Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:40
Static task: static1
Behavioral task: behavioral1
Sample: 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe
Resource: win10v2004-20241007-en
General
Target: 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe
Size: 559KB
MD5: 07b76e56d013b70571aa6d593701045a
SHA1: 4811aab2d66addf6f2fb369c6d13f9d3db8e07fa
SHA256: 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd
SHA512: af99bb224a49996fdf673c7e4fa8b33e8fd1c4970f986f3a430e800371db5a1d08baf191998f0dcced318b1065d003267a7bb8f47ab744577af04a5ffa366e0d
SSDEEP: 12288:5Mr7y90Jr/SjyLQqEsLDSxUFagg9MFuJwds/Qz/W/DDhV69xg:eym+jlUlg9MEj/QTaDNV69K
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attribute auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
YARA rule "healer" matched:
- behavioral1/files/0x0008000000023c90-12.dat
- behavioral1/memory/4484-15-0x00000000008E0000-0x00000000008EA000-memory.dmp

Healer family

Modifies Windows Defender Real-time Protection settings
All writes below are by jr533923.exe (PID 4484). The key is the Defender real-time protection policy key (the values Group Policy itself writes), so these settings turn off real-time protection by policy rather than through the Windows Security UI toggle; the same process also sets TamperProtection = "0" (see "Windows security modification" below).
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
All hits are YARA rule "family_redline" on memory dumps of PID 5048 (ku743758.exe):
- behavioral1/memory/5048-22-0x0000000004E80000-0x0000000004EC6000-memory.dmp
- behavioral1/memory/5048-24-0x00000000054F0000-0x0000000005534000-memory.dmp
- behavioral1/memory/5048-N-0x00000000054F0000-0x000000000552F000-memory.dmp, for N in 25, 26, 28, 30, 32, 34, 36, 39, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 83, 84, 86, 88 (33 dumps of the same region)

Redline family
Executes dropped EXE (3 IoCs)
- PID 3616: ziTi2861.exe
- PID 4484: jr533923.exe
- PID 5048: ku743758.exe

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" by jr533923.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" by 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" by ziTi2861.exe
Caveat: these two RunOnce values are the standard cleanup entries written by the Windows self-extractor (wextract, used by IExpress packages); at the next logon they delete the IXP00N.TMP extraction directory through advpack.dll's DelNodeRunDLL32. They show that the sample and ziTi2861.exe are nested self-extracting archives, not that the payload persists through a Run key.
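The two registry signatures above (the Defender real-time protection and tamper protection writes by jr533923.exe, and the wextract_cleanup RunOnce entries) are the kind of event stream a detection engineer would want to triage automatically. The following is an added example, not code from the report or from the sandbox vendor: a small Python detector that parses event lines in the "Set value (type) key\name = "data" process" layout used on this page, groups them by process, and separates Healer-style Defender tampering from self-extractor cleanup entries that a generic "Run key" signature also fires on. The first eight sample lines are this report's own events with the JSON escaping removed; the ninth (evil.exe writing a Run value named Updater pointing at svc.exe) is a constructed counter-example and not from the report.

```python
import re
from collections import defaultdict

# Registry-write events in the layout used by the signature tables above:
#   Set value (<type>) <key>\<value name> = "<data>" <process>
# The first eight are the events from this report (backslashes and quotes unescaped);
# the last one is a constructed counter-example of genuine Run-key persistence.
EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr533923.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr533923.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr533923.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr533923.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr533923.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr533923.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" ziTi2861.exe',
    # Constructed, hypothetical persistence entry (process, value name and path are made up).
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Roaming\svc.exe" evil.exe',
]

# type, key path, value name, data, writing process
EVENT_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "(.*)" (\S+)$')

RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# wextract/IExpress cleanup: rundll32 advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?[^"]*\\IXP\d{3}\.TMP\\?"?$',
    re.IGNORECASE)


def parse_event(line):
    """Split one 'Set value' line into its fields; return None for any other layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, key, name, data, proc = m.groups()
    return {"type": vtype, "key": key, "name": name, "data": data, "process": proc}


def analyze(lines):
    """Group registry writes by process and collect the findings that matter here."""
    findings = defaultdict(lambda: {
        "rtp_disabled": [],            # Real-Time Protection policy values set to 1
        "tamper_protection_off": False,
        "run_keys": [],                # (name, data) under Run/RunOnce that is not cleanup
        "wextract_cleanup": [],        # RunOnce entries that are self-extractor cleanup
    })
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = findings[ev["process"]]
        key = ev["key"].lower()
        if key == RTP_KEY.lower() and ev["name"].startswith("Disable") and ev["data"] == "1":
            f["rtp_disabled"].append(ev["name"])
        elif key == TAMPER_KEY.lower() and ev["name"] == "TamperProtection" and ev["data"] == "0":
            f["tamper_protection_off"] = True
        elif RUN_KEY_RE.search(ev["key"]):
            if WEXTRACT_CLEANUP_RE.match(ev["data"]):
                f["wextract_cleanup"].append(ev["name"])
            else:
                f["run_keys"].append((ev["name"], ev["data"]))
    return dict(findings)


def verdict(f):
    """Defender tampering outranks persistence, which outranks self-extractor cleanup."""
    if f["rtp_disabled"] or f["tamper_protection_off"]:
        return "av-disabler"
    if f["run_keys"]:
        return "run-key-persistence"
    if f["wextract_cleanup"]:
        return "self-extractor-cleanup"
    return "none"


if __name__ == "__main__":
    for proc, f in analyze(EVENTS).items():
        print(f"{proc}: {verdict(f)} {f}")
```

Run as-is, the script reports jr533923.exe as "av-disabler" (all five Real-Time Protection values plus TamperProtection = 0), the sample and ziTi2861.exe as "self-extractor-cleanup", and only the constructed evil.exe line as "run-key-persistence". The cleanup pattern is matched on the value data rather than the value name, because the wextract_cleanupN name is trivial for malware to reuse while the advpack.dll,DelNodeRunDLL32 command on an IXP00N.TMP path is what the self-extractor actually writes.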
Launches sc.exe (1 IoC)
sc.exe is the Windows utility for controlling services on the system.
- PID 3204: sc.exe (command line "sc.exe start wuauserv"; it appears as a top-level process in the tree below, not as a child of the sample)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ziTi2861.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ku743758.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4484: jr533923.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 4484, jr533923.exe
- Token SeDebugPrivilege: PID 5048, ku743758.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1052 (3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe) wrote to memory of PID 3616, procid_target 84 (3 entries)
- PID 3616 (ziTi2861.exe) wrote to memory of PID 4484, procid_target 86 (2 entries)
- PID 3616 (ziTi2861.exe) wrote to memory of PID 5048, procid_target 93 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe"
  PID: 1052
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe
    PID: 3616
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe
      PID: 4484
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe
      PID: 5048
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe (depth 1)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 3204
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

File 1
  Filesize: 405KB
  MD5: acfa868b13dbf3e79b7d56f4b110418b
  SHA1: ef394ee77e917aa53cb6552c4e8e03a3b6df6035
  SHA256: e324ea6673016b0de367d395e7191e4b0801ad1dbc8199bab85525edfcc02c93
  SHA512: 1746742c0d594afa1be8e4af9cae53e302ddba5d3983ff6f912d07566fb2bd85fa4d7b5b622c3a1fbb1dc469d890b4d146cf7a8be7762b07d9cb6eefe8682b98

File 2
  Filesize: 12KB
  MD5: 223eaf1cad299c0ed7e67067398b4563
  SHA1: 8633c28a5aa38c5741a37464b7e9d4372ffa1ab2
  SHA256: e901b004d6ba77cb69784c0a9b87b0fcbf5aedd6a47a99dd46772ee4422c3c70
  SHA512: 1262a85ee3236ad981e97dd61482497a0fda45d81062f7447918c81c390694ad4ed0796ea41643a5be7e9708f7c914725785ed2ec504b3d373a4a5fb65690f51

File 3
  Filesize: 370KB
  MD5: 0cf655ac70715e92bbe7c51e32fd2e18
  SHA1: 7e855b6103c2b0200b9901a6875aa3d9592a0caf
  SHA256: 8e0536100223410eb1bbb68c8cadba1d407e998bb9b4a8986e88f38653809920
  SHA512: 661940b18224451c6a255e883dd0f236888844bc4a4c08f623d6ead957808562a5d677e1497dea4e095ed59e77e13b9335d91415356e3e83ae2a042789d23fef