Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:46
Static task
static1
Behavioral task
behavioral1
Sample
672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe
Resource
win10v2004-20241007-en
General
-
Target
672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe
-
Size
561KB
-
MD5
2fef668d92724195625e1d92cbdbc51d
-
SHA1
b0e4d44ea9234176c367206a513653f9b1f80be8
-
SHA256
672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153
-
SHA512
811d476ba30b2c1d058cbe9a3493a0a3aad6a0452b1b86bdcf86363eea5aaea8999c5e75d00798111cb10a9c73a1c4e9441688a90d49467262a8d52becc488ab
-
SSDEEP
12288:kMrGy908nilYgZz/NDw8LTbdEXPMkULCFHQMZBcGh:6yVnfY/95LTaEwHQwBrh
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c76-12.dat healer behavioral1/memory/1280-15-0x00000000005E0000-0x00000000005EA000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr772868.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr772868.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr772868.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr772868.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr772868.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr772868.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4376-22-0x0000000004E70000-0x0000000004EB6000-memory.dmp family_redline behavioral1/memory/4376-24-0x0000000004F30000-0x0000000004F74000-memory.dmp family_redline behavioral1/memory/4376-34-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-40-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-88-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-86-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-82-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-80-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-78-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-76-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-74-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-72-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-70-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-66-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-64-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-62-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-60-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-59-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-56-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-54-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-52-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-50-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-46-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-44-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-43-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-38-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-36-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-84-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-68-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-48-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-32-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-30-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-28-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-26-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline behavioral1/memory/4376-25-0x0000000004F30000-0x0000000004F6F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2092 ziLp6772.exe 1280 jr772868.exe 4376 ku631971.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr772868.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziLp6772.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziLp6772.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku631971.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1280 jr772868.exe 1280 jr772868.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1280 jr772868.exe Token: SeDebugPrivilege 4376 ku631971.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4904 wrote to memory of 2092 4904 672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe 83 PID 4904 wrote to memory of 2092 4904 672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe 83 PID 4904 wrote to memory of 2092 4904 672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe 83 PID 2092 wrote to memory of 1280 2092 ziLp6772.exe 84 PID 2092 wrote to memory of 1280 2092 ziLp6772.exe 84 PID 2092 wrote to memory of 4376 2092 ziLp6772.exe 97 PID 2092 wrote to memory of 4376 2092 ziLp6772.exe 97 PID 2092 wrote to memory of 4376 2092 ziLp6772.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe"C:\Users\Admin\AppData\Local\Temp\672fe2093565b07b9894e3a92cd067f1d1595166b5417794b7877eacd90aa153.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLp6772.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr772868.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku631971.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
407KB
MD5ac9302362f40969c2f5b106deffa5f85
SHA1116110ee39e98cf50c1163c3e8734365dd51a75f
SHA2569734876e56127779c16c56169e29afe98627f7b8c78daddffd2a6b215d23a14d
SHA512541ac86f7afaf2697c21c22de02c7365cb6ee5f4039510e85c9e3e0a3c924d424283003c2d5a83e4556bc18b90095b5a53e5265db61918d4ded7ff100e737d8b
-
Filesize
12KB
MD514eb297a713e4ef5115503f47f1945e3
SHA143c61e204d9a2453eef79a03ba733d64ab620518
SHA256f8b8831a73eefa6069f52d3f21981d4dd6ddda47082dcabb98111a2fdb50fedc
SHA512d1bf72f37c50fc3354d6b6f0f84e253be93985965e70ab59492858fa696041bcd1d62d5807ccb2dec1bffcce11a9a97b8bbd794fe94d6e9beb083ef5beb68f3f
-
Filesize
372KB
MD5d27ff91ccdcd0a00d9182b5c9e53e055
SHA1f9623c3f3cc2cfab207f714d8403901f03a3a110
SHA2564f9ad77b99653cd4be088bd7c754e898aabcce5b1c3d127be721ba47622ccd30
SHA512c73d6cf52ba9916e7cf6deec3413622aece1b7509976cbd04800b166d2e8ecbcb21f82590ceef2bcfe37f481d3006ba6ed48895fc4138baad1ee7d97518a372b