Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:38
Static task: static1
Behavioral task: behavioral1
Sample: 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe
Resource: win10v2004-20241007-en
General
Target: 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe
Size: 1.0MB
MD5: c40866b8cc6324b234958d8611de3e61
SHA1: 63616736d158ec488652d6289e0ec2fbc00ed4d5
SHA256: 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845
SHA512: bd83daccd4974d4a1bbd0d8eeea5f7fd0f88772737bebac6dcdac4e59a640a366c8705161b25b66bc0a4093fe1e2ec7d5a6183d5f7e9010db1cc71aeecad6493
SSDEEP: 24576:OyCynJOQej1KL4n2f9bXADxrkcUMhcqx5HZFiq:d9nJgjw0ybXI6cUM+S5HZF
Malware Config
Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe | healer
behavioral1/memory/4448-28-0x00000000005C0000-0x00000000005CA000-memory.dmp | healer
behavioral1/memory/1356-34-0x0000000004840000-0x000000000485A000-memory.dmp | healer
behavioral1/memory/1356-36-0x0000000007810000-0x0000000007828000-memory.dmp | healer
behavioral1/memory/1356-37-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-64-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-62-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-60-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-58-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-56-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-54-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-52-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-50-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-48-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-47-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-44-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-42-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-40-0x0000000007810000-0x0000000007822000-memory.dmp | healer
behavioral1/memory/1356-38-0x0000000007810000-0x0000000007822000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (12 IoCs)
Processes: bu150905.exe, cor8709.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bu150905.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bu150905.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bu150905.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bu150905.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | cor8709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | cor8709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | cor8709.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bu150905.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bu150905.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | cor8709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | cor8709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cor8709.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource | yara_rule
behavioral1/memory/1660-72-0x0000000004C40000-0x0000000004C86000-memory.dmp | family_redline
behavioral1/memory/1660-73-0x0000000007750000-0x0000000007794000-memory.dmp | family_redline
behavioral1/memory/1660-83-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-89-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-107-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-105-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-101-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-99-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-97-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-95-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-93-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-91-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-87-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-85-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-81-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-79-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-103-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-77-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-75-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
behavioral1/memory/1660-74-0x0000000007750000-0x000000000778E000-memory.dmp | family_redline
Redline family

Executes dropped EXE (6 IoCs)
Processes: kina7555.exe, kina5697.exe, kina5865.exe, bu150905.exe, cor8709.exe, duq74s84.exe
pid | process
760 | kina7555.exe
2432 | kina5697.exe
2684 | kina5865.exe
4448 | bu150905.exe
1356 | cor8709.exe
1660 | duq74s84.exe

Windows security modification (3 IoCs)
Processes: bu150905.exe, cor8709.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bu150905.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | cor8709.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | cor8709.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe, kina7555.exe, kina5697.exe, kina5865.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | kina7555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kina5697.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | kina5865.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe, kina7555.exe, kina5697.exe, kina5865.exe, cor8709.exe, duq74s84.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kina7555.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kina5697.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kina5865.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cor8709.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | duq74s84.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: bu150905.exe, cor8709.exe
pid | process
4448 | bu150905.exe
4448 | bu150905.exe
1356 | cor8709.exe
1356 | cor8709.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: bu150905.exe, cor8709.exe, duq74s84.exe
description | pid | process
Token: SeDebugPrivilege | 4448 | bu150905.exe
Token: SeDebugPrivilege | 1356 | cor8709.exe
Token: SeDebugPrivilege | 1660 | duq74s84.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe, kina7555.exe, kina5697.exe, kina5865.exe
description | pid | process | target process
PID 5060 wrote to memory of 760 | 5060 | 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe | kina7555.exe
PID 5060 wrote to memory of 760 | 5060 | 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe | kina7555.exe
PID 5060 wrote to memory of 760 | 5060 | 57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe | kina7555.exe
PID 760 wrote to memory of 2432 | 760 | kina7555.exe | kina5697.exe
PID 760 wrote to memory of 2432 | 760 | kina7555.exe | kina5697.exe
PID 760 wrote to memory of 2432 | 760 | kina7555.exe | kina5697.exe
PID 2432 wrote to memory of 2684 | 2432 | kina5697.exe | kina5865.exe
PID 2432 wrote to memory of 2684 | 2432 | kina5697.exe | kina5865.exe
PID 2432 wrote to memory of 2684 | 2432 | kina5697.exe | kina5865.exe
PID 2684 wrote to memory of 4448 | 2684 | kina5865.exe | bu150905.exe
PID 2684 wrote to memory of 4448 | 2684 | kina5865.exe | bu150905.exe
PID 2684 wrote to memory of 1356 | 2684 | kina5865.exe | cor8709.exe
PID 2684 wrote to memory of 1356 | 2684 | kina5865.exe | cor8709.exe
PID 2684 wrote to memory of 1356 | 2684 | kina5865.exe | cor8709.exe
PID 2432 wrote to memory of 1660 | 2432 | kina5697.exe | duq74s84.exe
PID 2432 wrote to memory of 1660 | 2432 | kina5697.exe | duq74s84.exe
PID 2432 wrote to memory of 1660 | 2432 | kina5697.exe | duq74s84.exe
Processes

1 C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\57ad4ebec76047e3786ae119a4552b19642c69708624a5b042b9ecca75114845.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5060

  2 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7555.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 760

    3 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5697.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2432

      4 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5865.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2684

        5 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu150905.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4448

        5 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8709.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1356

      4 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duq74s84.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 1660
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 846KB
MD5: efb3f7dc161a980e456767d77368a79e
SHA1: 9cb493384739fa7374b59b90a07f3a0e035e102a
SHA256: a285e62fef72b6de5eecc96dc727000f5e8d8f9be475e79bf3d3e5ecee2615bc
SHA512: d0da782caa79bd816068bd69aa36163871fd017537c4fcb7ce0ce4bc9420ba400e9c4bf3baa6b570be8c1a735c69076063a2dcf64d1ab990fa53c9eb02f59633

Filesize: 703KB
MD5: c731cc53eea4acd32d993915f3ff28cc
SHA1: 7fe81dcfcefc02afc7d96e324d54b4a250abf457
SHA256: 1f150415d7dcf2c4937fa6fab682f5748ca2640598df038c8da66e44462d2a3e
SHA512: 1bf8ce97b75aa81176b6edb270d1714e75662d899a3128fae4e22ce8d58003180a1d79903ff7c2364ee465cb4c0eb42c70ac3ff3885198895e6a5ed7b155d43b

Filesize: 379KB
MD5: 0ba5cbdd0ae133b438180d8f299db198
SHA1: fceb77aa6bc73a7f895cea66d49bdf07f32f5aa8
SHA256: 612f5412574413a534d354b6509913c7f37c7a0be0b70b018421b7d4818e189a
SHA512: 55632d62bb53d771d8d97e3f91679aba35fe1f7f4d38556de17ac38c80b44065fa6f7a008ad813b1509e6f8d9095a0e7a1c45d80cfa80335c6c7f0c30790b03c

Filesize: 349KB
MD5: 327dc9193b963c200221a720d1bffc1e
SHA1: 753cb3f124a24d4e3692c1d3937d000f1fe1a6fa
SHA256: 2f8d7eb778622fb4eaac2939258a3d66b727b06f0a844924fa34301525a88883
SHA512: 54495b7e3c432e7c7db244b14e8ba9f703bcd9d2a0c5ba6b8c6e537dc14483d5c9338132b4dbbcae791ec1757cc4419750abbbde2d4a41833164010bf84943f6

Filesize: 12KB
MD5: 27754cfee83f58407b0f9370231925df
SHA1: 39fef764c432230ae410b34499c87a35183bd13d
SHA256: a04d5f834d98e1fc85d778bee473c067c2d832b9958a183f429a331580582838
SHA512: fd8a4c5f0a9343bc0e296f230a47d83f3d7758c253fef271fd15021ca66cd05d02dd6ac286aecc8d3a470ab02c81464b451db35b96b0553072a307b992a04a39

Filesize: 322KB
MD5: d8145143160f8b068d6fcf7e69d56b1a
SHA1: 253ce4c0fc9f01cbb91e27308c1e8bebe57987b3
SHA256: a7bccee8157d7739190295bf131dbe2c9bf87e6bc2e47fb43626b1ad62a7c043
SHA512: 207b8bd47f90b48a8e5ddc218952866dc5fba4d422fd43b619a2e3c0d24ed3a9dc1fe25d039d24e5bef3a62d87760a6b13d8efc3a97ac4b6d9d5564d4351700c