Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:14
Static task: static1
Behavioral task: behavioral1
Sample: c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe
Resource: win10v2004-20241007-en
General
Target: c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe
Size: 560KB
MD5: 8d205c781a97cf1b463a84bf612d17b8
SHA1: 582352d8853d4ea48d04cb910e6038c08dc21302
SHA256: c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711
SHA512: 6bbaf5d364fd1b09cc1ac73995884728b78c9b9027e04712f66c34dfa14224d1cc8dab324fa806a839c713eda51aea2a97aabc355e7309e40accf53066fd5fff
SSDEEP: 12288:VMrYy90deVTW3oIdU9R7IX0YVxMSuV3m7tNoeSh0:Fy4Ir7IX1MSR/s0
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b7a-12.dat | healer
behavioral1/memory/3896-15-0x00000000001D0000-0x00000000001DA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr796711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr796711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr796711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr796711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr796711.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr796711.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 3 IoCs
pid | Process
3452 | ziKk3467.exe
3896 | jr796711.exe
1900 | ku570096.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr796711.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziKk3467.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziKk3467.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku570096.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3896 | jr796711.exe
3896 | jr796711.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3896 | jr796711.exe
Token: SeDebugPrivilege | 1900 | ku570096.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1612 wrote to memory of 3452 | 1612 | c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe | 83
PID 1612 wrote to memory of 3452 | 1612 | c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe | 83
PID 1612 wrote to memory of 3452 | 1612 | c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe | 83
PID 3452 wrote to memory of 3896 | 3452 | ziKk3467.exe | 84
PID 3452 wrote to memory of 3896 | 3452 | ziKk3467.exe | 84
PID 3452 wrote to memory of 1900 | 3452 | ziKk3467.exe | 97
PID 3452 wrote to memory of 1900 | 3452 | ziKk3467.exe | 97
PID 3452 wrote to memory of 1900 | 3452 | ziKk3467.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c59c2c618f11614a9b0e815bef284cb03ee8f2cbd52e2519208d419ad099e711.exe"
  PID: 1612
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKk3467.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKk3467.exe
    PID: 3452
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr796711.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr796711.exe
      PID: 3896
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku570096.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku570096.exe
      PID: 1900
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 407KB
MD5: f67f1938f511d6f8bb2f2eca149aad3f
SHA1: 22e019885c8a527bc14ee52d5f9ea17ee50ce101
SHA256: 59bead83e900e191bb7c59c20ad4a971a4f2f48072a4303874cc6347ecce5d4e
SHA512: e677c699b621b12aad714308c8d5167e215cde883886ead3eb29b56fc34d28371df3e33973e650614dcbd09ab072607a5eb9af0c64a5e82a2f4f53cd0d86eb00

Filesize: 13KB
MD5: 7539f323ad6573cc5411163782a41686
SHA1: 6de3ad03894abe23362876287e805eb42750a7e5
SHA256: 5cb680352207537415a9e0703fde3f6bd4ab492813b4aaa8fbf21759d5a0bb6e
SHA512: 55c300e42eb779fbd4a0ce9d69b2ffec56a9f5d3c046d0c0e8bc3c556876c37af36b179867d7822480756b5b3362a0340e8ddbf1ddc04b1f3c5ae6d73abcd35b

Filesize: 370KB
MD5: 4cde0b577e98c27e4c4e2e990744d72a
SHA1: 1c67a4774bdaa5ee203e90ddf8f8826c547ab6ab
SHA256: 17bb62d634eed5396997c945266901c3cf8ff788f3ec433bcba670c657a83266
SHA512: a972aa28f3aac90a603c5c39df4bbc4f03aebbd488a1615257ef23dd505c56a854fc089033d00f55138a1dddba19eb6c658b9da6c96ea0275cbbe9f39915585e