Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:03
Static task: static1
Behavioral task: behavioral1
Sample: 280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe
Resource: win10v2004-20241007-en
General
Target: 280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe
Size: 531KB
MD5: a961a35be33e1bca8a587e1f53a91401
SHA1: d159b731aa45184d316c6afd54b7cd6a1562dffc
SHA256: 280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a
SHA512: 3e3537093e9166121d88679b0abfc43ebcd6914295fcea5b7be7e4d2bfca4b8ddeca6b5a98d8ea423bb70628acfdeeca4e3e3d3b3c4452930d23379a203202d0
SSDEEP: 12288:uMrKy90lCGHWhFN/vFktYyVcy7uXWH2/JLS9t57mol58:AyKUN/tk6icURH2B+9t57mol+
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x000b000000023b7f-12.dat                                   healer
behavioral1/memory/3472-15-0x0000000000BA0000-0x0000000000BAA000-memory.dmp   healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description      ioc                                                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    jr736897.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        jr736897.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    jr736897.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    jr736897.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  jr736897.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                    jr736897.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family

Executes dropped EXE (3 IoCs)
pid   Process
1716  ziVa5625.exe
3472  jr736897.exe
3308  ku142413.exe

Windows security modification (1 IoC)
description      ioc                                                                                  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr736897.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                           Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  ziVa5625.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ziVa5625.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ku142413.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
3472  jr736897.exe
3472  jr736897.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3472  jr736897.exe
Token: SeDebugPrivilege  3308  ku142413.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process                                                                 procid_target
PID 2204 wrote to memory of 1716    2204  280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe   83
PID 2204 wrote to memory of 1716    2204  280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe   83
PID 2204 wrote to memory of 1716    2204  280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe   83
PID 1716 wrote to memory of 3472    1716  ziVa5625.exe                                                            84
PID 1716 wrote to memory of 3472    1716  ziVa5625.exe                                                            84
PID 1716 wrote to memory of 3308    1716  ziVa5625.exe                                                            102
PID 1716 wrote to memory of 3308    1716  ziVa5625.exe                                                            102
PID 1716 wrote to memory of 3308    1716  ziVa5625.exe                                                            102
Processes

C:\Users\Admin\AppData\Local\Temp\280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\280b79428262c8e13ee954554ff21db5c9678005ddf2ac25b15f732fa2fa558a.exe"
  PID: 2204
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVa5625.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVa5625.exe
    PID: 1716
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr736897.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr736897.exe
      PID: 3472
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku142413.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku142413.exe
      PID: 3308
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads

Filesize: 388KB
MD5: 6e0dddf64796e83dbe48e8a178d8e3d6
SHA1: da10464b550e83b1f3dd15df9930ab1f5656d9dd
SHA256: aa7eb1b0a094eda81ea36e0b00eadcf06ee6c50b16140d566e95284e0a712bb1
SHA512: d445e30403e89e224f8a504c0f475770e107ab68b8a3f9f63197621419d8fcd82d54d2eee3e9a39bba7c3742616ea88d4f680b19fd007f093465859609ebcf50

Filesize: 12KB
MD5: ecb0d7641a1fb55403b9001fc5a0f4b8
SHA1: 1e138381632da076c3418f721e52395211cc41ec
SHA256: 56adc93b7704813c279512a78f39ae263bc77b773d80e6382a5baaa97113cd76
SHA512: 6d7436f34d48c0f9d116c06e87f1a3134760a65cc74b3cffb12872d0203b2d6258c20b8001572201b42172ac3b407bf856db93ea3f17b30acefd0c82877f0588

Filesize: 435KB
MD5: 7dc2f03d9190b39989e27bbbf40dd554
SHA1: d0863b6c724cc3a1a3f3cbb9052bd8a7bee87005
SHA256: 2a68d3f9378ccf02f5797148ce2a6854c51323d1b061f27e74fb8ff64cfa5dfd
SHA512: 6910feca07c484bb8c726315f1e608c7cc18aac0abe6fd89b36701f26774db60f2043c852ba6684819cdd48a601353c652f91d72f47dfcbfbccc2f6c6088ab96