Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 06:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe
- Resource: win10v2004-20241007-en
General
- Target: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe
- Size: 530KB
- MD5: 3f90ea2885baa22de3fefc23d2c5f70e
- SHA1: bf7945f5484b8f5e11060b2a72a240b35e81d6f4
- SHA256: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea
- SHA512: 0b63e1e61b3ac11963ce77e82df9748c920db592785c756de600abd9cb58e1cda9b218dd6be87db64bf1aa5ab303202d99081c74d6d9530e6ac31731ac6b916d
- SSDEEP: 12288:0Mray90nUVhfBm+2EdgrVi50KVmQwqB5a9tYMw:WyzfUiqU5pAQ76Y
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- resource: behavioral1/files/0x0008000000023cb4-12.dat, yara_rule: healer
- resource: behavioral1/memory/4720-15-0x00000000001F0000-0x00000000001FA000-memory.dmp, yara_rule: healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
- description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1", process: jr199365.exe
- description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1", process: jr199365.exe
- description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1", process: jr199365.exe
- description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1", process: jr199365.exe
- description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1", process: jr199365.exe
- description: Key created, ioc: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, process: jr199365.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
- resource: behavioral1/memory/4692-22-0x0000000004A40000-0x0000000004A86000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-24-0x0000000007180000-0x00000000071C4000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-74-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-56-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-36-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-30-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-28-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-26-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-25-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-88-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-86-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-84-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-82-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-80-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-78-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-76-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-72-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-70-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-68-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-66-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-64-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-62-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-60-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-58-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-54-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-52-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-50-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-48-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-46-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-44-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-42-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-40-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-38-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-34-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-32-0x0000000007180000-0x00000000071BF000-memory.dmp, yara_rule: family_redline

Redline family
Executes dropped EXE (3 IoCs)
- pid: 2276, process: ziZa4751.exe
- pid: 4720, process: jr199365.exe
- pid: 4692, process: ku949742.exe

Windows security modification (1 IoC)
- description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0", process: jr199365.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", process: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"", process: ziZa4751.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
- pid: 5492, process: sc.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: ziZa4751.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: ku949742.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid: 4720, process: jr199365.exe
- pid: 4720, process: jr199365.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- description: Token: SeDebugPrivilege, pid: 4720, process: jr199365.exe
- description: Token: SeDebugPrivilege, pid: 4692, process: ku949742.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- description: PID 2520 wrote to memory of 2276, pid: 2520, process: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe, procid_target: 83
- description: PID 2520 wrote to memory of 2276, pid: 2520, process: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe, procid_target: 83
- description: PID 2520 wrote to memory of 2276, pid: 2520, process: cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe, procid_target: 83
- description: PID 2276 wrote to memory of 4720, pid: 2276, process: ziZa4751.exe, procid_target: 84
- description: PID 2276 wrote to memory of 4720, pid: 2276, process: ziZa4751.exe, procid_target: 84
- description: PID 2276 wrote to memory of 4692, pid: 2276, process: ziZa4751.exe, procid_target: 95
- description: PID 2276 wrote to memory of 4692, pid: 2276, process: ziZa4751.exe, procid_target: 95
- description: PID 2276 wrote to memory of 4692, pid: 2276, process: ziZa4751.exe, procid_target: 95
Processes
- C:\Users\Admin\AppData\Local\Temp\cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe (PID 2520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc4797d21d1392d6012dcf759bd349fb9196516393739f82f85b23fd7e1663ea.exe"
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZa4751.exe (PID 2276)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZa4751.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr199365.exe (PID 4720)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr199365.exe
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku949742.exe (PID 4692)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku949742.exe
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sc.exe (PID 5492)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  Signatures:
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 388KB
  MD5: 850d01d4082f8626c4923409d360f3ac
  SHA1: e4ae7a985e2b432dcbcbcb0a213f1f6027e21024
  SHA256: 67696f461fa94b5ff7ce494cf24b85b2b360c33c2063c1671b604770145046ac
  SHA512: bb5977f637b30696ea9a7037a180e51c151688b762076a7d0d71f22ce31ec8a5c18de227958aebd886ed9ebb2b1d92258362265203687cf8564be238adf947fe
- Filesize: 11KB
  MD5: 6c88aae9b0a0b7c5c05df6ea88bcddf3
  SHA1: 78646b7905bcc655b3ee0503a1f9ce4e1253beb2
  SHA256: 04f174f46d4a10267782c1c412d8aed0db51f2ae38a9dabe93fd7003f8eb3e1a
  SHA512: a48f6f76f3103ba91d10847447b48d5f2f5acf7c828256cad234686edd6ba616a9599a8ffc2ae24fc30b907244e9af78b5bd20941288d337339f079c4c9a1a35
- Filesize: 354KB
  MD5: a3739aba2cdaf9d2780f5e686a6af626
  SHA1: 569ed2494d43cf7d6c498410997a12024fd95ba2
  SHA256: 98bd37155160a745f6cc02ae4f02eeeed0b3ce92e175e0d326a8db580b00a8c4
  SHA512: db256c8050c30461815b66f3e8768555baa9cea3914c4536c18000d6408d5bc9f581a839b80889e5759dbad630091c6b87d44df8a8c23089ddb7049a20befe35