Analysis
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 02:05
Static task: static1

Behavioral task: behavioral1
  Sample: 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
  Resource: win10v2004-20241007-en
General
Target: 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
Size: 1.2MB
MD5: 233815be4aa63a05712b08d17a15c5bf
SHA1: 0d877859b9c88842ee64af0a3285a12e8d397d3a
SHA256: 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8
SHA512: e269cc24cbd16793eb6724f2bf6d603469311cc3745a5d27c4ed4af43806b8bf3fdfc3293238f9e6a31a6bf325017d919d442612a310da8b2ec730c2629d6475
SSDEEP: 24576:O0smSB4nN/h6IYD2IBE+QiOkhoZIOoJwHlP/SNhDvuEEGLSth/:O0Fu4nNYLDs1xkGZZFnwhzuEEGL
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 193.233.20.30:4125
Attributes: auth_value = 93c20961cb6b06b2d5781c212db6201e
Signatures

Detects Healer, an antivirus disabler dropper (19 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x0006000000019299-40.dat | healer
behavioral1/memory/2836-42-0x0000000000E60000-0x0000000000E6A000-memory.dmp | healer
behavioral1/memory/2604-55-0x0000000002C10000-0x0000000002C2A000-memory.dmp | healer
behavioral1/memory/2604-56-0x0000000002DD0000-0x0000000002DE8000-memory.dmp | healer
behavioral1/memory/2604-58-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-57-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-60-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-84-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-82-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-80-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-78-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-76-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-74-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-72-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-70-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-68-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-66-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-64-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
behavioral1/memory/2604-62-0x0000000002DD0000-0x0000000002DE2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | con1221.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | con1221.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | con1221.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | con1221.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | con1221.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (18 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1980-98-0x0000000004C40000-0x0000000004C86000-memory.dmp | family_redline
behavioral1/memory/1980-99-0x0000000004C80000-0x0000000004CC4000-memory.dmp | family_redline
behavioral1/memory/1980-109-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-129-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-127-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-125-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-123-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-121-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-119-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-117-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-115-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-113-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-111-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-107-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-105-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-103-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-101-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
behavioral1/memory/1980-100-0x0000000004C80000-0x0000000004CBE000-memory.dmp | family_redline
Redline family

Executes dropped EXE (6 IoCs)
Processes:
pid | Process
1708 | kino1892.exe
1732 | kino6318.exe
2336 | kino2854.exe
2836 | bus4051.exe
2604 | con1221.exe
1980 | dsn74s64.exe
Loads dropped DLL (13 IoCs)
Processes:
pid | Process
3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
1708 | kino1892.exe
1708 | kino1892.exe
1732 | kino6318.exe
1732 | kino6318.exe
2336 | kino2854.exe
2336 | kino2854.exe
2336 | kino2854.exe
2336 | kino2854.exe
2604 | con1221.exe
1732 | kino6318.exe
1732 | kino6318.exe
1980 | dsn74s64.exe
Windows security modification
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | bus4051.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | bus4051.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | con1221.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | con1221.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | kino1892.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kino6318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | kino2854.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kino2854.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | con1221.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dsn74s64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kino1892.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kino6318.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | Process
2836 | bus4051.exe
2836 | bus4051.exe
2604 | con1221.exe
2604 | con1221.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2836 | bus4051.exe
Token: SeDebugPrivilege | 2604 | con1221.exe
Token: SeDebugPrivilege | 1980 | dsn74s64.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes:
description | pid | Process | procid_target
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 3068 wrote to memory of 1708 | 3068 | 4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe | 30
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1708 wrote to memory of 1732 | 1708 | kino1892.exe | 31
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 1732 wrote to memory of 2336 | 1732 | kino6318.exe | 32
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2836 | 2336 | kino2854.exe | 33
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 2336 wrote to memory of 2604 | 2336 | kino2854.exe | 34
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
PID 1732 wrote to memory of 1980 | 1732 | kino6318.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4ed3a6ee78b487f150df86542685c682a274432af80d8c529822c308bd01a8f8.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3068

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1892.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1708

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6318.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1732

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2854.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2336

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4051.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2836

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con1221.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2604

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsn74s64.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1980
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 391KB
MD5: 715a7b0e3c0218dc84653285d8412b69
SHA1: 98da656a4dc77098db5fb61820bfa4d7d034990a
SHA256: 31d01e0dd4351edbcb072810ff3b143a54821432e168e116b6d5779d643a455a
SHA512: ed6cc658c470ad5d0c60c980d2e453e9fb240f47e649eed67ff4449210c07116d7582e60787a05bc866f443e40500875c66ae5e5b18d48607253febd0841787d

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 836KB
MD5: a9a4f433e19b950cd1a448a5353482c2
SHA1: b85853920b093c75410ebb1231625dea3f4df93a
SHA256: c2aaf884f1659fdbf4e44d1e3ec29617db6c52ce3ebd410ab8339a138481cb11
SHA512: 28e2bde5400eca3f5c318bc44cca4bc4a0daca069c5302923f51031a886c2573b9a0cce14158887ce278d0a89a367e5750bd1337b62a4d53d7a3fdd595f137a2

Filesize: 693KB
MD5: 28466bc0e58558080eec755e86b79ca6
SHA1: 0601116c08753c74c7fb7ef29c3454d5f26ee015
SHA256: 4e60bf62b5e1061afc332db5fbed020790cb25a81bf1b734640223809bc9a4cf
SHA512: d66be36fa54ede01457709c1d2d2590c5282c6363f79a5e4fe2cb97a2ad3ac47dbb9f2cde9d6d626b7de71d9651b68685a3bc32ffcf1c00e4df4bd35dbec4cd2

Filesize: 344KB
MD5: ac69bf292ea82d93a379ba646937ce4a
SHA1: ce731be984acd03a1f28fd0ec1c0af0f127c30b0
SHA256: 764d22383b64553d72efa57a9938ca30161a004029a4d28a3093f6a95657551e
SHA512: 291fd46f26297ce05cba59ff70d31c696dd9ff1eea7edf38c909dd0fa3545f6280412553987aaf7aa71fd66049418f04912db3ece2caa61e32dec7924e754b32

Filesize: 334KB
MD5: 1845d7115abbbded5df9b33cff8075e9
SHA1: 380706bc021b2ab8e70160d12a204322b8ffdf68
SHA256: 3173d3942a07773858280d66153c666a112b17e893c6ed5f21c5efcc193ad5c6
SHA512: 5b8018fc9c9158e419e924cfad719d3972ae3d723e858f158dd74a13cc208389b7adc40f726ae9db552598f98d1b97d258397ee64b681b78b35933873d8e1575