Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 00:38

Static task: static1
Behavioral task: behavioral1
Sample: 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
Resource: win10v2004-20241007-en
General
- Target: 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
- Size: 534KB
- MD5: 519d4dfee6d6073460722d83fc9a6c98
- SHA1: 300fbcd1fcc9acf48b6133ba263fd4c0a3e7c2be
- SHA256: 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d
- SHA512: 70cee8a3493c3087e455821db313b42413e95330f7c9a771e9dbf76a3960ddf1e9d61cffcb008528331fa44ee2368b5abe2957d7324fa94e0fd88977135a0a3a
- SSDEEP: 12288:KMryy90QyNEpRtGj12HYScdbb3WWIRs7l2igEpMrhz:cyGNEfm2433jusAnY8hz
Malware Config
Extracted
- Family: redline
- rosn
- 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x0009000000023c03-12.dat | healer
behavioral1/memory/3672-15-0x0000000000040000-0x000000000004A000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: jr624350.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr624350.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr624350.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr624350.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr624350.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr624350.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr624350.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/5012-22-0x0000000004B90000-0x0000000004BD6000-memory.dmp | family_redline
behavioral1/memory/5012-24-0x00000000051E0000-0x0000000005224000-memory.dmp | family_redline
behavioral1/memory/5012-34-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-38-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-88-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-86-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-84-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-82-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-80-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-78-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-76-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-74-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-72-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-70-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-68-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-66-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-64-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-60-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-58-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-56-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-54-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-52-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-50-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-48-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-46-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-44-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-42-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-40-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-36-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-32-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-30-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-28-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-62-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-26-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline
behavioral1/memory/5012-25-0x00000000051E0000-0x000000000521F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes: ziRX1796.exe, jr624350.exe, ku028797.exe
pid | Process
3808 | ziRX1796.exe
3672 | jr624350.exe
5012 | ku028797.exe

Windows security modification
Processes: jr624350.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr624350.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe, ziRX1796.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziRX1796.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | Process
3460 | sc.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: ziRX1796.exe, ku028797.exe, 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziRX1796.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku028797.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: jr624350.exe
pid | Process
3672 | jr624350.exe
3672 | jr624350.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: jr624350.exe, ku028797.exe
description | pid | Process
Token: SeDebugPrivilege | 3672 | jr624350.exe
Token: SeDebugPrivilege | 5012 | ku028797.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe, ziRX1796.exe
description | pid | Process | procid_target
PID 740 wrote to memory of 3808 | 740 | 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe | 85
PID 740 wrote to memory of 3808 | 740 | 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe | 85
PID 740 wrote to memory of 3808 | 740 | 39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe | 85
PID 3808 wrote to memory of 3672 | 3808 | ziRX1796.exe | 87
PID 3808 wrote to memory of 3672 | 3808 | ziRX1796.exe | 87
PID 3808 wrote to memory of 5012 | 3808 | ziRX1796.exe | 95
PID 3808 wrote to memory of 5012 | 3808 | ziRX1796.exe | 95
PID 3808 wrote to memory of 5012 | 3808 | ziRX1796.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39ee3ea72f6ee38fdd04e3e504358ae78826f7525abcbbf4c43a2c3af59c003d.exe"
  PID: 740
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRX1796.exe
    PID: 3808
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr624350.exe
      PID: 3672
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku028797.exe
      PID: 5012
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 3460
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Downloads
- Filesize: 392KB
  MD5: 09fe6ff05df5de6d5210e77a726373da
  SHA1: b6f4c516087879362bf3be58b633056ad55b1323
  SHA256: 55cb7ed0521fd0ff93b2d3ba7231ceb469f06b0964a67b1cc857d0afeb688c90
  SHA512: 999ef816cd0ab085386d35233c3f335fa89219517317aa4e8a884aff94f7467556883cfd179c51487223acccacdf4ff49b49e6d0161e7c104f939b3fe83f8df4
- Filesize: 12KB
  MD5: fb91eb9f56ec57168f60ae2e245db685
  SHA1: 6acebb1f996c7b387141d7faaf39600bd876abf1
  SHA256: 80bad4098fbf1079be9b5863cdd18e067807b9ada8b8102bb4dd6655e43abc76
  SHA512: 41623e457c33fc204bbe46649d3b2de48c60ed43a99b2bc1819bd8ef62d50c11abd797228eadca9435d0c5ae3f2d8e5da3e5268fbc7d4f6111828930f30a1d87
- Filesize: 319KB
  MD5: 9ae13ee0a939b2857533236343e09077
  SHA1: 3dbcd4caba2c2a3142264eca6580d3d988df0169
  SHA256: 243fa215f6d26afbea2848915e3c7010e4d4eb50d137fed90a0a040938b350eb
  SHA512: 9d5639ab105bc90d2434f8133a0e2a466954bec88aa412c002c6e78652eee7534d2a798aaa805d3378504fee27bbee91f8de332061e6c6c31a18e91a6094ef37