Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:25
Static task: static1
Behavioral task: behavioral1
Sample: 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe
Resource: win10v2004-20241007-en
General
Target: 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe
Size: 536KB
MD5: 7cc7840a92f5287f455d037a428a3c12
SHA1: 4511b1f6ba45718b72ae8589204808d367e036ac
SHA256: 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c
SHA512: 54758c4509252d1c400366ca57026ac247e42c40e245d1cfe995c6e8f3398d9af86581a55482f883b0c6ceb37fe00d81c3966c4e0326f7c24c3cb1eab2646244
SSDEEP: 12288:oMrIy90Uo1Spi4DHeBiyNCz4DZ2LyIHY3nRS:wynHjTyNCi29HY3o
Malware Config
Extracted: redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c9e-12.dat | healer
behavioral1/memory/3012-15-0x0000000000BC0000-0x0000000000BCA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr607469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr607469.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr607469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr607469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr607469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr607469.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
1248 | ziZs4183.exe
3012 | jr607469.exe
4900 | ku573081.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr607469.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziZs4183.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziZs4183.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku573081.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3012 | jr607469.exe
3012 | jr607469.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3012 | jr607469.exe
Token: SeDebugPrivilege | 4900 | ku573081.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1228 wrote to memory of 1248 | 1228 | 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe | 83
PID 1228 wrote to memory of 1248 | 1228 | 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe | 83
PID 1228 wrote to memory of 1248 | 1228 | 91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe | 83
PID 1248 wrote to memory of 3012 | 1248 | ziZs4183.exe | 85
PID 1248 wrote to memory of 3012 | 1248 | ziZs4183.exe | 85
PID 1248 wrote to memory of 4900 | 1248 | ziZs4183.exe | 92
PID 1248 wrote to memory of 4900 | 1248 | ziZs4183.exe | 92
PID 1248 wrote to memory of 4900 | 1248 | ziZs4183.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91b1f2defa00283007804cdd0cb25a3cb30d52e53e684d695381c0ddfb365e4c.exe"
  PID: 1228
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZs4183.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZs4183.exe
      PID: 1248
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr607469.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr607469.exe
          PID: 3012
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku573081.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku573081.exe
          PID: 4900
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads