Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:16
Static task: static1
Behavioral task: behavioral1
Sample: e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe
Resource: win10v2004-20241007-en
General
Target: e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe
Size: 530KB
MD5: 8a3d49d23c51d5e3ef460effc0e92c91
SHA1: 53ee2e6ba0fec988d4c12b38546e5914b90808a7
SHA256: e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1
SHA512: 742d411e735ccbe182d3490371a965c0c0b5699d5bb384026fa9671ce9de684e2ba9b529c85e118a82ba03a7511c4858569f5a7caef4f22ec41eee50c6127c60
SSDEEP: 6144:Kjy+bnr+ap0yN90QEMug1ZHHaZvSOVkotJuyEBktv8UNk8Hz7478sTN4/PjSShvD:9Mr6y90WZ6pBE+pkM/u8sJkSeo0DKxW
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b96-12.dat | healer
behavioral1/memory/4524-15-0x00000000006E0000-0x00000000006EA000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr117199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr117199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr117199.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr117199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr117199.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr117199.exe
RedLine
RedLine Stealer is an information-stealing malware family written in C# (.NET), first seen in early 2020 and sold as malware-as-a-service. It harvests browser credentials, cookies, cryptocurrency wallet data and host details and reports to the C2 address carried in its embedded configuration (extracted above).
RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/944-22-0x0000000004A80000-0x0000000004AC6000-memory.dmp | family_redline
behavioral1/memory/944-24-0x0000000007190000-0x00000000071D4000-memory.dmp | family_redline
behavioral1/memory/944-34-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-36-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-32-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-76-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-48-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-30-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-28-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-26-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-25-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-88-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-86-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-84-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-82-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-80-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-78-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-74-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-72-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-70-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-68-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-66-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-64-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-62-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-60-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-58-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-56-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-54-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-52-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-50-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-46-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-44-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-42-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-41-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
behavioral1/memory/944-38-0x0000000007190000-0x00000000071CF000-memory.dmp | family_redline
Redline family
Executes dropped EXE 3 IoCs
pid | Process
2880 | ziLi3938.exe
4524 | jr117199.exe
944 | ku214496.exe
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr117199.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziLi3938.exe
Both values are the cleanup entries that the Windows IExpress (WEXTRACT) self-extractor stub writes for its IXPnnn.TMP staging directory; advpack.dll's DelNodeRunDLL32 removes that directory at the next logon. They show that the outer sample and ziLi3938.exe are nested IExpress packages, not a malware-authored autostart; the payloads are the two executables extracted into IXP001.TMP (jr117199.exe, flagged as Healer, and ku214496.exe, flagged as RedLine).
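The three registry tables above (the Real-Time Protection policy values, the TamperProtection flag, and the RunOnce cleanup entries) are the events a detection engineer would want to match on an endpoint. The following is an added example written for this page, not code from the sandbox or from the report. It classifies constructed records shaped like Sysmon Event ID 13 (RegistryEvent SetValue: Image, TargetObject, Details), built from the IoCs above, normalises the sandbox's \REGISTRY\MACHINE\ paths to the HKLM\ form Sysmon logs, and separates genuine Defender tampering from the IExpress cleanup entries. The record layout, the field names and the two benign control events are assumptions made for the example.

```python
"""Classify registry SetValue events built from this report's IoCs.

Added example for this page, not code from the report or the sandbox.
Records are constructed in the shape of Sysmon Event ID 13 (RegistryEvent
SetValue): Image, TargetObject, Details. Sandbox-style \\REGISTRY\\MACHINE\\
paths are normalised to the HKLM\\ form Sysmon writes.
"""
from dataclasses import dataclass

RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Values Healer sets to 1 under the policy key above (taken from the report).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_SUFFIX = r"\Microsoft\Windows\CurrentVersion\RunOnce"


@dataclass(frozen=True)
class RegEvent:
    image: str    # writing process (Sysmon 'Image')
    target: str   # key path plus value name (Sysmon 'TargetObject')
    details: str  # Sysmon renders DWORDs as 'DWORD (0x00000001)'


def normalise(path: str) -> str:
    """Map the sandbox's NT registry prefix onto the HKLM form Sysmon uses."""
    nt = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(nt):
        return "HKLM\\" + path[len(nt):]
    return path


def dword(details: str):
    """Parse 'DWORD (0x00000001)' -> 1; None for non-DWORD data (e.g. strings)."""
    if details.startswith("DWORD (0x") and details.endswith(")"):
        return int(details[len("DWORD ("):-1], 16)
    return None


def classify(ev: RegEvent):
    """Return a finding tag for one event, or None if it is not interesting."""
    key, _, value = normalise(ev.target).rpartition("\\")
    k = key.lower()
    if k == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and dword(ev.details) == 1:
        return "defender_realtime_disabled"
    if k == TAMPER_KEY.lower() and value == "TamperProtection" and dword(ev.details) == 0:
        return "defender_tamper_protection_off"
    if k.endswith(RUNONCE_SUFFIX.lower()):
        # wextract_cleanupN pointing at advpack DelNodeRunDLL32 is the IExpress
        # self-extractor scheduling removal of its IXPnnn.TMP directory: evidence
        # of SFX packaging, not attacker-authored persistence.
        if value.startswith("wextract_cleanup") and "DelNodeRunDLL32" in ev.details:
            return "iexpress_sfx_cleanup"
        return "runonce_autostart"
    return None


def detect(events):
    """Return (tag, writer image, value name) for every event that matters."""
    out = []
    for ev in events:
        tag = classify(ev)
        if tag:
            out.append((tag, ev.image, normalise(ev.target).rpartition("\\")[2]))
    return out


# Constructed sample: the report's IoCs plus two benign control events.
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe"
SAMPLE = [
    RegEvent(JR, r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000001)"),
    RegEvent(JR, RTP_POLICY_KEY + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegEvent(JR, TAMPER_KEY + r"\TamperProtection", "DWORD (0x00000000)"),
    RegEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    # controls (assumed benign): an admin re-enabling real-time monitoring, and an unrelated DWORD
    RegEvent(r"C:\Windows\regedit.exe", RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\explorer.exe", r"HKCU\Software\Contoso\Setting", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE):
        print(*row)
```

Run as-is to list the four hits from the constructed sample (two real-time protection values, the TamperProtection flag, and the RunOnce cleanup entry tagged as informational). The writer's image path is carried through on purpose: the same policy values are legitimate when Group Policy sets them, so a triage rule should weight a DWORD 1 written by an executable under %TEMP%\IXPnnn.TMP very differently from one written by the policy engine.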
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziLi3938.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku214496.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4524 | jr117199.exe
4524 | jr117199.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4524 | jr117199.exe
Token: SeDebugPrivilege | 944 | ku214496.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2076 wrote to memory of 2880 | 2076 | e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe | 83
PID 2076 wrote to memory of 2880 | 2076 | e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe | 83
PID 2076 wrote to memory of 2880 | 2076 | e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe | 83
PID 2880 wrote to memory of 4524 | 2880 | ziLi3938.exe | 84
PID 2880 wrote to memory of 4524 | 2880 | ziLi3938.exe | 84
PID 2880 wrote to memory of 944 | 2880 | ziLi3938.exe | 93
PID 2880 wrote to memory of 944 | 2880 | ziLi3938.exe | 93
PID 2880 wrote to memory of 944 | 2880 | ziLi3938.exe | 93
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e63d83f97928105429aaaf903d883bc38b97b4da489689471b1eff0860a950d1.exe"
    PID: 2076
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLi3938.exe
      PID: 2880
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr117199.exe
        PID: 4524
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku214496.exe
        PID: 944
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 388KB
MD5: 7ae88c5d0b16e24c11b2b7fc193c8da1
SHA1: 5044b75b8f3cad9c9276cdf9f76595028d6a1390
SHA256: c85f1fb580e1df77ffb3ab2c2e1d90cb2d09b5a295c2d5ca914cdb6eeeabf4aa
SHA512: ad600faa4f9f47f108eff38a5a7e58590d84daf275612a38f16898930dcff51e64202b993f09896d78f075b49166b1b15a7fb8412c9ccb6b9336b1d37e1b7795

Filesize: 11KB
MD5: 8b6ba4a9bce622ab6c2382f237094790
SHA1: 5aa259129e10b8aebcc3901f358d7691a9c7b489
SHA256: 5f45ef1c639aa7a86920811f451d3dfd28dda4072095a33f45211a948697f863
SHA512: 24323f4e99ce982f339585ee3fd38557d17d75082e73db51b98cc07e65486c0a25e917282147123c7f65c5ec472fd4a42fffc7a47c5e6017880635d112bdd7c3

Filesize: 355KB
MD5: 5ef0693cb43dbe4e7dfa7ebd20873d0b
SHA1: 3b589818fd017cd1a2730d4e9662d51f1de9bfc2
SHA256: c14ffcc37b9ba5d0127b3fe47247326a990c901f8930097040035acf0b7c5067
SHA512: 8d25f1b2d5666a15cd6638370732fbf5ab4ecb5eccd76028721de196c647f4113134e3cb7383a69d563742f2e9133243992e90bf41e9d09d04355019da7793f0