Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:26
Static task: static1
Behavioral task: behavioral1
Sample: 010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe
Resource: win10v2004-20241007-en
General
Target: 010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe
Size: 530KB
MD5: e1379ba20a0c2a7ef945b2f41e4f8de8
SHA1: 02977836018040a671fb14412ae2da93a788dd16
SHA256: 010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b
SHA512: cead85d3223ad16c001374188092bcd51a24f1ec161825ca09c3e919b1a569fa9be0dc674c06bc274842dd7cad2198f54d9b7cf29dd4c4610f9ff09067520bca
SSDEEP: 12288:1Mrey90+6INXaBA8ozfQEtXrnXFyCRYE8ZxtY3NgF8/D8fC:fyX6INXf8Af9pXnRYE8ztYK7K
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895113.exe: yara rule healer
- behavioral1/memory/3660-15-0x0000000000930000-0x000000000093A000-memory.dmp: yara rule healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Process jr895113.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE (3 IoCs)
- PID 3632: ziko3445.exe
- PID 3660: jr895113.exe
- PID 3108: ku715792.exe
Windows security modification (1 IoC)
Process jr895113.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
- 010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- ziko3445.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
- PID 3324: sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- 010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ziko3445.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- ku715792.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3660: jr895113.exe
- PID 3660: jr895113.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 3660 jr895113.exe: Token: SeDebugPrivilege
- PID 3108 ku715792.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1416 (010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe) wrote to memory of PID 3632 (ziko3445.exe)
- PID 1416 (010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe) wrote to memory of PID 3632 (ziko3445.exe)
- PID 1416 (010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe) wrote to memory of PID 3632 (ziko3445.exe)
- PID 3632 (ziko3445.exe) wrote to memory of PID 3660 (jr895113.exe)
- PID 3632 (ziko3445.exe) wrote to memory of PID 3660 (jr895113.exe)
- PID 3632 (ziko3445.exe) wrote to memory of PID 3108 (ku715792.exe)
- PID 3632 (ziko3445.exe) wrote to memory of PID 3108 (ku715792.exe)
- PID 3632 (ziko3445.exe) wrote to memory of PID 3108 (ku715792.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe (PID 1416), command line: "C:\Users\Admin\AppData\Local\Temp\010f82df02d1882b2c6eaf20b9e081acfaa6516b559136c7004334b7e21f932b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko3445.exe (PID 3632), command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko3445.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895113.exe (PID 3660), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895113.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715792.exe (PID 3108), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku715792.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe (PID 3324), command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
File 1
Filesize: 388KB
MD5: 976d25d13d596c75a10ba56e26a4ad75
SHA1: 9aa555135ad4fd3e1be6797282ab2384c7550a09
SHA256: 8dd93c8debbc414f03aa2474b7c60662bfcf38065fba1617bb0e1e6cf6851ebb
SHA512: 1bc82646dd764d7b62509058eb24f3dd12d29410994c19244324422d0c7ffc1f90c65dec92cb013abbaa1a599749a9c90353027bc6775a3a0829e2b640a417a5

File 2
Filesize: 11KB
MD5: ecaac2c7ac400479849800ac78638814
SHA1: 7182afc3594b6da3476dcf7e27c1700ef821f5c6
SHA256: 14c7ff4c1a51aff2666a65c5fc953360fc279492b2ecf9d0e60055ae4e661bcc
SHA512: 61c1b6e186b27d8cab49f99c9ab1926310e36f4bda30cb668bb3ea6f4dfef64cc0757ab3b15c53d390472f4e7260a2ff18f13cab66f41d562100e85600dc70f0

File 3
Filesize: 354KB
MD5: 5b7471c04fdd2bf85f9c7414e2d1b88d
SHA1: d28a587c0d27f169e32126241f86354c91ebefa0
SHA256: 90d9a829c42c06ac94fd973d9fe135772e9c643795250deab9ec6d0649e396c2
SHA512: 8310b86c36b8eda7af0278d1562ab9928aae6147f6ad2f65e55df415eb43f988c0e2fc75e46881f1a5823506e3b1c44585fa2d770e9b55bc0b1425508ce369c5