Analysis

max time kernel: 116s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 20:29

Static task: static1
Behavioral task: behavioral1
Sample: b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe
Resource: win10v2004-20241007-en
General

Target: b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe
Size: 536KB
MD5: 1f72d5e71e0b4fac92ef6578b0f6b520
SHA1: b6abcc8347780604dc1f84450c14e70a471c03a2
SHA256: b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5ba
SHA512: cf7ac65ddc345f81a276dc35269341de5dc3a15d7a6e259fb797136aad52cdca1c479ad8ed5f90192ac3e4536d30f18cec0b1a2afef0c7b8a28c9602643d90e0
SSDEEP: 12288:LMr8y90eFp4Ei0tRt0+GLnT3EJ8+DR8aeZfBp:PyzFCx0tRt/GDT0J8aeZP
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)

resource | yara_rule
behavioral1/files/0x0008000000023cb6-12.dat | healer
behavioral1/memory/4784-15-0x0000000000310000-0x000000000031A000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr252405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr252405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr252405.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr252405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr252405.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr252405.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (35 IoCs)

resource | yara_rule
behavioral1/memory/3512-22-0x00000000024A0000-0x00000000024E6000-memory.dmp | family_redline
behavioral1/memory/3512-24-0x0000000002530000-0x0000000002574000-memory.dmp | family_redline
behavioral1/memory/3512-30-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-28-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-26-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-25-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-42-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-88-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-86-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-84-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-80-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-78-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-76-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-74-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-72-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-70-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-68-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-64-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-62-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-60-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-58-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-56-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-54-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-52-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-50-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-48-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-46-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-40-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-38-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-36-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-34-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-32-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-82-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-66-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline
behavioral1/memory/3512-44-0x0000000002530000-0x000000000256F000-memory.dmp | family_redline

Redline family
Executes dropped EXE (3 IoCs)

pid | Process
1980 | ziko1979.exe
4784 | jr252405.exe
3512 | ku283026.exe

Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr252405.exe
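The two Defender tables above (the Real-Time Protection policy values set to 1 and TamperProtection set to 0, all written by jr252405.exe) are the behaviour a detection should key on. The following Python is an added illustration, not part of the sandbox report or of the Healer sample: it parses registry "Set value" IoC lines in the report's own notation and flags a process that disables Defender components. The event list is constructed from the report's entries; the two trailing writes attributed to gpupdate.exe and setup.exe are assumed benign events added only to show what is not flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Registry paths in the report's \REGISTRY\MACHINE\... (HKLM) notation.
DEFENDER_RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# One "Set value" IoC exactly as the report prints it:
#   Set value (<type>) <key>\<value name> = "<data>" <process>
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "(.*)" (\S+)$')

# Constructed sample: the six Defender writes and the "Key created" line the report
# attributes to jr252405.exe, plus two assumed-benign writes (gpupdate.exe re-enabling
# real-time monitoring with "0", setup.exe adding an ordinary Run value).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr252405.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr252405.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr252405.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection jr252405.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr252405.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr252405.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr252405.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Tools\\updater.exe" setup.exe',
]


def parse_set_value(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Return (type, key, value_name, data, process), or None for lines that are
    not "Set value" events ("Key created" carries no value and is skipped)."""
    m = SET_VALUE_RE.match(line)
    return m.groups() if m else None


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Map one event to (indicator, value_name, process) when it weakens Defender."""
    parsed = parse_set_value(line)
    if parsed is None:
        return None
    _, key, name, data, proc = parsed
    key_l = key.lower()
    # Any Disable* policy value set to 1 under Real-Time Protection turns a component off.
    if key_l == DEFENDER_RTP_POLICY.lower() and name.lower().startswith("disable") and data == "1":
        return ("defender_rtp_component_disabled", name, proc)
    # TamperProtection = 0 under Features switches tamper protection off.
    if key_l == DEFENDER_FEATURES.lower() and name.lower() == "tamperprotection" and data == "0":
        return ("defender_tamper_protection_off", name, proc)
    return None


def scan(lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group findings by writing process: {process: {indicator: [value names]}}."""
    findings: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for line in lines:
        hit = classify(line)
        if hit:
            indicator, name, proc = hit
            findings[proc][indicator].append(name)
    return {proc: dict(inds) for proc, inds in findings.items()}


def verdict(findings: Dict[str, Dict[str, List[str]]], min_components: int = 3) -> Dict[str, str]:
    """'av_disabler' when a process switched tamper protection off or disabled at least
    min_components real-time protection components; any other hit is 'suspicious'."""
    out: Dict[str, str] = {}
    for proc, inds in findings.items():
        disabled = len(inds.get("defender_rtp_component_disabled", []))
        if "defender_tamper_protection_off" in inds or disabled >= min_components:
            out[proc] = "av_disabler"
        else:
            out[proc] = "suspicious"
    return out


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for proc, v in verdict(hits).items():
        print(proc, v, hits[proc])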
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziko1979.exe

Both values are the cleanup entries that the wextract (IExpress) self-extractor writes for itself: at the next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories. They remove the extracted files rather than re-launch anything, so this hit by itself is not payload persistence; there are two entries because the sample is a self-extractor that drops a second self-extractor (ziko1979.exe).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziko1979.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ku283026.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
4784 | jr252405.exe
4784 | jr252405.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 4784 | jr252405.exe
Token: SeDebugPrivilege | 3512 | ku283026.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 2028 wrote to memory of 1980 | 2028 | b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe | 84
PID 2028 wrote to memory of 1980 | 2028 | b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe | 84
PID 2028 wrote to memory of 1980 | 2028 | b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe | 84
PID 1980 wrote to memory of 4784 | 1980 | ziko1979.exe | 85
PID 1980 wrote to memory of 4784 | 1980 | ziko1979.exe | 85
PID 1980 wrote to memory of 3512 | 1980 | ziko1979.exe | 95
PID 1980 wrote to memory of 3512 | 1980 | ziko1979.exe | 95
PID 1980 wrote to memory of 3512 | 1980 | ziko1979.exe | 95
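The eight WriteProcessMemory IoCs above are three parent-to-child edges, each logged once per write. The Python below is an added example, not part of the report: it collapses those lines into a drop chain and renders it as a tree, which should agree with the Processes section. The event lines are constructed from the table above; the PID-to-image map for the written-to processes is taken from the Executes dropped EXE table, since the IoC lines only name the writer.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One WriteProcessMemory IoC as the report prints it:
#   PID <writer> wrote to memory of <target> <writer pid> <writer image> <procid_target>
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")

# Constructed from the report's eight IoCs (one line per write, so pairs repeat).
WRITE_EVENTS = [
    "PID 2028 wrote to memory of 1980 2028 b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe 84",
    "PID 2028 wrote to memory of 1980 2028 b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe 84",
    "PID 2028 wrote to memory of 1980 2028 b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe 84",
    "PID 1980 wrote to memory of 4784 1980 ziko1979.exe 85",
    "PID 1980 wrote to memory of 4784 1980 ziko1979.exe 85",
    "PID 1980 wrote to memory of 3512 1980 ziko1979.exe 95",
    "PID 1980 wrote to memory of 3512 1980 ziko1979.exe 95",
    "PID 1980 wrote to memory of 3512 1980 ziko1979.exe 95",
]

# PID -> image name for the written-to processes, from the "Executes dropped EXE" table.
DROPPED = {1980: "ziko1979.exe", 4784: "jr252405.exe", 3512: "ku283026.exe"}


def parse_writes(lines: List[str]) -> Tuple[Dict[int, Set[int]], Dict[int, str]]:
    """Collapse the IoC lines into writer -> {targets} plus the writer names they carry."""
    children: Dict[int, Set[int]] = defaultdict(set)
    names: Dict[int, str] = {}
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue  # not a WriteProcessMemory IoC; ignore
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        children[writer].add(target)
        names[writer] = image
    return dict(children), names


def roots(children: Dict[int, Set[int]]) -> List[int]:
    """Writers that are never themselves a target: the top of each chain."""
    targets = {t for ts in children.values() for t in ts}
    return sorted(p for p in children if p not in targets)


def render(children: Dict[int, Set[int]], names: Dict[int, str], pid: int, depth: int = 0) -> List[str]:
    """Indented text tree; children are sorted by PID so the output is stable."""
    out = [f"{'  ' * depth}{names.get(pid, '<unknown>')} (PID {pid})"]
    for child in sorted(children.get(pid, ())):
        out.extend(render(children, names, child, depth + 1))
    return out


def drop_chain(lines: List[str] = WRITE_EVENTS) -> List[str]:
    """Full tree for the given events; DROPPED supplies names for leaf processes."""
    children, names = parse_writes(lines)
    names = {**DROPPED, **names}
    tree: List[str] = []
    for r in roots(children):
        tree.extend(render(children, names, r))
    return tree


if __name__ == "__main__":
    print("\n".join(drop_chain()))
```

The same parser works on any report that uses this IoC format; a process that appears as a target but never as a writer (here jr252405.exe and ku283026.exe) is a leaf of the chain, and a writer that is never a target is the original sample.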
Processes

- C:\Users\Admin\AppData\Local\Temp\b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5809eef6113aed8d1ea58805175ec479c093cfa86d62107e30c544dcd0ae5baN.exe"
  PID: 2028
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziko1979.exe
    PID: 1980
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr252405.exe
      PID: 4784
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku283026.exe
      PID: 3512
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 382KB
MD5: 6b87024cba8409bfdd3ec28ab0840fb3
SHA1: cf7a9688818259221a09c14dc45effd49660e018
SHA256: 87bad030c63cc33105fe9e2a8a2dfd73afb9568861be9122e49f6ef660fcc14e
SHA512: 4b4bc0d62d6bbf62e63233b0340f982a5e09555af2d9aca3cc46666b174ebd1e22b1fc469ffca398c4ceba2fc79a824d158990a916a1b731ddb2fe44c01d9bec

Filesize: 13KB
MD5: c07e7dd09767fc403da8db079ee85538
SHA1: 1eaa2f6f4217f2927d9be1a8d1fb52e1d4e1b028
SHA256: d967abdd02a35ed38f41f70d66ded44595a7343fcfdcdf2c4ca7abbd691421be
SHA512: b189fdb21ad8d81840eeae2e1e14f3d972b9844af7589cbc193b6de9061f79b54b3726ba5c2551b68a86c82dbe1c17d76ef9e465960f5578a949837d5c2c7848

Filesize: 311KB
MD5: a0ae2f9a9ce483075bc2bb8b2803045a
SHA1: 533869845256977e3dbe29489ffbe4582a79339c
SHA256: 325c76ceb7c0fad76e6554adfd954a0b8aed24f3942a71fbbb25b288071afb22
SHA512: 1443808e4d17a5c232abb23daf20f51de362806a5d3cc78b530d87d8d5bc5f9c6884b741c7469f1eceb49ac0813f2a732936cb70886d35bf436dc4de5163958c