Analysis
-
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe
Resource
win10v2004-20241007-en
General
-
Target
dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe
-
Size
549KB
-
MD5
16ed0f40bed4cc376abd5754a65bfe4d
-
SHA1
1e2f142d12eda48fc5c852ec2e640a38fe6d38fc
-
SHA256
dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853
-
SHA512
60774ba978ab99689ce4ab706e1dd93b9d7f4ca15ef5ee36a6dc5f972481c317547d7ee83d1403c1f47fb6fa5e54fe39135cae4079ea9c85891225fd532c6ca3
-
SSDEEP
12288:SMrWy90VQpN5TCMmk/ehfs+7fRdQKXwqV0mpw:IyT5wk/e++LoVYw
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource  yara_rule
behavioral1/files/0x0008000000023ca4-12.dat  healer
behavioral1/memory/3760-15-0x0000000000080000-0x000000000008A000-memory.dmp  healer
Healer family
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  jr620443.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  jr620443.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  jr620443.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  jr620443.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  jr620443.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  jr620443.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)
resource  yara_rule
behavioral1/memory/4156-22-0x00000000026C0000-0x0000000002706000-memory.dmp  family_redline
behavioral1/memory/4156-24-0x00000000053F0000-0x0000000005434000-memory.dmp  family_redline
behavioral1/memory/4156-30-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-40-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-88-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-86-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-84-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-82-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-80-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-78-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-76-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-74-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-70-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-68-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-66-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-64-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-62-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-60-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-58-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-56-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-54-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-52-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-50-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-46-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-44-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-42-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-38-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-36-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-34-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-32-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-72-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-48-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-28-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-26-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
behavioral1/memory/4156-25-0x00000000053F0000-0x000000000542F000-memory.dmp  family_redline
Redline family
-
Executes dropped EXE (3 IoCs)
pid  Process
1640  ziCi5751.exe
3760  jr620443.exe
4156  ku310422.exe
-
Windows security modification (1 IoC)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr620443.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  ziCi5751.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid  Process
5432  sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ziCi5751.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ku310422.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
3760  jr620443.exe
3760  jr620443.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  3760  jr620443.exe
Token: SeDebugPrivilege  4156  ku310422.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description  pid  Process  procid_target
PID 1408 wrote to memory of 1640  1408  dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe  83
PID 1408 wrote to memory of 1640  1408  dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe  83
PID 1408 wrote to memory of 1640  1408  dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe  83
PID 1640 wrote to memory of 3760  1640  ziCi5751.exe  84
PID 1640 wrote to memory of 3760  1640  ziCi5751.exe  84
PID 1640 wrote to memory of 4156  1640  ziCi5751.exe  95
PID 1640 wrote to memory of 4156  1640  ziCi5751.exe  95
PID 1640 wrote to memory of 4156  1640  ziCi5751.exe  95
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\dcfe9e9f71f1e4cce690eb704be414e864dc1ab0b4a2639180b0326d166f5853.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1408
-
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCi5751.exe (depth 2, child of PID 1408)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCi5751.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1640
    -
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620443.exe (depth 3, child of PID 1640)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr620443.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3760
        -
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku310422.exe (depth 3, child of PID 1640)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku310422.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 4156
-
C:\Windows\system32\sc.exe (depth 1)
Command line: C:\Windows\system32\sc.exe start wuauserv
- Launches sc.exe
PID: 5432
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
-
Filesize: 395KB
MD5: 80f9c2f4a1f197968919b332a3c20f7e
SHA1: 24a2312e0a1fa239616f4c362f0d8ed00da91a15
SHA256: 5e170f4884d5f8a8910f13a690d94ff280596b63f0cfa1742aa58655d69fe9cc
SHA512: 5540fbaed06547a93cbd9330c3a75638692f3694c2b090788afc2e61c3976d5046becea095536a1e48f99d35256eaa209f3219d842baed5f0caca8ae761cac65
-
Filesize: 11KB
MD5: 9ac65ad985162c88145e943c28e9bc40
SHA1: 02122075323a797ef5b0cfc46c3bb99dda6c8f37
SHA256: a2abe6970228004f0743ae8e5e4fc52a7a75e878d0ab216aae4b5d3149712efa
SHA512: 43e3f933c20981a8f9e1f9bb1fa8bfdd0078b5cde20a6d88b67ebd6b668ce6d0fdcb468ca4a528b935da55487457c343037bdb75c7fd1a779fa188800c238d0c
-
Filesize: 348KB
MD5: b26a8d97780cc5861a4e8db2501d43b8
SHA1: 17ccf73ee26c1c7e7ec6f7a3cac7e8cb53a82da2
SHA256: 95677eceb508add96a6bba40bc90f9b739a247466087cc55a396de9d23e24a06
SHA512: 36388c58bc0ea170f98b706ff108889299998e955c80b925f147a7f6b66bede448933c1bbfac2eda00d50c4e66a6dc50e0944a355de57788b4847e41395f854a