Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:06
Static task: static1
Behavioral task: behavioral1
Sample: 6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe
Resource: win10v2004-20241007-en
General
Target: 6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe
Size: 533KB
MD5: 5ea25d0fb1c378c1ed9363cb006e7b37
SHA1: b68a61b3ca1043fefd6c1fd9767566d0872d65d1
SHA256: 6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437
SHA512: 033ff2059dbdeb00aa8620720bd66e198d9078339215f633f8dd2540530fa4131033dd15bfe65c8efed13f74a52dd01b9082dc57bc87ae239b962b87cb55c8fd
SSDEEP: 12288:WMrYy90R82+jc2eDMVQzCTInHAFLGEGOburaSiEycE/S8Q:ay2+QPMVQzkeifbrSilc2lQ
Malware Config
Extracted: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x000b000000023b9a-12.dat (yara_rule: healer)
- behavioral1/memory/2200-15-0x0000000000F40000-0x0000000000F4A000-memory.dmp (yara_rule: healer)
Healer family
Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr635052.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr635052.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr635052.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr635052.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr635052.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr635052.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
- PID 3712: ziQd5799.exe
- PID 2200: jr635052.exe
- PID 4248: ku845070.exe
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr635052.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ziQd5799.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku845070.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ziQd5799.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2200: jr635052.exe
- PID 2200: jr635052.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2200 (jr635052.exe)
- Token: SeDebugPrivilege, PID 4248 (ku845070.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 3480 wrote to memory of 3712 (6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe, procid_target 83)
- PID 3480 wrote to memory of 3712 (6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe, procid_target 83)
- PID 3480 wrote to memory of 3712 (6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe, procid_target 83)
- PID 3712 wrote to memory of 2200 (ziQd5799.exe, procid_target 84)
- PID 3712 wrote to memory of 2200 (ziQd5799.exe, procid_target 84)
- PID 3712 wrote to memory of 4248 (ziQd5799.exe, procid_target 92)
- PID 3712 wrote to memory of 4248 (ziQd5799.exe, procid_target 92)
- PID 3712 wrote to memory of 4248 (ziQd5799.exe, procid_target 92)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3480

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQd5799.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQd5799.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3712

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr635052.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr635052.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2200

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku845070.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku845070.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4248
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 391KB
  MD5: 966db888c737048a3b94f4f3ba611adf
  SHA1: 6764bbe581c694d1091cabcc045e0cd563c6fda4
  SHA256: 3b14d0c66b1dfc197426847bdf0fdebc41a94178a15ade8cc032300d89dadb52
  SHA512: 452ad1e4142fee83364ec885975f4f4bc8c9b6d86d446c905f45ea38f630eea281d4cd0e746fe5336a9f6e2743441c3106d3542e9e39fc0b98c34bd74bc418a9
- Filesize: 11KB
  MD5: b1012939445665048847458f18e14b06
  SHA1: 09fddb3f24f89d154dac1acda18a8582b439765e
  SHA256: e135361042ba8f18b123c3797892db31a74ae696747214968cc22b27c1d362e8
  SHA512: 3a441f9e06d1cecfe439369013c24cef115ff261b2e94af8270ae0e9d1910bc9f329cdceb82eed3141a14dc6f6b1a9a7efe0a6ce4e7f861f1d683d9dc6bc0b08
- Filesize: 318KB
  MD5: 221061fdddeef5fc266a4476d50c34fc
  SHA1: e42041f27eacc744ca3a483a764e08cdf5322058
  SHA256: a8ba9853d3df05560fc9323ce0d439abebd999cc19d830089105915cff1a5bfd
  SHA512: 558e19cc472715de0930600716c0e2a8efdef23d200719af9646a8341f22f4a131bb89d5b6566dbf72013465e734eab3a11ed80a163abf92c3ddaef113534ad5