Analysis

Max time kernel: 149s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-11-2024 01:35

Static task: static1
Behavioral task: behavioral1
Sample: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe
Resource: win10v2004-20241007-en
General

Target: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe
Size: 536KB
MD5: 8c5bc31110f153369d841d8c1db415d6
SHA1: 0042afb33eaad26f927c726c40176934183d44ee
SHA256: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752
SHA512: 3d51deec1debd3e6422117612eab27060b44a9f04e7160af724d90813a652464fb0858a4060c2f27535a23e473432ea749175f857d9d975ff47d23f24036716a
SSDEEP: 12288:sMrpy90aOFcgvzSJh5c7aXikNCzM3GAAe/Qq:Ny3g6O7aJNCyAe/Qq
Malware Config

Extracted

Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr831530.exe, yara_rule: healer
- resource: behavioral1/memory/3728-15-0x0000000000BA0000-0x0000000000BAA000-memory.dmp, yara_rule: healer

Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr831530.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr831530.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr831530.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr831530.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr831530.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr831530.exe)

These are the Defender policy values (HKLM\SOFTWARE\Policies\...) rather than the live settings; whether they take effect depends on the host's Tamper Protection state, so the write attempt itself is the detection signal, not the resulting Defender state.
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/4724-22-0x0000000002A30000-0x0000000002A76000-memory.dmp family_redline
- behavioral1/memory/4724-24-0x00000000053F0000-0x0000000005434000-memory.dmp family_redline
- behavioral1/memory/4724-88-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-86-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-84-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-83-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-80-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-78-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-76-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-72-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-70-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-68-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-66-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-64-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-62-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-60-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-58-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-54-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-52-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-50-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-48-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-46-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-44-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-42-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-38-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-36-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-34-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-32-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-30-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-28-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-74-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-56-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-40-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-26-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline
- behavioral1/memory/4724-25-0x00000000053F0000-0x000000000542F000-memory.dmp family_redline

Redline family
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 2240 zirU4155.exe
- 3728 jr831530.exe
- 4724 ku144836.exe

Windows security modification
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr831530.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (zirU4155.exe)

Both RunOnce values are the cleanup entries that wextract.exe (the self-extractor used by IExpress packages) registers so that its IXP###.TMP staging directory is deleted at the next logon. Together with the nested IXP000.TMP and IXP001.TMP directories they show that the sample is a two-layer self-extracting wrapper; they do not relaunch the payload, so this signature should not be read as payload persistence on its own.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zirU4155.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku144836.exe)
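The registry IoCs above (the Defender Real-Time Protection policy writes, the TamperProtection write, the wextract_cleanup RunOnce values and the NLS\Language reads) are the kind of events an analyst turns into triage rules. The script below is an added example, not part of the sandbox report or of any vendor tooling: it scores such records, ranking the Defender tampering high, separating the self-extractor cleanup entry from a genuine autostart, and treating the language-key read as weak evidence. The record layout `op|process|key|value name|data` is an assumption made for this script; the sample records are constructed from the report's IoCs plus two contrast cases that the report does not contain.

```python
r"""Triage registry events of the kinds this report lists.

Added example, not part of the sandbox report.  The record layout
'op|process|key|value name|data' is an assumption chosen for this script;
real sandbox and EDR exports differ.  SAMPLE_RECORDS is constructed from the
report's IoCs plus two marked contrast cases the report does not contain.
"""
import re
from dataclasses import dataclass

# Key paths copied from the report's IoCs (compared case-insensitively).
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
RUNONCE_WOW_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
RUNONCE_KEY_RE = re.compile(r"\\CurrentVersion\\RunOnce$", re.I)
# wextract.exe (the self-extractor behind IExpress packages) writes a RunOnce
# value of exactly this shape so its IXP###.TMP staging directory is deleted
# at next logon.  It removes the dropper's files instead of relaunching the
# payload, so it is scored below a genuine autostart entry.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 '
    r'"[^"]*\\IXP\d{3}\.TMP\\"$',
    re.I,
)


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low / info
    label: str
    process: str
    detail: str


def parse_record(line: str) -> list[str]:
    """Split 'op|process|key|value name|data'; name and data are empty for key opens."""
    fields = [f.strip() for f in line.split("|", 4)]
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return fields


def classify(line: str):
    """Map one record to a Finding, or None if no rule matches."""
    op, proc, key, name, data = parse_record(line)
    key_l, name_l = key.lower(), name.lower()
    if op == "Set value":
        if key_l == RTP_POLICY_KEY.lower() and name_l.startswith("disable") and data == "1":
            return Finding("high", "defender_realtime_disabled", proc, f"{name} = 1")
        if key_l == TAMPER_KEY.lower() and name_l == "tamperprotection" and data == "0":
            return Finding("high", "defender_tamper_protection_off", proc, "TamperProtection = 0")
        if RUN_KEY_RE.search(key):
            if (RUNONCE_KEY_RE.search(key)
                    and re.fullmatch(r"wextract_cleanup\d+", name, re.I)
                    and WEXTRACT_CLEANUP_RE.match(data)):
                return Finding("low", "iexpress_cleanup_runonce", proc,
                               f"{name} deletes a staging directory; not payload persistence")
            return Finding("medium", "autostart_persistence", proc, f"{name} -> {data}")
    elif op == "Key opened" and key_l == NLS_LANGUAGE_KEY.lower():
        return Finding("info", "system_language_discovery", proc,
                       "reads the system language; weak evidence on its own")
    return None


def triage(records):
    """One Finding per matching record, in input order."""
    return [f for f in map(classify, records) if f is not None]


def summarize(findings):
    """Count findings per label."""
    counts = {}
    for f in findings:
        counts[f.label] = counts.get(f.label, 0) + 1
    return counts


def av_disabler_processes(findings):
    """Processes that both disabled real-time protection and turned
    TamperProtection off, the combination the report attributes to jr831530.exe."""
    seen = {}
    for f in findings:
        seen.setdefault(f.process, set()).add(f.label)
    needed = {"defender_realtime_disabled", "defender_tamper_protection_off"}
    return sorted(p for p, labels in seen.items() if needed <= labels)


DROPPER = "9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00{}.TMP\"'
SAMPLE_RECORDS = [  # constructed from the report's IoCs
    f"Set value|jr831530.exe|{RTP_POLICY_KEY}|DisableBehaviorMonitoring|1",
    f"Set value|jr831530.exe|{RTP_POLICY_KEY}|DisableIOAVProtection|1",
    f"Set value|jr831530.exe|{RTP_POLICY_KEY}|DisableOnAccessProtection|1",
    f"Set value|jr831530.exe|{RTP_POLICY_KEY}|DisableRealtimeMonitoring|1",
    f"Set value|jr831530.exe|{RTP_POLICY_KEY}|DisableScanOnRealtimeEnable|1",
    f"Set value|jr831530.exe|{TAMPER_KEY}|TamperProtection|0",
    f"Set value|{DROPPER}|{RUNONCE_WOW_KEY}|wextract_cleanup0|{CLEANUP.format(0)}",
    f"Set value|zirU4155.exe|{RUNONCE_WOW_KEY}|wextract_cleanup1|{CLEANUP.format(1)}",
    f"Key opened|{DROPPER}|{NLS_LANGUAGE_KEY}||",
    f"Key opened|zirU4155.exe|{NLS_LANGUAGE_KEY}||",
    f"Key opened|ku144836.exe|{NLS_LANGUAGE_KEY}||",
    # Contrast case, not from the report: a genuine Run-key autostart (hypothetical process).
    r"Set value|hypothetical.exe|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Users\Admin\AppData\Roaming\updater.exe",
    # Contrast case, not from the report: an unrelated write that must score nothing.
    r"Set value|explorer.exe|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Hidden|1",
]

if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for f in found:
        print(f"[{f.severity:<6}] {f.label:<32} {f.process}: {f.detail}")
    print("summary:", summarize(found))
    print("AV disabler candidates:", av_disabler_processes(found))
```

Run as written, the script reports five `defender_realtime_disabled` findings and one `defender_tamper_protection_off`, all from jr831530.exe, which is the only process returned by `av_disabler_processes`; the two wextract_cleanup entries score low, and only the constructed Run-key value is reported as `autostart_persistence`. The policy-key comparison is exact on purpose: Defender also honours values written under the non-policy `HKLM\SOFTWARE\Microsoft\Windows Defender` tree, and a production rule would cover both paths.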
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 3728 jr831530.exe
- 3728 jr831530.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege 3728 jr831530.exe
- Token: SeDebugPrivilege 4724 ku144836.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
- PID 2360 wrote to memory of 2240: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe -> zirU4155.exe
- PID 2360 wrote to memory of 2240: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe -> zirU4155.exe
- PID 2360 wrote to memory of 2240: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe -> zirU4155.exe
- PID 2240 wrote to memory of 3728: zirU4155.exe -> jr831530.exe
- PID 2240 wrote to memory of 3728: zirU4155.exe -> jr831530.exe
- PID 2240 wrote to memory of 4724: zirU4155.exe -> ku144836.exe
- PID 2240 wrote to memory of 4724: zirU4155.exe -> ku144836.exe
- PID 2240 wrote to memory of 4724: zirU4155.exe -> ku144836.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe (level 1, PID 2360)
Command line: "C:\Users\Admin\AppData\Local\Temp\9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirU4155.exe (level 2, PID 2240)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirU4155.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr831530.exe (level 3, PID 3728)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr831530.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku144836.exe (level 3, PID 4724)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku144836.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 394KB
  MD5: 2201f315f2196b7b2c32c75e1f252e02
  SHA1: 9a05f9426d2c37410369c1baf79980a00122981d
  SHA256: 08889995bdb39b5920e9ca2df77c2638bff585753b53a8fda1a7ec02132b1eec
  SHA512: ed20cdfd5f6b153a17da8bc9676811edb6186d71746105e1baf0a76419c020fc149d86d2d059cb69ee0c323353a42fe1529d119c74d48a6e611b812835940a71

- Filesize: 13KB
  MD5: bfc4914c1d154d714a51126951cded5a
  SHA1: 21a3062f146c02130b09a9291f4e55504ded7d4f
  SHA256: 9cef3d78a925f48fecc2b2b427fd3c5784452eb3a9b340f7c8a1085fd9730917
  SHA512: bedf770131c479316f1934e95201fe9b1e8b756f6210877f2dda0a80ded705a3f18c103bfa572f35eec9cd11a41d1487fdc15d6c11e9460a2cc6c141fcc1ee43

- Filesize: 353KB
  MD5: 49a25beddfd767b6833cf7433d352636
  SHA1: e0be941d92078d72691e97016fd602863860581a
  SHA256: e9ed5f96acf16293f0c69ca9f21d690db73f318036ddab7a032c6a30664c12f3
  SHA512: 60b5dd4717a8acc43a36154d24bc135f9fc70b26cd4ed090e9a78e83c6d948161b7cc0198b421a0befefec73ec1ef192641d7c153ec179795d7896693d41f227