Analysis

- max time kernel: 117s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 19:57

Static task: static1
Behavioral task: behavioral1
Sample: b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe
Resource: win10v2004-20241007-en
General

- Target: b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe
- Size: 522KB
- MD5: 2922a6f758ffc232991550b189627da6
- SHA1: e82fda861c639e1f52a35fe17938354763cf117d
- SHA256: b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05
- SHA512: 623585ebcd08de8ee8008d1415b76d0e24369e12a88a7d79dc543e03f6a17ce0e9f6e322d93336bc65c3747ee426998a9b1f0c505af185bc61b3c6b0882e6929
- SSDEEP: 12288:DMr7y90tAmHUVEajAbkuyrfhnmsTrLi/6ioe:EyGAUxacjy7hmsT6iioe
Malware Config

Extracted

- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

- behavioral1/files/0x0008000000023c7c-12.dat (yara_rule: healer)
- behavioral1/memory/4444-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp (yara_rule: healer)

Healer family
Modifies Windows Defender Real-time Protection settings (5 IoCs)

- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (jr648116.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (jr648116.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (jr648116.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (jr648116.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (jr648116.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (jr648116.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (3 IoCs)

- PID 2228: ziVh2895.exe
- PID 4444: jr648116.exe
- PID 948: ku606694.exe
Windows security modification (1 IoC)

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (jr648116.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)

- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ziVh2895.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ku606694.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ziVh2895.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)

- PID 4444: jr648116.exe
- PID 4444: jr648116.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

- Token: SeDebugPrivilege, PID 4444 (jr648116.exe)
- Token: SeDebugPrivilege, PID 948 (ku606694.exe)
Suspicious use of WriteProcessMemory (8 IoCs)

- PID 1600 wrote to memory of 2228 (b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe, procid_target 83)
- PID 1600 wrote to memory of 2228 (b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe, procid_target 83)
- PID 1600 wrote to memory of 2228 (b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe, procid_target 83)
- PID 2228 wrote to memory of 4444 (ziVh2895.exe, procid_target 84)
- PID 2228 wrote to memory of 4444 (ziVh2895.exe, procid_target 84)
- PID 2228 wrote to memory of 948 (ziVh2895.exe, procid_target 96)
- PID 2228 wrote to memory of 948 (ziVh2895.exe, procid_target 96)
- PID 2228 wrote to memory of 948 (ziVh2895.exe, procid_target 96)
Processes

- C:\Users\Admin\AppData\Local\Temp\b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1bc7740a21953e93c778bad7dd5f95ce5eb0ca858caedbafb1f6b2e70753f05.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1600
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVh2895.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2228
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr648116.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4444
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku606694.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 948
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads