Analysis
-
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11/11/2024, 02:41
Static task: static1
Behavioral task: behavioral1
Sample: 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe
Resource: win10v2004-20241007-en
General
-
Target: 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe
Size: 538KB
MD5: ecb2b2ef13d92f47463495047075a9cd
SHA1: 6e5eac4ee84e2274cb773a7aa0c399456622ba29
SHA256: 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a
SHA512: dce351b4abe07ad67ee7962694d4972b8e08c7d70314f455739eca4ac162befdae9bf2b25b8b763e72f4687fc8545115bba6b3b2658806b9bd002e5ed087ebf9
SSDEEP: 12288:MMrMy90cVGM8m3CKq6PONI2J9bSwPQxBl+oNtrGjBp/J6ZcB5FvEo:gyOc3tz2NdvYxBlJtIYEEo
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
-
Attributes
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource yara_rule
behavioral1/files/0x0008000000023c5c-13.dat healer
behavioral1/memory/3372-15-0x00000000007B0000-0x00000000007BA000-memory.dmp healer
-
Healer family
-
Modifies Windows Defender Real-time Protection settings
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr078130.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr078130.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr078130.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr078130.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr078130.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr078130.exe
Each of these is a Defender policy DWORD; a value of 1 switches the named real-time protection feature off, which is the behaviour behind the "antivirus disabler" classification above. Where Tamper Protection is on, Defender does not honour such registry writes, which is why the same process also tries to clear the TamperProtection flag (the Windows security modification entry).
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule
behavioral1/memory/4464-22-0x00000000027B0000-0x00000000027F6000-memory.dmp family_redline
behavioral1/memory/4464-24-0x00000000029A0000-0x00000000029E4000-memory.dmp family_redline
behavioral1/memory/4464-46-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-44-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-86-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-84-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-82-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-80-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-78-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-76-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-74-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-72-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-70-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-68-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-66-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-64-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-62-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-60-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-56-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-54-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-52-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-50-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-48-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-42-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-40-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-39-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-36-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-34-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-32-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-88-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-58-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-30-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-28-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-26-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
behavioral1/memory/4464-25-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
pid Process
2072 ziFK3663.exe
3372 jr078130.exe
4464 ku412332.exe
-
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr078130.exe
-
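The Defender-disabling registry writes recorded for jr078130.exe (the five Real-Time Protection policy values and the TamperProtection flag) are a compact detection target. The Python below is an added example written for this page; it is not part of the sandbox report and not code from any tool the report names. It classifies Sysmon Event ID 13 (RegistryEvent SetValue) records rendered as one key=value text line each, flags exactly the value names and data the sample wrote, and normalises the sandbox's native \REGISTRY\MACHINE path spelling to the HKLM form Sysmon uses. The line format, the SAMPLE_EVENTS list and the Finding/classify/scan names are assumptions for the example; the sample events are constructed, not taken from the run.

```python
"""Flag registry writes that switch Microsoft Defender protection off."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Policy branch written by the sample; a DWORD of 1 disables the named feature.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Tamper Protection flag the sample sets to 0.
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
TAMPER_VALUE = "TamperProtection"

# Assumed log line shape (example-specific): EventID=13 Image=... TargetObject=... Details=...
_EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Image=(?P<image>.+?)\s+TargetObject=(?P<target>.+?)\s+Details=(?P<details>.+)$"
)
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")


@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    data: int
    reason: str


def normalize_key(path: str) -> str:
    """Map the native NT path spelling used in the sandbox report to Sysmon's hive prefixes."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.IGNORECASE)
    return re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.IGNORECASE)


def parse_dword(details: str) -> Optional[int]:
    """Return the integer in a Sysmon 'DWORD (0x...)' Details field, or None for other types."""
    m = _DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def classify(event: str) -> Optional[Finding]:
    """Return a Finding if the event is a Defender-disabling SetValue, else None."""
    m = _EVENT_RE.match(event)
    if not m or m.group("id") != "13":
        return None
    key, _, value_name = normalize_key(m.group("target")).rpartition("\\")
    data = parse_dword(m.group("details"))
    if data is None:
        return None
    process = m.group("image").rsplit("\\", 1)[-1]
    if key.lower() == RTP_POLICY_KEY.lower() and value_name in RTP_DISABLE_VALUES and data == 1:
        return Finding(process, value_name, data, "Defender real-time protection feature disabled via policy")
    if key.lower() == TAMPER_KEY.lower() and value_name == TAMPER_VALUE and data == 0:
        return Finding(process, value_name, data, "Defender tamper protection flag cleared")
    return None


def scan(events: Iterable[str]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events modelled on this run; not an actual Sysmon capture.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr078130.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr078130.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring Details=DWORD (0x00000001)",
    # Same write in the sandbox's native-path spelling, exercising normalize_key().
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr078130.exe TargetObject=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection Details=DWORD (0x00000000)",
    # Benign: a non-zero TamperProtection value, an unrelated key, and a re-enable (0) of a policy value.
    r"EventID=13 Image=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection Details=DWORD (0x00000005)",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\gpupdate.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000000)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.process}: {finding.value_name}={finding.data} ({finding.reason})")
```

Only writes that actually disable something are flagged: a policy value set to 0 or a non-zero TamperProtection value passes through, so the rule does not fire on administrators re-enabling protection or on Defender maintaining its own state.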
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziFK3663.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe
These two RunOnce values are not persistence for the payload: wextract_cleanupN entries calling advpack.dll,DelNodeRunDLL32 are how an IExpress (wextract) self-extracting package deletes its IXP00N.TMP extraction directory at next logon. Together with the nested IXP000.TMP/IXP001.TMP folders they show the sample is a two-layer IExpress wrapper around the dropped executables.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziFK3663.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku412332.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3372 jr078130.exe
3372 jr078130.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 3372 jr078130.exe
Token: SeDebugPrivilege 4464 ku412332.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 1956 wrote to memory of 2072 1956 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe 83
PID 1956 wrote to memory of 2072 1956 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe 83
PID 1956 wrote to memory of 2072 1956 0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe 83
PID 2072 wrote to memory of 3372 2072 ziFK3663.exe 84
PID 2072 wrote to memory of 3372 2072 ziFK3663.exe 84
PID 2072 wrote to memory of 4464 2072 ziFK3663.exe 98
PID 2072 wrote to memory of 4464 2072 ziFK3663.exe 98
PID 2072 wrote to memory of 4464 2072 ziFK3663.exe 98
Every target PID is a direct child of the writing process in the process tree, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes
-
(bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b9694e55e07f5e4bd36ad492acd8dc5418037aa435be0be5cec229d34fa4b0a.exe"
    PID: 1956
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziFK3663.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziFK3663.exe
        PID: 2072
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr078130.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr078130.exe
            PID: 3372
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku412332.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku412332.exe
            PID: 4464
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
-
Filesize: 396KB
MD5: f2c2ce9afc9270bae6bd8f07c7b8b21b
SHA1: c2179c8cd20760d9849368dcfadca7fe1793bf11
SHA256: 8cd23bf75529d35c37e6d7041c18d357f6797cc2a02a1cdd692de7b588268353
SHA512: 4f4b17b7ecf9bef9358cadd30155ded786a59c0e9f20dd01a35eabaf56477a9608be27f183b48efbba7e33aca96feb419d3fc5b79b0173e6456b0c37d7bfb365
-
Filesize: 13KB
MD5: 75f93dd94c0b93390c9c54ef58de90d6
SHA1: 60f18851afc81e2bf55aac2ba4fce7fc10911c2c
SHA256: 583d2cbd1c5bc2a9460a5a12488bd9692ddff97b052cc466eb706ee4be6ef301
SHA512: 05dd7176dfc62bc1fd17bc051159a33cd81c0b8327120ce6fbe6f995ae9b4833a786da21b4f802bceab18bcb816b7bc8e6ac16e1610635ebe02ab8ebedfecb08
-
Filesize: 353KB
MD5: 143391a07a92cba5212348d9190d48af
SHA1: f14d1851d38e3be640dabd802376258e7a14ecac
SHA256: 7d11d1a3b71e5b44fb5a5308d0785cbb5ec3981d1ad51973e24dca094b6e2ce0
SHA512: 2b6f6e47e597510cd12c77b3b2dbab4bd9b76af2e8fe279812780833c6645a876654d5b74f68e32d8ae05f2f4b9ef50c78959927ebd038ea59c354c21d2d1ed1