Analysis

max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:06

Static task: static1
Behavioral task: behavioral1
  Sample: 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe
  Resource: win10v2004-20241007-en
General

Target: 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe
Size: 537KB
MD5: 80c75cf87c2d87eab5d5e02299ad09f9
SHA1: e648fd62e3cc0237eddbbeb4798f56ac4b9e538c
SHA256: 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c
SHA512: 2519d355a31841dab39f767caebebb17f19c3d284e2c5eefbdd7ed58f74b2ad41744994192f99ea94c981403a3224d118f897c6bf019ab715995ccbb2c65027d
SSDEEP: 12288:sMryy90uxEMUZHTHVXdmI6LiNPz6iXTJxvN:uyAz1oI6LiNPBXTJxF
Malware Config

Extracted
  redline
  rosn
  176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023c7b-12.dat | healer
  behavioral1/memory/2648-15-0x00000000008F0000-0x00000000008FA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr904134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr904134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr904134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr904134.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr904134.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr904134.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)
  pid | Process
  348 | zibt7449.exe
  2648 | jr904134.exe
  3184 | ku419500.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr904134.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zibt7449.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zibt7449.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku419500.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2648 | jr904134.exe
  2648 | jr904134.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2648 | jr904134.exe
  Token: SeDebugPrivilege | 3184 | ku419500.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2244 wrote to memory of 348 | 2244 | 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe | 85
  PID 2244 wrote to memory of 348 | 2244 | 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe | 85
  PID 2244 wrote to memory of 348 | 2244 | 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe | 85
  PID 348 wrote to memory of 2648 | 348 | zibt7449.exe | 86
  PID 348 wrote to memory of 2648 | 348 | zibt7449.exe | 86
  PID 348 wrote to memory of 3184 | 348 | zibt7449.exe | 92
  PID 348 wrote to memory of 3184 | 348 | zibt7449.exe | 92
  PID 348 wrote to memory of 3184 | 348 | zibt7449.exe | 92
Processes

1. C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe"
   PID: 2244
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe
      PID: 348
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe
         PID: 2648
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe
         PID: 3184
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 394KB
MD5: 78003b1ea497f6f84f7afad641859118
SHA1: fc8afa0ba93ff6fdb32b3e676b552702108fbf70
SHA256: dc126269651b47efa91d6bc1a6b1605a8a18cdd5356df33741bbdd670123ef1b
SHA512: 72d5728ed0afa62881ebe54cf999f8868f75e130dba166d945666367ab821413d3cb02ad985e4683524f18c358560cd61159fb21186755c48b26b33fdcc34252

Filesize: 13KB
MD5: a2a8ebd2d93bb408c2d46f89c35b9311
SHA1: 6b4c7e88f6153783580daf181ce95c1ad51d96bf
SHA256: a2bbb490986f915ee0fcffee1d57bbd8bd86e38089332ebfa1d7c9a2ce8900fa
SHA512: ee3b4fb8a8dcc407fda4cc916159a1d07392c6cabb92ab80009a1cc719a27cb2c91944ec79b602886b325d493ea80111959f824317833705a48036608c1a5431

Filesize: 353KB
MD5: 11aff3a44973cce6d628ed29341607b4
SHA1: c20444542e2a0c8081cfc47c793e2a02826f8f89
SHA256: d035c4ca01bf0cee293a8e35ff34768355c8748567108fdd5dfa3c4d89816d3c
SHA512: 76eae33deb8ebea5d725b134c923711513fd6f1eb642310ac504685f1411727610f4ef7ea7db3f2c085807d5c3b8a32fcf2d46ff634d49f5b10cb94e2336f0a7