Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:53
Static task
static1
Behavioral task
behavioral1
Sample
d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe
Resource
win10v2004-20241007-en
General
-
Target
d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe
-
Size
530KB
-
MD5
b72b254d47df922dba89fcb0e41d1afa
-
SHA1
c951ff8257edf86bb979e80a8dbbfe0af37c2327
-
SHA256
d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267
-
SHA512
c60a196146afe076eb686c3c1a249cafa2d82401a3aaba6f276fea2f87244b279967cdc5d25f3d095b06c6eb472fe36976e98c80bd88a0085a9af7b9be1f5321
-
SSDEEP
12288:iMrGy9011xNcL+kQ5bbafwlH4R0ACWlIgazkIX1uoXXwS:Ayex+Qb2asnOTX8oXAS
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023c99-12.dat healer behavioral1/memory/2852-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr517190.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr517190.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr517190.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr517190.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr517190.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr517190.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/444-21-0x0000000004AF0000-0x0000000004B36000-memory.dmp family_redline behavioral1/memory/444-23-0x0000000004D00000-0x0000000004D44000-memory.dmp family_redline behavioral1/memory/444-24-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-27-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-88-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-85-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-83-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-81-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-79-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-77-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-75-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-73-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-71-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-69-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-67-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-65-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-63-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-61-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-59-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-57-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-55-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-53-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-51-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-49-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-47-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-45-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-43-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-41-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-39-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-37-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-35-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-33-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-31-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-29-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline behavioral1/memory/444-25-0x0000000004D00000-0x0000000004D3F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 4940 ziqV5700.exe 2852 jr517190.exe 444 ku191503.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr517190.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziqV5700.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziqV5700.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku191503.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2852 jr517190.exe 2852 jr517190.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2852 jr517190.exe Token: SeDebugPrivilege 444 ku191503.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1316 wrote to memory of 4940 1316 d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe 85 PID 1316 wrote to memory of 4940 1316 d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe 85 PID 1316 wrote to memory of 4940 1316 d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe 85 PID 4940 wrote to memory of 2852 4940 ziqV5700.exe 87 PID 4940 wrote to memory of 2852 4940 ziqV5700.exe 87 PID 4940 wrote to memory of 444 4940 ziqV5700.exe 98 PID 4940 wrote to memory of 444 4940 ziqV5700.exe 98 PID 4940 wrote to memory of 444 4940 ziqV5700.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe"C:\Users\Admin\AppData\Local\Temp\d87ffba1438c0cc6fcf5cd5ddf197c3818f0d9f1de7ba31eba36dd8d43e40267.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqV5700.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqV5700.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr517190.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr517190.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku191503.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku191503.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:444
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
388KB
MD58659ca6aaaed0fced9835a7726ca2d97
SHA188c50142b2ce64b36640c45d812ff44d40c3e4c4
SHA25667bdbc2bfb93f463a0f12a5b3b947908359a6a1ce190a231e6cf7e18b4ff9691
SHA512a89d36e9decf8189792944c1d8c6388d7902178bf45f18bb080097d54eabec5925e5b84620af179412f18ff5f57584ef2b6884da59d84521ca0b0b5fb4133240
-
Filesize
11KB
MD58a218172360fc67288ee893727ba20c0
SHA1f5c67ef1f36664bf9ffd895110b3533a7475f7a1
SHA256b68c7f3c88249ba27bdba10392426e28705a9217d48970dddc384cad684c766c
SHA5129acb449a84e08477b3652ec54e6f708c89455d45c41795de78232de238d0b25d08dbb281f273e2e1f3191f4408cb700de883fec9105adbce7b60e163f841a05b
-
Filesize
355KB
MD55986939f835819469c44b5017b85f2bb
SHA1b8e877ced22bb6d7d6ef0fa48f8d988a89e5e8a5
SHA256dfc57c684baf3dc08b9e4a0e6602d3b6ec6ae92d1ab560cf1b52798550ef6f36
SHA512ff4e1bbc3ded46c1281c3ad46dff4df6a4778373b0814a9d9ef9d38f2276ff304c41782259fb3b91d69dc474e1af3bcde059112cdb074decdec31b6ed29b6e56