Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:54

Static task: static1

Behavioral task: behavioral1
  Sample: 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
  Resource: win10v2004-20241007-en
General
Target: 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
Size: 693KB
MD5: 13e7465ea80d98db3c705f2d1514dc58
SHA1: 0cceb60c32215991807f4eb1aab27119743159e7
SHA256: 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173
SHA512: 2f89d36e8e5d1af7e0c4097ad57505715c9f5fc219881c438263724713beb1401ce8e8def80f905ec7c71762d317b0cd85f640722ac8c2c83e68074a45e259ec
SSDEEP: 12288:kBVTbILUBFnob9ROF52dVW5iXygBfovnzMd6T0BplqHvnLM8d:WRAUBFo7V1XyiovzvIPlSvL5d
Malware Config
Extracted
  Family: redline
  Botnet: sony
  C2: 193.233.20.33:4125
  auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource: behavioral2/files/0x0008000000023cb0-16.dat  yara_rule: healer
  resource: behavioral2/memory/2312-19-0x0000000000390000-0x000000000039A000-memory.dmp  yara_rule: healer

Healer family

Modifies Windows Defender Real-time Protection settings
  Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  (jr053814.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (jr053814.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (jr053814.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (jr053814.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (jr053814.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (jr053814.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (34 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
  PID 3760  ziOc8233.exe
  PID 2312  jr053814.exe
  PID 2128  ku613286.exe

Windows security modification
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  (jr053814.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (ziOc8233.exe)

Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  PID 4412  sc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (ku613286.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (ziOc8233.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2312  jr053814.exe
  PID 2312  jr053814.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2312  jr053814.exe
  Token: SeDebugPrivilege  PID 2128  ku613286.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3136 wrote to memory of 3760  (pid 3136, 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe, procid_target 83)
  PID 3136 wrote to memory of 3760  (pid 3136, 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe, procid_target 83)
  PID 3136 wrote to memory of 3760  (pid 3136, 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe, procid_target 83)
  PID 3760 wrote to memory of 2312  (pid 3760, ziOc8233.exe, procid_target 85)
  PID 3760 wrote to memory of 2312  (pid 3760, ziOc8233.exe, procid_target 85)
  PID 3760 wrote to memory of 2128  (pid 3760, ziOc8233.exe, procid_target 93)
  PID 3760 wrote to memory of 2128  (pid 3760, ziOc8233.exe, procid_target 93)
  PID 3760 wrote to memory of 2128  (pid 3760, ziOc8233.exe, procid_target 93)
Processes

C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe"
  PID: 3136
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
    PID: 3760
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
      PID: 2312
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
      PID: 2128
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 4412
  - Launches sc.exe
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads