memory of 232 | 5112 | kino1171.exe | 97
PID 5112 wrote to memory of 232 | 5112 | kino1171.exe | 97
PID 5112 wrote to memory of 232 | 5112 | kino1171.exe | 97
PID 2156 wrote to memory of 3296 | 2156 | kino9492.exe | 100
PID 2156 wrote to memory of 3296 | 2156 | kino9492.exe | 100
PID 2156 wrote to memory of 3296 | 2156 | kino9492.exe | 100
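The seventeen WriteProcessMemory rows are the flat form of the tree shown in the Processes section: each row is a parent writing into a child it has just created, and the sandbox logs one row per write, so the same parent/child pair repeats. The Python below is an added example written for this page, not sandbox code; it de-duplicates the rows, joins them with the "Executes dropped EXE" pid/name pairs, and rebuilds the tree with the level numbers the report shows. Treating every write edge as a parent-to-child relation is an assumption; it holds for this report because each row's writer is also the child's creator, as the Processes section confirms. The sample rows are a subset copied from this page with one duplicate kept on purpose.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input, copied from the report's "Suspicious use of
# WriteProcessMemory" rows (a subset; the first row is kept twice to show
# de-duplication) and its "Executes dropped EXE" pid/name pairs.
WRITE_EVENTS = """
PID 4892 wrote to memory of 764 4892 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe 84
PID 4892 wrote to memory of 764 4892 2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe 84
PID 764 wrote to memory of 2156 764 kino7013.exe 86
PID 2156 wrote to memory of 5112 2156 kino9492.exe 87
PID 5112 wrote to memory of 3688 5112 kino1171.exe 88
PID 5112 wrote to memory of 232 5112 kino1171.exe 97
PID 2156 wrote to memory of 3296 2156 kino9492.exe 100
"""
DROPPED = "764 kino7013.exe 2156 kino9492.exe 5112 kino1171.exe 3688 bus8535.exe 232 cor7376.exe 3296 dRy02s07.exe"

# writer pid, target pid, writer pid again, writer image, sandbox target id
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")

Edges = Dict[int, Tuple[int, str]]  # child pid -> (parent pid, parent image)


def parse_edges(text: str) -> Edges:
    """One entry per child; repeated rows for the same pair collapse."""
    edges: Edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child, parent_name, _target = m.groups()
        edges[int(child)] = (int(parent), parent_name)
    return edges


def parse_names(text: str) -> Dict[int, str]:
    """'pid name pid name ...' -> {pid: name}."""
    toks = text.split()
    return {int(p): n for p, n in zip(toks[::2], toks[1::2])}


def build_tree(edges: Edges, names: Dict[int, str]):
    """Return (roots, children map, names incl. parents learned from edges)."""
    names = dict(names)
    children: Dict[int, List[int]] = defaultdict(list)
    for child, (parent, parent_name) in edges.items():
        names.setdefault(parent, parent_name)
        children[parent].append(child)
    roots = [p for p in children if p not in edges]
    return roots, children, names


def depth(pid: int, edges: Edges) -> int:
    """1 for a root, +1 per ancestor, matching the report's level numbers."""
    d = 1
    while pid in edges:
        pid = edges[pid][0]
        d += 1
    return d


def render(roots, children, names) -> List[str]:
    lines: List[str] = []

    def walk(pid: int, level: int) -> None:
        lines.append(f"{'  ' * (level - 1)}{level}. {names.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, level + 1)

    for root in roots:
        walk(root, 1)
    return lines


if __name__ == "__main__":
    e = parse_edges(WRITE_EVENTS)
    print("\n".join(render(*build_tree(e, parse_names(DROPPED)))))
```

The rebuilt tree shows the shape an analyst wants from this report: a straight wextract chain (2d3c...exe, kino7013, kino9492, kino1171) with the two Healer components (bus8535, cor7376) launched by the innermost extractor and the RedLine payload (dRy02s07) launched one level up by kino9492.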
Processes
1. C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2d3c174563a5657e25737a228ba313f3f7602f65adb1a2506f5b4bf7433b616e.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:4892
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7013.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:764
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9492.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID:2156
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1171.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:5112
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8535.exe
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               PID:3688
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7376.exe
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               PID:232
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRy02s07.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:3296
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 823KB
MD5: 570dd305660eca093e1784a864ea1ad5
SHA1: 0aeaed648472b42cb436bc7d8142e03fbe591cb6
SHA256: f4c291cb1ec7df991fbb2b9adac537e7956d262d92d50c3829cfa824058b661b
SHA512: 9f4ed7174d17da17f887357432689b780daf8525db5097cb3fc63a82ec88f97fb9c2efdbcba1ce6479cb04071e375e1ff2c86282f535711010f0ac73b1d6b0c3

Filesize: 681KB
MD5: 80d2bacba68ec9dd5841bb3c8d356055
SHA1: 610e66e03d42ece00e942770566b7464d766571e
SHA256: ed53879b7b89ea9927d775f1f6a0e544c3040fe9248d5786b98b1b3cc0ea30e9
SHA512: 5bfe93c81194ce76599adfca3bb9c5fb150504c31adc43d5a1688f531a350c17d74cf73ac89a2f66aede23836c1114dcef3a7b8edd7f433a96651717dd46e261

Filesize: 470KB
MD5: a36d8541e6bf00b56e6c2b9990833bcf
SHA1: 9f1fc299eb443ceb8801dda3b939ddc2275cb43a
SHA256: cb3d2b46de974c63aae6bd4537bc5f95cadaca52ca08ad8274c1add817f81daa
SHA512: 823fef42ff2594781524a1d584f9ced7349a64927242253ad3f16f81a8e68d3ebaf6939d1584584107cea3a017c21e8fbbe9cefd53fdf3711225a77c4f347c39

Filesize: 337KB
MD5: ee72c631338fad60efd2ed9de67e96f8
SHA1: 1993d8d86b5af095ff7f052f38a5228a1a5695ce
SHA256: d5b776ca6f2991e94f80eae424fb4710ee0431182cd4210c2b80b8206ebda1ab
SHA512: 0828282df18fd826116a1913993fadee30402e787e6f082ca63ee99c1e671f322ec90162683c7cdb17a3859e278c5bf70fd48dcac6a5778fe6de82862da165f5

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 411KB
MD5: 3e1e1d0dc6be7d3ad3c50e164e79aa5a
SHA1: 1875e9b16f548098ae0ca1a892a6c3962197e784
SHA256: d60f628516102a2a7e57b722c18752f1f8c70ff059d4ba86fe86db3dbaf1a64e
SHA512: 34b9318db017de4142f0b6a6b4116707a9a2593eb5a7db9d38e1b75bff86f084657d0cfdeeeb7be7c406db972e426192b7d953e43487bd4a4bf223cbbce45c0b