Analysis
Max time kernel: 149s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17/11/2024, 08:57
Static task: static1
Behavioral task: behavioral1
Sample: c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe
Resource: win10v2004-20241007-en
General
Target: c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe
Size: 524KB
MD5: 25c7b136cd199daf260f53739b6e9175
SHA1: 98bac98918d7f28bd2e52c5ab4c40cb006f05046
SHA256: c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5
SHA512: cdae12181720ced2515dd486d12bb54f86daad7deccfc47293f6173a6aa621318d6ac0ff89640464170a814bd75df4828cb6d6582ff90969c7eeaa8ad54d02a8
SSDEEP: 12288:/Mr2y90DEb1YEEBd6Zg1R8MoqN+inXmB00q5lEwt1:FyfLwdKgMqNRXKvqLJt1
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
- behavioral1/files/0x0008000000023cb4-12.dat (yara rule: healer)
- behavioral1/memory/4416-15-0x0000000000840000-0x000000000084A000-memory.dmp (yara rule: healer)

Healer family

Modifies Windows Defender Real-time Protection settings
- it272862.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- it272862.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- it272862.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- it272862.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- it272862.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- it272862.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (3 IoCs)
- PID 4112: ziIR5928.exe
- PID 4416: it272862.exe
- PID 4888: jr448641.exe

Windows security modification
- it272862.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"

Adds Run key to start application (2 TTPs, 2 IoCs)
- c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- ziIR5928.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- ziIR5928.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- jr448641.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4416: it272862.exe
- PID 4416: it272862.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 4416 (it272862.exe): Token: SeDebugPrivilege
- PID 4888 (jr448641.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2512 wrote to memory of 4112 (process c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe, procid_target 83)
- PID 2512 wrote to memory of 4112 (process c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe, procid_target 83)
- PID 2512 wrote to memory of 4112 (process c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe, procid_target 83)
- PID 4112 wrote to memory of 4416 (process ziIR5928.exe, procid_target 84)
- PID 4112 wrote to memory of 4416 (process ziIR5928.exe, procid_target 84)
- PID 4112 wrote to memory of 4888 (process ziIR5928.exe, procid_target 95)
- PID 4112 wrote to memory of 4888 (process ziIR5928.exe, procid_target 95)
- PID 4112 wrote to memory of 4888 (process ziIR5928.exe, procid_target 95)
Processes
C:\Users\Admin\AppData\Local\Temp\c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c154e9667117a6bec2757e7d8a337e0f21e222a476fe4e8e04b772e1f3390ce5.exe"
  PID: 2512
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIR5928.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIR5928.exe
    PID: 4112
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it272862.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it272862.exe
      PID: 4416
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr448641.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr448641.exe
      PID: 4888
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads