Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:28
Static task
static1
Behavioral task
behavioral1
Sample
83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe
Resource
win10v2004-20241007-en
General
-
Target
83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe
-
Size
548KB
-
MD5
82a7ce1e00dd2bd014a9377728b4bb43
-
SHA1
1d9802d23b7fdd3eb056a4a3d4074261b01397af
-
SHA256
83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf
-
SHA512
33736400c369cd5a2cf2c797fc559d683ece26c7ba754edc9061330ea69a255160afb763cdc7928759d6f33c104d6308b7bb6547c10d2bfd52ae1b89867ae020
-
SSDEEP
12288:/MrIy90m3dxQZuvCkD+FbIgKV2eRdeDQBnNyTvtK/1:bytGg6yleDQBwvo1
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr408652.exe healer behavioral1/memory/4900-15-0x0000000000C60000-0x0000000000C6A000-memory.dmp healer -
Healer family
-
Processes:
jr408652.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr408652.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr408652.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr408652.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr408652.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr408652.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr408652.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource yara_rule behavioral1/memory/1020-22-0x0000000002800000-0x0000000002846000-memory.dmp family_redline behavioral1/memory/1020-24-0x00000000029E0000-0x0000000002A24000-memory.dmp family_redline behavioral1/memory/1020-38-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-88-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-86-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-84-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-82-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-80-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-78-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-76-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-74-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-72-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-70-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-68-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-66-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-64-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-62-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-58-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-56-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-54-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-52-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-50-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-48-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-46-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-44-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-42-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-40-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-36-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-34-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-32-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-30-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-28-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-60-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-26-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline behavioral1/memory/1020-25-0x00000000029E0000-0x0000000002A1F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
ziVQ4082.exejr408652.exeku112877.exepid process 2620 ziVQ4082.exe 4900 jr408652.exe 1020 ku112877.exe -
Processes:
jr408652.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr408652.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exeziVQ4082.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziVQ4082.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exeziVQ4082.exeku112877.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziVQ4082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku112877.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
jr408652.exepid process 4900 jr408652.exe 4900 jr408652.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
jr408652.exeku112877.exedescription pid process Token: SeDebugPrivilege 4900 jr408652.exe Token: SeDebugPrivilege 1020 ku112877.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exeziVQ4082.exedescription pid process target process PID 872 wrote to memory of 2620 872 83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe ziVQ4082.exe PID 872 wrote to memory of 2620 872 83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe ziVQ4082.exe PID 872 wrote to memory of 2620 872 83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe ziVQ4082.exe PID 2620 wrote to memory of 4900 2620 ziVQ4082.exe jr408652.exe PID 2620 wrote to memory of 4900 2620 ziVQ4082.exe jr408652.exe PID 2620 wrote to memory of 1020 2620 ziVQ4082.exe ku112877.exe PID 2620 wrote to memory of 1020 2620 ziVQ4082.exe ku112877.exe PID 2620 wrote to memory of 1020 2620 ziVQ4082.exe ku112877.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe"C:\Users\Admin\AppData\Local\Temp\83aa1c152fa566df19c05b9467c52ac7dce00910c726e598c4b7d18da4f8c3bf.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVQ4082.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVQ4082.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr408652.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr408652.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku112877.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku112877.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD50a5c1c26817e4b9a4b5678c7e4babc06
SHA1054d79279e8ed4214f323a2e6d5323c6f8cce31c
SHA2564c9e4709d6ef4225411f284d9a8b1942e36fffa0131640eebb59745a0e50f40e
SHA512549978af491767c41958a2ee9c492b095797b6a827f42bd82b58c390c16cadc4fd8a5b7dd08bf9c25c98904dd713e6c0962f4672c19c159a8b8cb7eadb0bf3aa
-
Filesize
11KB
MD567369e7b49da79f802e07489260ce88a
SHA19dfedc73f6ea2ab163aaa38ce118c5f125650af2
SHA256cd0f756e67b429b0d2d2b81ba12b7d8a5725cde7ab6c742f00109ebb98c9c7dd
SHA5126c30afb8caa5980d580902970bb6d33e7d92b36c2f5a76707b5ad0d5d6ecf7c851ea492ec28aa0e1c65952cb12d8bec12f1b596f7a05badfe6c64afa931bfedc
-
Filesize
348KB
MD54f2a747f3e5429597e18a6831a48cd69
SHA1147cc2c044ef0295eb52eee0692da7f2576eb6ff
SHA2560a75d3543bf158d130d0eb70f7cd6323d2ba546772a6e5a69b551eb8824e7a6f
SHA51264c187610ab12389f7caac722b38b7002ce5c243a456af0eb828fe719e6dac87864ceb30535b6a6e79e909f79c2baf5ba7984567182576b72765af952de6ce64