Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 05:55
Static task
static1
Behavioral task
behavioral1
Sample
1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe
Resource
win10v2004-20241007-en
General
-
Target
1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe
-
Size
536KB
-
MD5
538e4747dbe26a62e0724939fa86316f
-
SHA1
7f7d76ab8d5494226b937f90a3e8b2352a5fab2d
-
SHA256
1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7
-
SHA512
abd1289356983c7d2fd89894d41efc5edb6eb67dc137378cfd52bbf22a1643b51ccfa4a9aa470bdefbc2a3da6b4cf26ecc406f1c256f478563c1125609466659
-
SSDEEP
12288:NMrUy90iapGs3/BV2SMrCNfzsBGjQyqrS8hLa1zG/:lypkBVdPNf8IVqe80k
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023ca2-12.dat healer behavioral1/memory/4516-15-0x0000000000370000-0x000000000037A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr754102.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr754102.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr754102.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr754102.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr754102.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr754102.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4256-22-0x00000000027B0000-0x00000000027F6000-memory.dmp family_redline behavioral1/memory/4256-24-0x00000000029A0000-0x00000000029E4000-memory.dmp family_redline behavioral1/memory/4256-32-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-26-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-25-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-40-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-88-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-86-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-84-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-82-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-80-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-78-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-76-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-74-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-72-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-68-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-66-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-64-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-62-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-60-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-58-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-56-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-54-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-52-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-50-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-48-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-44-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-42-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-38-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-36-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-34-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-30-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-28-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-70-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline behavioral1/memory/4256-46-0x00000000029A0000-0x00000000029DF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 1652 ziks8555.exe 4516 jr754102.exe 4256 ku035444.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr754102.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziks8555.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziks8555.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku035444.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4516 jr754102.exe 4516 jr754102.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4516 jr754102.exe Token: SeDebugPrivilege 4256 ku035444.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4848 wrote to memory of 1652 4848 1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe 83 PID 4848 wrote to memory of 1652 4848 1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe 83 PID 4848 wrote to memory of 1652 4848 1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe 83 PID 1652 wrote to memory of 4516 1652 ziks8555.exe 84 PID 1652 wrote to memory of 4516 1652 ziks8555.exe 84 PID 1652 wrote to memory of 4256 1652 ziks8555.exe 96 PID 1652 wrote to memory of 4256 1652 ziks8555.exe 96 PID 1652 wrote to memory of 4256 1652 ziks8555.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe"C:\Users\Admin\AppData\Local\Temp\1dd38f00eb8f89df958fc3aa81dd66caffda72fb4ba1243eb2037a9f707410a7.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziks8555.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziks8555.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr754102.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr754102.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku035444.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku035444.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
394KB
MD54436957519126b68a9981a9061c1f537
SHA1e95c2b4f93151163f76219397f96232bfe1ab930
SHA256ef76196c809f878c2130466c3818c09f5d4cd5d3c431983b64d539cefba4ac2e
SHA512a3107f282294ea959b2f88f1c03b825208cb94bdd042c51b27a4a5b1a687ee1f475c70b063c16dbcb4420bb4413bd9f3063d744bd4e5309c1de9a49003ee2e5a
-
Filesize
13KB
MD54c840579d0620506cbba3e720d11c58d
SHA1479efac5882d21ee370fe6267eccf0f247ef2d92
SHA256fe2fc725c2f0377519dabbcd533006b28590a8be472d05ba165d9c26c8d245ff
SHA512534e4cde891382eb76f79ec21220afd4d6a7e78e691db310b6bf95a617be8d95ad69e9787151aa0654b2f9cbb13842772f200b758a800c0d2cb138f8a39df246
-
Filesize
353KB
MD5b06310eeca7343d6c12ad2c21d5c89a3
SHA1cbefc6d4caff549ffe061dce2515409815e16ee9
SHA2561b910b65033f84f4e1d3a22cadae1a2b5177f9f75919e076b690229d2883cd61
SHA512d6ae34879c3be8309d6df457d3a93e599dc472049a56eb0926032ad15573850e8adaa4667cda3e5057bf49ef703bf44dfcc53704853f68750e7fb33633fc465f