Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:35
Static task: static1
Behavioral task: behavioral1
Sample: 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe
Resource: win10v2004-20241007-en
General
Target: 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe
Size: 560KB
MD5: 41f7e6200b6fa0809125ab71a3a5f6b6
SHA1: e6f25f817d299d829008a35c43a98d17ab428e05
SHA256: 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e
SHA512: 0180ceb5cad4020253c3a6df44788953cb8e154e645df31a083b246d1199bdb78048e907dea3d965fee473732877d8759358b76c53cc8936af9f74f04b3c11b1
SSDEEP: 12288:EMrwy90g8Vj8uxsP2Q05gvZ220GS2h3vZ4GoPGdV7:MyL8VjWZOgR22rf3hv5/7
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1416-15-0x00000000002E0000-0x00000000002EA000-memory.dmp | healer
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr397995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr397995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr397995.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr397995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr397995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr397995.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2668-22-0x00000000027E0000-0x0000000002826000-memory.dmp | family_redline
behavioral1/memory/2668-24-0x0000000004E20000-0x0000000004E64000-memory.dmp | family_redline
behavioral1/memory/2668-32-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-30-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-28-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-26-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-25-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-46-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-88-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-86-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-85-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-82-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-81-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-78-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-74-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-72-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-70-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-66-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-64-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-62-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-60-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-58-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-56-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-54-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-52-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-50-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-44-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-42-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-40-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-38-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-36-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-34-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-76-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-68-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
behavioral1/memory/2668-48-0x0000000004E20000-0x0000000004E5F000-memory.dmp | family_redline
Redline family
Executes dropped EXE (3 IoCs)
Processes:
pid | process
2896 | zipG3882.exe
1416 | jr397995.exe
2668 | ku181363.exe
Windows security modification (1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr397995.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zipG3882.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zipG3882.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku181363.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1416 | jr397995.exe
1416 | jr397995.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1416 | jr397995.exe
Token: SeDebugPrivilege | 2668 | ku181363.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 3348 wrote to memory of 2896 | 3348 | 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe | zipG3882.exe
PID 3348 wrote to memory of 2896 | 3348 | 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe | zipG3882.exe
PID 3348 wrote to memory of 2896 | 3348 | 3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe | zipG3882.exe
PID 2896 wrote to memory of 1416 | 2896 | zipG3882.exe | jr397995.exe
PID 2896 wrote to memory of 1416 | 2896 | zipG3882.exe | jr397995.exe
PID 2896 wrote to memory of 2668 | 2896 | zipG3882.exe | ku181363.exe
PID 2896 wrote to memory of 2668 | 2896 | zipG3882.exe | ku181363.exe
PID 2896 wrote to memory of 2668 | 2896 | zipG3882.exe | ku181363.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe (PID 3348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b9b6be08022faa402737b82cc3aee06b8adda6c54d9884fb841fc4408fde07e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe (PID 2896, child of 3348)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipG3882.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe (PID 1416, child of 2896)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr397995.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe (PID 2668, child of 2896)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku181363.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 406KB
MD5: 453caf4621b7526ca21145b49d2182ba
SHA1: c3635af0cba2e6116e3929d5f7709256ee48c83c
SHA256: 6e901c14b05d47af830581d7cd25acb6f700fe4acd93c4308b6c827423153608
SHA512: 299fa64b1aa8a66a53f58eb47df810d5bf3eaf24401ab409a16504042a506334bafe996668d0398de95dd83e820242f0aa07a489b7cdb5cb8684f513aaa3a0f2

Filesize: 11KB
MD5: b78b5dc0c84dc01601e6c148f8630fbd
SHA1: a60b5a7c82be01561245f1c7d4f3fb5db3b0d0df
SHA256: ae8d23ea29924ba92b9bff0a42c084d7a9099b3a3a7323f0452f88faa210ef7b
SHA512: 7d3189336a486852068fb968ede4c90e0dd6006f341c28ea1a26b5f299d354d0dd1612ff5d88340f802da613188186b14da0a0b0ba76cfc40645ca201d56e12f

Filesize: 372KB
MD5: fbe17bf3c93046aa153d79a8b2da1ff9
SHA1: 8d46ee807f4e5e2e8e8e49704af4f09be8ef2ea3
SHA256: bdfd37922ec2f475fd64694052767b7e81c5994570e967f0a3536936849de712
SHA512: de1f1cf28f4b5bd9765d02b9981425401563a5480843b8204b12cfbd37fd3773d5d613d179ed3331e3a970813d1d49614ee24c1d215acea129af813b574530e9