Analysis

Max time kernel: 142s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/11/2024, 05:53

Static task: static1
Behavioral task: behavioral1
Sample: 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe
Resource: win10v2004-20241007-en
General

Target: 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe
Size: 522KB
MD5: 720bd5c70e841b0bf6ec32f99da0ff9f
SHA1: fc51f65055248c294f23a089659864eaf120694a
SHA256: 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b
SHA512: 693340a0f3a8c99c8bf3ca08cf602b719fd46b717b99bee72f2b19f2e8981b4b3d4496c962b047c30584317447b6f1db2b8e4fde39d25cb383dec1ed75cb7e3c
SSDEEP: 12288:5MrRy907tjVnfMVb50e+lV9+mv6q2dmZPEQjD4I0dY:4yPTkp6q2dwL390dY
Malware Config

Extracted: redline (rosn)
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer an antivirus disabler dropper (2 IoCs)
resource | yara_rule
- behavioral1/files/0x000b000000023b5d-12.dat | healer
- behavioral1/memory/2776-15-0x0000000000FC0000-0x0000000000FCA000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr249612.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr249612.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr249612.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr249612.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr249612.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr249612.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
- behavioral1/memory/5016-22-0x0000000002440000-0x0000000002486000-memory.dmp | family_redline
- behavioral1/memory/5016-24-0x00000000050A0000-0x00000000050E4000-memory.dmp | family_redline
- behavioral1/memory/5016-28-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-70-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-68-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-66-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-64-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-62-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-60-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-58-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-56-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-54-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-52-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-50-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-48-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-46-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-44-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-42-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-40-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-38-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-36-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-34-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-32-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-30-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-80-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-26-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-25-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-88-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-86-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-84-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-82-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-78-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-76-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-74-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
- behavioral1/memory/5016-72-0x00000000050A0000-0x00000000050DF000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
pid | Process
- 1788 | ziAi3849.exe
- 2776 | jr249612.exe
- 5016 | ku349692.exe

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr249612.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziAi3849.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
- 5400 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziAi3849.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku349692.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
- 2776 | jr249612.exe
- 2776 | jr249612.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2776 | jr249612.exe
- Token: SeDebugPrivilege | 5016 | ku349692.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 4872 wrote to memory of 1788 | 4872 | 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe | 84
- PID 4872 wrote to memory of 1788 | 4872 | 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe | 84
- PID 4872 wrote to memory of 1788 | 4872 | 5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe | 84
- PID 1788 wrote to memory of 2776 | 1788 | ziAi3849.exe | 86
- PID 1788 wrote to memory of 2776 | 1788 | ziAi3849.exe | 86
- PID 1788 wrote to memory of 5016 | 1788 | ziAi3849.exe | 92
- PID 1788 wrote to memory of 5016 | 1788 | ziAi3849.exe | 92
- PID 1788 wrote to memory of 5016 | 1788 | ziAi3849.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe (PID 4872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5eb47e4ba02d39756a52ace324caf85b2b6b6f22d55b7470bb5fb1b6a0af568b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAi3849.exe (PID 1788)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAi3849.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr249612.exe (PID 2776)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr249612.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku349692.exe (PID 5016)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku349692.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe (PID 5400)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize: 379KB
MD5: 2734b1d49cbb5d0964925206c63622df
SHA1: 7687bbf7a7a3e29516b7a9de3a51f624e0e5eb80
SHA256: 249b77421b41510ea257b329907e54dc638067eebc8b989b29a6a9653ac9af52
SHA512: 925599fb0f1838e33283067cbbe2cf35b779ad7c88949d25f916c467de9629d78782e139f61b509d8b6830e7ace85fe815cd81c96dd2368a6a54219a28b2cc00

Filesize: 14KB
MD5: a84bce1bea711efbf921516f90a72198
SHA1: 28d4c82ce732c31c72a3a936e00e846fe464c94d
SHA256: 0dd735fb3a9ff9c277a020aea745e365b7d341886f828f924c0b0bf9d1753236
SHA512: eed943607c62629d2c38871e3db50184cc25af0fd0c27052058d7a25193e005946ab3732fc2b8683ca5a2a921eacfd83bbc4e7901b54ed15a2608cc69b181cf1

Filesize: 295KB
MD5: 25fd2c63b1ce9918f4a7c8eea8951286
SHA1: aa5952a06fceaa7eae4f20d26fe7bc0877650c51
SHA256: e26ce069ac07e64e623ab6cdf313763f0c6a5337ef60088fb904a8f1346ce890
SHA512: 0ad7e053e02b3b9aa3c79d42355aa129b7e4ab748de4f6814111a421f1ebc5beb9ccab83688f957af5dcecc9b4685d4e0e44e2b041cb5f63d9d849062f519a85