Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 00:37

Static task: static1

Behavioral task: behavioral1
Sample: eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe
Resource: win10v2004-20241007-en
General
Target: eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe
Size: 534KB
MD5: f27c3a44077d86d1241a828198edb25e
SHA1: 9c9c1de87743f48abc5313158b956744428ef891
SHA256: eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17
SHA512: a8ee872c284b2afd2a132d149c574def25a9fd241f9542f77ab7d763721012e6ac36969ccdb9324ad4d075c616c151f8728a940f9f3b93f95aa59977f19b2b8e
SSDEEP: 12288:8Mrqy90xiysURW8IAU9zNZRrnOzcPq8ejga/Hyypa3cC:2y9UR2JNZRjOQPq84gCyyc
Malware Config
Extracted
  redline
  rosn
  176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/files/0x0008000000023cbc-12.dat                                   healer
  behavioral1/memory/4508-15-0x0000000000250000-0x000000000025A000-memory.dmp   healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
  description       ioc                                                                                                                      Process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"          jr259004.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"      jr259004.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"      jr259004.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"    jr259004.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                      jr259004.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"      jr259004.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1184-22-0x0000000002400000-0x0000000002446000-memory.dmp   family_redline
  behavioral1/memory/1184-24-0x0000000004A90000-0x0000000004AD4000-memory.dmp   family_redline
  behavioral1/memory/1184-38-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-40-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-64-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-60-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-58-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-54-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-52-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-50-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-48-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-46-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-44-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-42-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-36-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-34-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-32-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-30-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-56-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-28-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-26-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline
  behavioral1/memory/1184-25-0x0000000004A90000-0x0000000004ACF000-memory.dmp   family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes:
  pid    Process
  2316   ziKS0509.exe
  4508   jr259004.exe
  1184   ku241737.exe

Windows security modification
Processes:
  description       ioc                                                                                    Process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   jr259004.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description       ioc                                                                                                                                                                                                       Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   ziKS0509.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                         Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ziKS0509.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ku241737.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    Process
  4508   jr259004.exe
  4508   jr259004.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid    Process
  Token: SeDebugPrivilege   4508   jr259004.exe
  Token: SeDebugPrivilege   1184   ku241737.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid    Process                                                                  procid_target
  PID 4624 wrote to memory of 2316   4624   eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe   83
  PID 4624 wrote to memory of 2316   4624   eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe   83
  PID 4624 wrote to memory of 2316   4624   eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe   83
  PID 2316 wrote to memory of 4508   2316   ziKS0509.exe                                                             85
  PID 2316 wrote to memory of 4508   2316   ziKS0509.exe                                                             85
  PID 2316 wrote to memory of 1184   2316   ziKS0509.exe                                                             93
  PID 2316 wrote to memory of 1184   2316   ziKS0509.exe                                                             93
  PID 2316 wrote to memory of 1184   2316   ziKS0509.exe                                                             93
Processes
1  C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eb2b024f3cf020f0bc5e16f2801a5b6427cd55fbeec71a84f6c4494001033b17.exe"
   PID: 4624
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKS0509.exe
      PID: 2316
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr259004.exe
         PID: 4508
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku241737.exe
         PID: 1184
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 380KB
MD5: dc0d71bf9a02f9a3a3b1fef4e0e05017
SHA1: cdfb2382ad11f7db4e9e54e65e23d9b9648789be
SHA256: 4eac5a3e91e1ae821fe627ec1a3b49a2e67a2a939efa6810501ed27de8af3468
SHA512: ac0241e240bd06fe1db993d09a2d454003b467733b79b3cb440e445dcb2da59d66283a37d5d0be9b6853bd096a192ae8e1cbc2c1669ff2e0f02d2e0976e21eb3

Filesize: 11KB
MD5: a3d71b9db9a228e626df3b5448dbc524
SHA1: dd2ad4854f7c11066100938da37eca086361d2aa
SHA256: ef335f42bc51496098c0e43a8670e7bc724ca58dff29fd839c489f03c7cb038f
SHA512: f3a9eaa3155828b648e6d167d8f4d50a9b2f06e5eb3e5f5499738f299aaa04ed9aa17557fd7334176680ed3dd99b684433c8d0ada10c2fc1dff5e071e9dff1cf

Filesize: 295KB
MD5: b4edb1a1dc8641e4633706e116ccd813
SHA1: 2c180deda8bfefe89736a218b76f93a6b730c08d
SHA256: ea1115aea50b6cfa335d5d4c5cc7f2cb541782810bfee3193fc06850cc0cd714
SHA512: 91113e688cc2814c068fd0dfd956d0240d6d17d61af7bc94e178656d3a97ba2d0e2557b28ebe327e7fcb93c9c59634c8f10d225d2c023c56ae6b28172185b3c2