Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:00
Static task: static1
Behavioral task: behavioral1
Sample: bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe
Resource: win10v2004-20241007-en
General
Target: bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe
Size: 533KB
MD5: a603448fb53c14840fbe3dc80af090ad
SHA1: 7d93f13febe497712a783526d0402d8b2f9317b1
SHA256: bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d
SHA512: 4833827ae042df03c9c45b75186821aa056f436396b37fb478c8e7b011040cc7a1cc5403d2ff5e9531b14ecc8265e9756d6cd8a6816e786bf94cbe7c8df0273f
SSDEEP: 12288:+MrOy90XZXjIXKRQVRQ7pwcNt6UR+3LqxYfTAEni:cysxEyyetP+3Gxd
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x000b000000023b82-12.dat                                   healer
behavioral1/memory/2824-15-0x00000000005F0000-0x00000000005FA000-memory.dmp   healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description      ioc                                                                                                                  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"      jr072505.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  jr072505.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  jr072505.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr072505.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                  jr072505.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  jr072505.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource                                                                      yara_rule
behavioral1/memory/4332-22-0x0000000003B40000-0x0000000003B86000-memory.dmp   family_redline
behavioral1/memory/4332-24-0x0000000006170000-0x00000000061B4000-memory.dmp   family_redline
behavioral1/memory/4332-80-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-88-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-86-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-84-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-82-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-78-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-76-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-74-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-72-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-70-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-68-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-66-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-64-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-62-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-58-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-56-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-55-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-52-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-50-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-48-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-46-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-44-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-42-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-40-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-38-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-34-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-32-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-30-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-60-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-36-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-28-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-26-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline
behavioral1/memory/4332-25-0x0000000006170000-0x00000000061AF000-memory.dmp   family_redline

RedLine family

Executes dropped EXE (3 IoCs)
pid   Process
1004  zitK7345.exe
2824  jr072505.exe
4332  ku859820.exe
Windows security modification (1 IoC)
description      ioc                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr072505.exe
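The two Defender tables above describe one action from two angles: policy values that switch off individual real-time components, and the Features\TamperProtection value zeroed so the change is not undone. As an added example that is not the sandbox's or the malware's code, the following Python parses registry rows in the report's own one-line format and reduces them to a per-process verdict. The rule table, technique names and thresholds are the author's assumptions; the input rows are constructed from the tables above plus two benign controls.

```python
"""Flag registry writes that disable Microsoft Defender, the pattern Healer
shows in the two tables above.

Added example for this report; it is not the sandbox vendor's code or the
malware's. The event lines are constructed to mirror the report's
'Set value (int) <key> = "<value>" <process>' rows, and the rule table,
technique names and verdict thresholds are the author's assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the seven jr072505.exe rows from the report plus two
# invented controls that must not fire (gpupdate.exe re-enabling a component,
# explorer.exe writing an unrelated key).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr072505.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<key>.+?) = "(?P<val>.*)" (?P<proc>\S+)$')

# Rule table (lower-cased; registry paths are case-insensitive). The five
# Real-Time Protection values are the ones this sample writes.
# DisableAntiSpyware is the documented parent policy that turns Defender off
# outright; watching it is the author's assumption, it is not seen in this report.
RTP_POLICY = r'hklm\software\policies\microsoft\windows defender\real-time protection'
RTP_DISABLERS = {'disablerealtimemonitoring', 'disablebehaviormonitoring',
                 'disableioavprotection', 'disableonaccessprotection',
                 'disablescanonrealtimeenable'}
DEFENDER_POLICY = r'hklm\software\policies\microsoft\windows defender'
FEATURES_KEY = r'hklm\software\microsoft\windows defender\features'


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    key: str
    value: str


def _normalize(key: str) -> str:
    """Map the native \\REGISTRY\\MACHINE prefix to HKLM and lower-case the path."""
    return re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key, flags=re.IGNORECASE).lower()


def analyze(events):
    """Return one Finding per event that weakens Defender. 'Key created' rows
    are preparatory (the policy key does not exist until something writes it)
    and are ignored on their own."""
    findings = []
    for line in events:
        m = SET_RE.match(line)
        if not m:
            continue
        parent, _, name = _normalize(m['key']).rpartition('\\')
        val, proc = m['val'], m['proc']
        if parent == RTP_POLICY and name in RTP_DISABLERS and val == '1':
            findings.append(Finding(proc, 'rtp_component_disabled', m['key'], val))
        elif parent == DEFENDER_POLICY and name == 'disableantispyware' and val == '1':
            findings.append(Finding(proc, 'antispyware_disabled', m['key'], val))
        elif parent == FEATURES_KEY and name == 'tamperprotection' and val == '0':
            findings.append(Finding(proc, 'tamper_protection_off', m['key'], val))
    return findings


def classify(findings):
    """Per-process verdict. Thresholds are assumptions: several real-time
    components switched off by one process that also zeroes TamperProtection
    is the Healer profile above; anything less is still policy tampering."""
    techniques = defaultdict(set)
    rtp_count = defaultdict(int)
    for f in findings:
        techniques[f.process].add(f.technique)
        if f.technique == 'rtp_component_disabled':
            rtp_count[f.process] += 1
    return {
        proc: ('healer-like AV disabler'
               if 'tamper_protection_off' in techs and rtp_count[proc] >= 3
               else 'defender policy tampering')
        for proc, techs in techniques.items()
    }


if __name__ == '__main__':
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f'{f.process}: {f.technique} <- {f.key} = {f.value}')
    print(classify(found))
```

Two caveats for production use. The values under Policies\Microsoft\Windows Defender are exactly what Group Policy writes, so the writing process matters more than the key: here it is a dropped binary in %TEMP%, not the policy engine. And the report records the TamperProtection write, not its effect; whether Defender honoured the policy changes depends on whether Tamper Protection was active on the analysis image, which the page does not show.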
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  zitK7345.exe
Both values are the standard clean-up entries written by wextract, the Windows self-extracting cabinet stub: advpack.dll's DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at the next logon. The signature therefore reflects staging clean-up by the two outer extractors, not persistence of the Healer or RedLine payloads.
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zitK7345.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ku859820.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2824  jr072505.exe
2824  jr072505.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2824  jr072505.exe
Token: SeDebugPrivilege  4332  ku859820.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                                                 procid_target
PID 2644 wrote to memory of 1004  2644  bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe  83
PID 2644 wrote to memory of 1004  2644  bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe  83
PID 2644 wrote to memory of 1004  2644  bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe  83
PID 1004 wrote to memory of 2824  1004  zitK7345.exe                                                            84
PID 1004 wrote to memory of 2824  1004  zitK7345.exe                                                            84
PID 1004 wrote to memory of 4332  1004  zitK7345.exe                                                            97
PID 1004 wrote to memory of 4332  1004  zitK7345.exe                                                            97
PID 1004 wrote to memory of 4332  1004  zitK7345.exe                                                            97
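The WriteProcessMemory rows are consistent with ordinary process creation rather than injection: each writer only touches processes it spawned, as the Processes section below confirms. What they do give you, together with the two wextract_cleanup RunOnce values, is the staging chain: which extractor unpacked into which IXP00n.TMP directory and what it launched from there. The following Python is an added example, not code from the sandbox vendor; the input lists are constructed copies of the rows above, the leaf process names come from the Executes dropped EXE table, and the function names are the author's.

```python
"""Rebuild the dropper chain from the WriteProcessMemory and RunOnce rows in
the tables above.

Added example for this report; it is not the sandbox vendor's code. The input
lists are constructed copies of the report's rows, the leaf process names are
taken from the 'Executes dropped EXE' table, and the function names are the
author's.
"""
import re
from collections import defaultdict

ROOT = 'bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe'

# 'PID <writer> wrote to memory of <target> <writer> <writer image> <target id>'
WPM_EVENTS = [
    f'PID 2644 wrote to memory of 1004 2644 {ROOT} 83',
    f'PID 2644 wrote to memory of 1004 2644 {ROOT} 83',
    f'PID 2644 wrote to memory of 1004 2644 {ROOT} 83',
    'PID 1004 wrote to memory of 2824 1004 zitK7345.exe 84',
    'PID 1004 wrote to memory of 2824 1004 zitK7345.exe 84',
    'PID 1004 wrote to memory of 4332 1004 zitK7345.exe 97',
    'PID 1004 wrote to memory of 4332 1004 zitK7345.exe 97',
    'PID 1004 wrote to memory of 4332 1004 zitK7345.exe 97',
]
# Leaf processes never write into another process, so their names only appear
# in the 'Executes dropped EXE' table.
PID_NAMES = {2644: ROOT, 1004: 'zitK7345.exe', 2824: 'jr072505.exe', 4332: 'ku859820.exe'}

# RunOnce rows as the report prints them (backslashes and inner quotes escaped).
RUNONCE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ' + ROOT,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zitK7345.exe',
]

WPM_RE = re.compile(r'^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) (?P<image>\S+) \d+$')
RUNONCE_RE = re.compile(r'^Set value \(str\) \\REGISTRY\\.+?\\RunOnce\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<proc>\S+)$')
# advpack.dll,DelNodeRunDLL32 "<dir>" is the wextract clean-up command shape.
CLEANUP_RE = re.compile(r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$', re.IGNORECASE)


def build_tree(wpm_events, pid_names):
    """Parent -> [child PIDs] in first-seen order. The sandbox logs one row per
    write, so repeated rows for the same pair collapse to one edge."""
    names = dict(pid_names)
    children = defaultdict(list)
    for line in wpm_events:
        m = WPM_RE.match(line)
        if not m:
            continue
        writer, target = int(m['writer']), int(m['target'])
        names.setdefault(writer, m['image'])
        if target not in children[writer]:
            children[writer].append(target)
    return dict(children), names


def roots(children):
    """PIDs that are never a write target: the top of each chain."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def render(children, names, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '<unknown>')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def parse_cleanup(runonce_events):
    """Map writer process -> directory its wextract_cleanupN entry will delete."""
    dirs = {}
    for line in runonce_events:
        m = RUNONCE_RE.match(line)
        if not m or not m['name'].lower().startswith('wextract_cleanup'):
            continue
        cmd = re.sub(r'\\(.)', r'\1', m['data'])  # undo the report's escaping
        c = CLEANUP_RE.match(cmd)
        if c:
            dirs[m['proc']] = c['dir'].rstrip('\\')
    return dirs


def stages(children, names, cleanup):
    """One entry per extractor: its image, the IXP staging directory it
    registered for deletion, and the images it launched from there."""
    return [{'image': names[parent],
             'staging_dir': cleanup.get(names[parent]),
             'children': [names[c] for c in kids]}
            for parent, kids in children.items()]


if __name__ == '__main__':
    children, names = build_tree(WPM_EVENTS, PID_NAMES)
    for root in roots(children):
        print('\n'.join(render(children, names, root)))
    for s in stages(children, names, parse_cleanup(RUNONCE_EVENTS)):
        print(f"{s['image']} extracted to {s['staging_dir']} and ran {', '.join(s['children'])}")
```

The stage list is the thing to pivot on: the IXP00n.TMP directory names and the wextract_cleanupN RunOnce names identify the packer (the Windows self-extractor stub) regardless of the payload file names, which change per build.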
Processes
C:\Users\Admin\AppData\Local\Temp\bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe  (PID 2644)
  command line: "C:\Users\Admin\AppData\Local\Temp\bc1b53a7b100f7b087f09510e15e22541dd866ba61c3459c6c21e8cf335a0e7d.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitK7345.exe  (PID 1004)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitK7345.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr072505.exe  (PID 2824)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr072505.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku859820.exe  (PID 4332)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku859820.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 391KB
MD5: 3c324482bd6f133f600c1a875117cfb2
SHA1: a9e52bb0985756a4056c39ac322b77f8dce89f7c
SHA256: b21d6cfe73bd0dc4dd96c87bb57eed42f361fbd36764d4dcae479a13b37a712e
SHA512: f1c47debd83a810295af5c4cd2446f31c6fd780e5304089d237caf91bf790d7d754f61d779d9f63b20c4d21a317f64f779c79db053e834aff45d1451710c8cd8

Filesize: 11KB
MD5: 6b32fa9f5272a83ceb3f05207a463819
SHA1: 798a35e9ea7d24e61351abffd312c37b7ee1045a
SHA256: 41aedc3e975128a3476e2bd9140c729d88e14d2da0b08857be9172b6984884e6
SHA512: 1312da29742211db5870fee66c49d9b8558bc808dc22fd4990b98d8b6e20045096c926db28bbfaceb95c31c5f80943760fd8ad80bedaafe0edefd4b0dfc54b0b

Filesize: 359KB
MD5: 4834b62718b45fd61a7cccf21f8a337c
SHA1: d52af29d841782fc4216abeda848bfb7f8e77508
SHA256: f46e8db2d9f55994ee5a090a3e00c88c39b722ef0e18cbba91f4e8f827c15ca2
SHA512: fd2d6ba98fdb977f3d59813eec0a981028d3ca40c33a035c22e5bde273cb1d758e98a46b99e8e586bad4f8ce3f011665ebd6a4769ea0173709adca4d249c7846