Analysis
max time kernel: 158s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/07/2023, 23:07
Static task: static1
Behavioral task: behavioral1
Sample: f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe
Resource: win10v2004-20230703-en
General
Target: f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe
Size: 389KB
MD5: a151f70de9e3f13901dae1cc9c6824ac
SHA1: af7c702c8ad57e92dc24c23a294c293386fbf548
SHA256: f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd
SHA512: 7b6a57305c2396dd79a7784ba05ee83910044a824931dcc549be20a2c5bd591bffe02e42074c52a018763055365cf381c01d2d29ea03f467f6a71eef94118693
SSDEEP: 6144:Kxy+bnr+ep0yN90QEG8NM8fQMG67cYWKZ5tDfOOD61WfVJ0GycXAhkm0ubvw:vMrey90zu8s1Yjz38WdJhycAkxt
Malware Config
Extracted
Family: redline
Botnet: roma
C2: 77.91.68.56:19071
auth_value: f099c2cf92834dbc554a94e1456cf576
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x00070000000230b0-145.dat | healer
behavioral1/files/0x00070000000230b0-146.dat | healer
behavioral1/memory/4960-147-0x00000000007A0000-0x00000000007AA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | p5261485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | p5261485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | p5261485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | p5261485.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | p5261485.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | p5261485.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid | Process
3828 | z7152793.exe
4960 | p5261485.exe
1508 | r4145619.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | p5261485.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z7152793.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z7152793.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4960 | p5261485.exe
4960 | p5261485.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4960 | p5261485.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4360 wrote to memory of 3828 | 4360 | f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe | 85
PID 4360 wrote to memory of 3828 | 4360 | f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe | 85
PID 4360 wrote to memory of 3828 | 4360 | f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe | 85
PID 3828 wrote to memory of 4960 | 3828 | z7152793.exe | 86
PID 3828 wrote to memory of 4960 | 3828 | z7152793.exe | 86
PID 3828 wrote to memory of 1508 | 3828 | z7152793.exe | 95
PID 3828 wrote to memory of 1508 | 3828 | z7152793.exe | 95
PID 3828 wrote to memory of 1508 | 3828 | z7152793.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe (PID: 4360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f490f9071d29b52c62c3b33240bef515f5d347b3aa5ddab04b5f28a27bb45dbd.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7152793.exe (PID: 3828)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7152793.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5261485.exe (PID: 4960)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5261485.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4145619.exe (PID: 1508)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4145619.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 206KB
MD5: 3d0c8df74c6186fc8e78ff91d3935419
SHA1: 4351b7dfea46f2080d6896a33134a4d333ddf263
SHA256: 3f2f546180de0fa87d4acdfbda1d0958112300e2e661c3f93adb6cc1a7a7b3be
SHA512: ab3edf8ef2163a986d3e6a9a0d3f258dfce452259819e5ed2d36edf2796a14045bdf3024a3571bd95e65ef631d3f7df2a59f819702c9cee0c4d5d0024014d6cb
Filesize: 13KB
MD5: 36f667b781bc85870f67b43f62c6d6b7
SHA1: 3656ee2910328e6a829efcc6abc76283682ceb2f
SHA256: 3a2426a1885e31f87a9bb661ee8b8291d984c4f930eca67afd2bc8ff52f5bc1d
SHA512: b5a5b091a59f571fb4325b7b5942257e1ffbd64be5588707c6b08de5f0be78fde93f93d7d44f9eda2797287219591ef73661d1cf506278e40fc7af8769d66d7a
Filesize: 175KB
MD5: 44d3e2ea3587c2df2d6180355d129957
SHA1: 48bf727b6a19269dc56e7b2fd57d880b62435c31
SHA256: 28f9d1d6436bc7cb38b9e8f3b40ae085e2c438107434c8b6eaa6001ac09863f9
SHA512: 6a16dd416f0e5d894432c71d8f9e0d791d54a434193226ee659725524a4154a3110758a64a6dd2a9cfb5e096187a0c468e06befc6830afcf97c7e43914db68f9