Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:04
Static task: static1
Behavioral task: behavioral1
Sample: dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe
Resource: win10v2004-20241007-en
General
Target: dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe
Size: 536KB
MD5: c2fdb67617643c8acf0ee072812dd61a
SHA1: e3c526406b116fba9b981e0cd03ae365f784aee9
SHA256: dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475
SHA512: 62c3bd790dd2210cb56951833b7015f1fa5b9fb1eaae92c61a603aac5b3ff49b9f7595852f1c10ffa9e30211cac195a522ed3ebc17e3e98fa7b928970f8ea428
SSDEEP: 12288:HMr2y90BdVja+/LjzoYYqV7XNIz9AEdLq2JC3:hyajn/LAYYqJXNI7d+2JC3
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
Detects Healer, an antivirus disabler dropper (2 IoCs)
- yara_rule healer: behavioral1/files/0x0008000000023cae-12.dat
- yara_rule healer: behavioral1/memory/5020-15-0x0000000000630000-0x000000000063A000-memory.dmp
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
All by process jr557941.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs, all family_redline yara_rule matches on memory dumps of PID 3748, ku343703.exe)
Redline family
Executes dropped EXE (3 IoCs)
- PID 2524: ziPZ9077.exe
- PID 5020: jr557941.exe
- PID 3748: ku343703.exe
Windows security modification (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" by jr557941.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" by ziPZ9077.exe
Note: wextract_cleanupN RunOnce values that call advpack.dll DelNodeRunDLL32 on an IXP00N.TMP directory are the standard self-cleanup written by the Windows wextract (IExpress) self-extractor; here they indicate that the outer two layers of this sample are wextract packages and that the entries delete the temp directory at next logon rather than re-launching a payload.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ziPZ9077.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ku343703.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 5020 jr557941.exe
- PID 5020 jr557941.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 5020 jr557941.exe
- Token: SeDebugPrivilege, PID 3748 ku343703.exe
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 3940 (dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe) wrote to memory of PID 2524, procid_target 84
- PID 3940 (dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe) wrote to memory of PID 2524, procid_target 84
- PID 3940 (dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe) wrote to memory of PID 2524, procid_target 84
- PID 2524 (ziPZ9077.exe) wrote to memory of PID 5020, procid_target 85
- PID 2524 (ziPZ9077.exe) wrote to memory of PID 5020, procid_target 85
- PID 2524 (ziPZ9077.exe) wrote to memory of PID 3748, procid_target 96
- PID 2524 (ziPZ9077.exe) wrote to memory of PID 3748, procid_target 96
- PID 2524 (ziPZ9077.exe) wrote to memory of PID 3748, procid_target 96
Processes
1. C:\Users\Admin\AppData\Local\Temp\dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe (PID 3940)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbd819a3d98ac06879e7a0862fe37cf53bee08b5ecf02cb347986cc0cfa67475.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPZ9077.exe (PID 2524)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPZ9077.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr557941.exe (PID 5020)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr557941.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku343703.exe (PID 3748)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku343703.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 394KB
MD5: 771bf493f5a591bce2849caf1caf9257
SHA1: 14e7d12ef8f322c88b5eab8eab860168c440e3e2
SHA256: 5c107ae4127bed5e246989105eff6ee68540f544a25ff02dced53f0493d516f6
SHA512: d3e423bdeaba27294675852b8d30caad4be58c7e54be6da1b0bc3d3c61fb1cb755c3ea00f6951dba17f12fc2e621fd993af38e25513b8c6333b3085a3cbc7b74
Filesize: 13KB
MD5: 60fc4b91f19f85d3c6587904fb890317
SHA1: b97673f5ddb7762137173de79320a3778bf92f80
SHA256: a12d7df9759f70689927eb16c2977957aa7fd7067ec8cd13b087373047b1a8cb
SHA512: 516f30ca6b81c5896962bf15146ec052e55203767edcac4ea51a79caf4f04c2abedf41579fc99084657ed67ce0d9904130b8365cea9a9d686557a906880283cf
Filesize: 353KB
MD5: 911e78ee035b11b5429591909bf9e674
SHA1: e4fc90ee2bb202ea47e1fd401cae0568a45b5b68
SHA256: 9c0f5882d7dcce18e2aba66d62faab7b610b32acbe3099ecaf458f78ba7c9c5e
SHA512: 53c8254c2053350324e7e6f18c0fdd7c2b1387c3758b8a4516fa684ba2cec4893bc71eb2086aeb0e0cd9027c618ea69b4e789953b1d01c04c60184b0c934091d