Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 19:39
Static task
static1
Behavioral task
behavioral1
Sample
27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe
Resource
win10v2004-20241007-en
General
-
Target
27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe
-
Size
537KB
-
MD5
8411d781e8e9b23759b1a6444f172160
-
SHA1
81b0502da91bc0870fd098ef2ad7f7fce8c7dd36
-
SHA256
3906529fd66a07cec749b97e43dd02ee1a7f458543911af5400d369555fd6b7d
-
SHA512
1e1ab34fd38b3566e4db2025247bfcd1fedd94f3cecfe7f076972a7c5cf053e692c92bc5b3f59a324a3ab87011358c2dff0ba947e4d2a3fc87b447efb1cbae02
-
SSDEEP
12288:QMrby90M4uhV8fRN+ucZUjDH3wRyIQr554xqtENFaWLOE:by/4A4/GZsXwRG95AsE
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023ca0-12.dat healer behavioral1/memory/2128-15-0x0000000000F70000-0x0000000000F7A000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr724678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr724678.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr724678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr724678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr724678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr724678.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral1/memory/4072-22-0x00000000026F0000-0x0000000002736000-memory.dmp family_redline behavioral1/memory/4072-24-0x0000000004DE0000-0x0000000004E24000-memory.dmp family_redline behavioral1/memory/4072-28-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-60-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-88-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-84-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-82-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-80-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-78-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-76-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-74-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-70-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-68-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-66-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-64-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-56-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-54-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-52-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-50-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-48-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-46-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-44-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-42-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-40-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-38-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-36-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-34-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-32-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-30-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-86-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-73-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-62-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-59-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-26-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline behavioral1/memory/4072-25-0x0000000004DE0000-0x0000000004E1F000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 2152 ziRE4437.exe 2128 jr724678.exe 4072 ku207183.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr724678.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziRE4437.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ziRE4437.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ku207183.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2128 jr724678.exe 2128 jr724678.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2128 jr724678.exe Token: SeDebugPrivilege 4072 ku207183.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2152 2740 27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe 83 PID 2740 wrote to memory of 2152 2740 27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe 83 PID 2740 wrote to memory of 2152 2740 27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe 83 PID 2152 wrote to memory of 2128 2152 ziRE4437.exe 84 PID 2152 wrote to memory of 2128 2152 ziRE4437.exe 84 PID 2152 wrote to memory of 4072 2152 ziRE4437.exe 94 PID 2152 wrote to memory of 4072 2152 ziRE4437.exe 94 PID 2152 wrote to memory of 4072 2152 ziRE4437.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe"C:\Users\Admin\AppData\Local\Temp\27cb78261446f75ec6bdcda2a106a78e689e111da270961c81a18dcafb145240N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRE4437.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRE4437.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr724678.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr724678.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku207183.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku207183.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD587fb3375b9f2c7c49ef330a6df05e24c
SHA133f02cae469de429708f569b5d6e1c136ca54e58
SHA256b967dee6f606b56ee572902143f7fd3c83d26cb3f7cefb718f090ce966a4e38c
SHA512c3af1bc838ca3eb44fb66cd6d3aee10a57cf9d1c4ef8af104c358bd750bd34663611f055b5679870960785c2009594a1a1c4db037af5dcebfdd47069ae3946fa
-
Filesize
13KB
MD5e53ce5a11aa42ea91b2b879b707b0f27
SHA137593c16ba8560a23f0a6036ad6a9d4f1466f791
SHA256d59ae5dd2494e1548a1c9a1b0ff4db0298942e6c0e3cbe1e2cac55abc446d169
SHA512f5e2f84423fd7c50ffb037cc7e02b4d945be77249e47783c902c9c5f7dd254a308580a3d8a96d796317a50c8dc4b8ce33f2410f21af4d2b6795029e2b443c173
-
Filesize
352KB
MD5725e15819e6abc58fdca02e388e0e7d2
SHA1629a18547c586508dc4d000993e5572e89281f9b
SHA2567d775eee3b29f64ccbb96fe63b6926e1e39cc1aa1b23b148b9edfae8176124a2
SHA5127a20a67d9751afdc060c90e7be2aa4718ed4f2ed5edbd05ebde7f2d0d067afa2a70556026b5cf5732108a001e39d0f972d86e52828a1f8a307a040ef7c9227fa