Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:44
Static task: static1
Behavioral task: behavioral1
Sample: c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe
Resource: win10v2004-20241007-en

General
Target: c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe
Size: 534KB
MD5: 94f167e814ce25ff263d64413dacdb71
SHA1: fd6926797210a870024a3054108d8a656f31fcce
SHA256: c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922
SHA512: 30f80b9e6332e09ad8534f953780e0606a681426a8b9673539b8f696dd1ca73cee8287423018c65b8baa5199a56ec915ed0448f75745ba830a65e292a400fa76
SSDEEP: 12288:7Mriy90pQ09IhnMtFYXXKFzcbCWDYBwMMpP8YE:VyEQbnqFzUCMywnQ
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe | healer
behavioral1/memory/752-15-0x0000000000A40000-0x0000000000A4A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
process | description | ioc
jr960641.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
jr960641.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
jr960641.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
jr960641.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
jr960641.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
jr960641.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
These are the Group Policy locations (HKLM\SOFTWARE\Policies\...) that Defender reads ahead of its own preferences; the dropper creates the key itself because no policy is configured on the sandbox image. The sandbox records the writes, not whether Defender honored them; on a host with Tamper Protection enabled, registry-driven changes to real-time protection are ignored.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/3764-22-0x0000000002510000-0x0000000002556000-memory.dmp | family_redline
behavioral1/memory/3764-24-0x00000000050B0000-0x00000000050F4000-memory.dmp | family_redline
behavioral1/memory/3764-66-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-82-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-86-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-84-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-80-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-78-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-76-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-74-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-72-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-70-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-68-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-64-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-62-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-60-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-58-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-56-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-54-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-52-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-50-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-48-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-46-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-42-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-40-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-38-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-36-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-34-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-32-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-30-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-88-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-44-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-28-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-26-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
behavioral1/memory/3764-25-0x00000000050B0000-0x00000000050EF000-memory.dmp | family_redline
All hits are in PID 3764 (ku085498.exe); after the first two snapshots the rule keeps matching the same 0x50B0000-0x50EF000 region as it is re-dumped over time.

Redline family
Executes dropped EXE (3 IoCs)
pid | process
3460 | ziQC4532.exe
752 | jr960641.exe
3764 | ku085498.exe
Windows security modification (1 IoC)
process | description | ioc
jr960641.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Together with the Real-Time Protection policy writes above this is the Healer pattern: switch Tamper Protection off, then disable the real-time engine through policy values. Tamper Protection exists to block exactly this kind of registry-driven change, so the recorded write shows intent; it does not by itself show that protection was actually off on the target.
Adds Run key to start application (2 TTPs, 2 IoCs)
process | description | ioc
c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
ziQC4532.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Caveat: both values are the standard cleanup entries written by the Windows cabinet self-extractor (wextract, the IExpress stub). At next logon rundll32 calls advpack!DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory. They show that the sample and ziQC4532.exe are wextract-packed containers (hence the nested IXP000.TMP and IXP001.TMP directories); they are not a malware autostart, since the RunOnce command deletes files rather than launching them.
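The three registry signatures above (the Real-Time Protection policy values, TamperProtection = 0, and the two RunOnce entries) are the kind of events a Sysmon Event ID 13 (RegistryEvent: Value Set) feed delivers. The following is an added example, not code from the report or from any vendor tool: it normalises the hive prefixes the sandbox logs (\REGISTRY\MACHINE\...) and the WOW6432Node redirection, flags the Defender tampering, and tells a wextract cleanup RunOnce entry apart from a genuine autostart entry. The record layout (process, key, value, data) is an assumption made for the example; the records in SAMPLE_EVENTS mirror the report's IoC tables except for the last two, which are invented contrast cases.

```python
"""Classify registry 'Set value' events like the ones in the sandbox report.
Added example; not part of the report or of any vendor tooling."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class RegEvent:
    process: str  # image name of the writing process
    key: str      # key path exactly as logged (\REGISTRY\MACHINE\..., HKLM\..., ...)
    value: str    # value name
    data: str     # data written, rendered as a string


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    tag: str
    event: RegEvent


HIVE_ALIASES = {
    r"\REGISTRY\MACHINE": "HKLM",
    r"\REGISTRY\USER": "HKU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
}
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUN_KEY_RE = re.compile(
    r"^HK(?:LM|CU|U\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$",
    re.IGNORECASE)
# wextract's cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<temp>\IXPnnn.TMP\"
WEXTRACT_CLEANUP_RE = re.compile(
    r'rundll32(?:\.exe)?\s.*advpack\.dll,DelNodeRunDLL32\s+"?.*\\IXP\d{3}\.TMP', re.IGNORECASE)


def normalize_key(key: str) -> str:
    """Canonicalise the hive prefix and drop WOW6432Node so one rule matches
    32-bit and 64-bit writers alike."""
    for prefix, alias in HIVE_ALIASES.items():
        if key.upper().startswith(prefix.upper()):
            key = alias + key[len(prefix):]
            break
    key = re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.IGNORECASE)
    return key.rstrip("\\")


def classify(ev: RegEvent) -> Optional[Finding]:
    key = normalize_key(ev.key).lower()
    data = ev.data.strip('"')
    if key == RTP_KEY.lower() and ev.value.lower() in RTP_DISABLE_VALUES and data == "1":
        return Finding("high", "defender_realtime_protection_disabled", ev)
    if key == TAMPER_KEY.lower() and ev.value.lower() == "tamperprotection" and data == "0":
        return Finding("high", "defender_tamper_protection_off", ev)
    if RUN_KEY_RE.match(key):
        if WEXTRACT_CLEANUP_RE.search(data):
            # Self-extractor housekeeping: deletes the IXPnnn.TMP directory at next
            # logon. Evidence of a wextract/IExpress wrapper, not of persistence.
            return Finding("info", "wextract_cleanup_runonce", ev)
        return Finding("medium", "autostart_entry", ev)
    return None


def scan(events: List[RegEvent]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.tag for f in findings))


def tags_by_process(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Correlate per writer: one process that both turns TamperProtection off and
    disables real-time protection is the Healer pattern seen in this report."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.event.process, set()).add(f.tag)
    return out


def cleanup_cmd(n: int) -> str:
    return (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
            r'"C:\Users\Admin\AppData\Local\Temp\IXP%03d.TMP\"' % n)


RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
# Constructed records mirroring the report's IoC tables; the last two are invented contrast cases.
SAMPLE_EVENTS = [
    *[RegEvent("jr960641.exe", RTP, v, "1") for v in (
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable", "DisableBehaviorMonitoring",
        "DisableIOAVProtection", "DisableOnAccessProtection")],
    RegEvent("jr960641.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features",
             "TamperProtection", "0"),
    RegEvent("c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe", RUNONCE,
             "wextract_cleanup0", cleanup_cmd(0)),
    RegEvent("ziQC4532.exe", RUNONCE, "wextract_cleanup1", cleanup_cmd(1)),
    RegEvent("updater.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Users\Admin\AppData\Roaming\updater.exe"),
    RegEvent("notepad.exe", r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Notepad", "iWindowPosX", "100"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] {f.tag:40} {f.event.process} {f.event.value}")
    print(summarize(found))
    print(tags_by_process(found))
```

Run stand-alone it prints six high findings for jr960641.exe, two info findings for the wextract cleanup entries and one medium finding for the invented Run entry; the Notepad write produces nothing. Feeding real Sysmon data only requires mapping the event's Image, TargetObject (split into key and value name) and Details fields onto RegEvent.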
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
process | description | ioc
c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ziQC4532.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
ku085498.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Caveat: this key is opened by any process that resolves locale information, and two of the three hits here come from the self-extractor stubs, so on its own the signature is weak evidence; the hit that matters is the one from ku085498.exe, the RedLine payload.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
752 | jr960641.exe
752 | jr960641.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 752 | jr960641.exe
Token: SeDebugPrivilege | 3764 | ku085498.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 820 wrote to memory of 3460 | 820 | c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | ziQC4532.exe
PID 820 wrote to memory of 3460 | 820 | c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | ziQC4532.exe
PID 820 wrote to memory of 3460 | 820 | c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe | ziQC4532.exe
PID 3460 wrote to memory of 752 | 3460 | ziQC4532.exe | jr960641.exe
PID 3460 wrote to memory of 752 | 3460 | ziQC4532.exe | jr960641.exe
PID 3460 wrote to memory of 3764 | 3460 | ziQC4532.exe | ku085498.exe
PID 3460 wrote to memory of 3764 | 3460 | ziQC4532.exe | ku085498.exe
PID 3460 wrote to memory of 3764 | 3460 | ziQC4532.exe | ku085498.exe
Every write goes from a parent to the child it has just spawned, which is what CreateProcess does when it sets up a new process; there is no write into an unrelated process, so this is process-creation noise rather than injection.
Processes

Level 1, PID 820: C:\Users\Admin\AppData\Local\Temp\c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4ecd3a7c140cbc4b26410fe075fb5eb090f1fe2fd6fa0e2414b38a6c2a7a922.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2, PID 3460: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4532.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3, PID 752: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr960641.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Level 3, PID 3764: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku085498.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 392KB
MD5: 0c5145e81a61700e8d0da8e47b34059d
SHA1: 16fc010adfb17bad9da5e34a352a645791cd896d
SHA256: df2e4511945476602f3af5cc347bffdd1dacb41cf9d40a0c1727a9358bd7b9c1
SHA512: 7893485adcdcd4d56500045ce3c100daeda2dbf87bcacee4591e9cf32d820812e9b6a086b4fb6e48249bd9c2baf3c50527894a708cd9dcfb8648070f1417a2a5

Filesize: 11KB
MD5: 7f701014771a9ef8d06c498b3734cdb4
SHA1: 09c5b8d831f3940f1921d8e2cd00f1d464cb47dc
SHA256: b1f5b845cae48b901546620acb31987b7e081242a34b517d31f1589ef1ddb299
SHA512: 78af338bc4e9a309d76c43417970ba6c7a4f53fb730739cc118faf04aea7e2c4e69b98b8efdfc4699836fc2f0e8530e47742cf50efe8ca2a1cf066111d4f4d6d

Filesize: 319KB
MD5: 53bba0bc55ab1eee43ce020307b7cf8e
SHA1: 47a52eaeb0933f2924cce206a0931dadee719386
SHA256: 999dac0598925e1f9fbccc9fcaa8ce539d46bed5e40c1da4073e5ff9794a422c
SHA512: a400de016058e6c2596513b3096ffe3894afe04e77e8eadcf89cb4ee89ce02a8e2787b08da3559cb833dcc5645f001021b8819746372e4c26de48cccdcf194f5