Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/07/2023, 14:25
Static task: static1
Behavioral task: behavioral1
  Sample: 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe
  Resource: win10v2004-20230703-en
General
Target: 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe
Size: 388KB
MD5: 34c46cc93785e979881fb48c2fb93657
SHA1: 91b387cdcdaed54b6fd687de4958abb1ef7aeee6
SHA256: 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9
SHA512: bf4dc8df4b5c618a480d6143bd11ddaad25284648926e5e45458e4e5c803bd50ab285003d83daeb9a96ba6d7359911fc576beb5586b3a8a6e042f2c844015a81
SSDEEP: 6144:Kny+bnr+Tp0yN90QEH+ixm4oXTxfU4+hAL25ZX7outpQPlE5rgjuuVvn17:NMrzy90YiU5egOZLounGE5rgrR
Malware Config
Extracted
Family: redline
Botnet: roma
C2: 77.91.68.56:19071
auth_value: f099c2cf92834dbc554a94e1456cf576
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x000800000002320e-145.dat | healer
behavioral1/files/0x000800000002320e-146.dat | healer
behavioral1/memory/4600-147-0x00000000002A0000-0x00000000002AA000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | p9429285.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | p9429285.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | p9429285.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | p9429285.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | p9429285.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | p9429285.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid | Process
4840 | z1092742.exe
4600 | p9429285.exe
3696 | r4007988.exe

Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | p9429285.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z1092742.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z1092742.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4600 | p9429285.exe
4600 | p9429285.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4600 | p9429285.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3676 wrote to memory of 4840 | 3676 | 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe | 85
PID 3676 wrote to memory of 4840 | 3676 | 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe | 85
PID 3676 wrote to memory of 4840 | 3676 | 996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe | 85
PID 4840 wrote to memory of 4600 | 4840 | z1092742.exe | 86
PID 4840 wrote to memory of 4600 | 4840 | z1092742.exe | 86
PID 4840 wrote to memory of 3696 | 4840 | z1092742.exe | 92
PID 4840 wrote to memory of 3696 | 4840 | z1092742.exe | 92
PID 4840 wrote to memory of 3696 | 4840 | z1092742.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\996b2f6c1339f7062a7f84fb604c11a87a209541ba064215cc68abc3affc29a9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3676
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1092742.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1092742.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4840
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9429285.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9429285.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4600
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4007988.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4007988.exe
      - Executes dropped EXE
      PID: 3696
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 206KB
  MD5: 0284c2d99e9fecdc6c834c877b235320
  SHA1: a2e341c5b572fcb8315a2cfd8a287a9e42f66f7b
  SHA256: 21963649619f64bf19221f89c85478e5c576b9bf9cf109e3bc3a5b644b02a98e
  SHA512: e8d6fdc9352e4f8325d05b00e7ef740066ed22dcef9980e7225b7a215a82035a70548b8ed9d9de467bc3347aa7933369f668863b3f3ca2fce3d524c889e7995c
- Filesize: 13KB
  MD5: 3398b9973116cc2e6a4ced31e2ea092b
  SHA1: 09cc697a432974eb154df12857281578d44cbbdc
  SHA256: c31389c0ac6517e0f84de7ebd4aefc39c388eab419bed2afd6bd006718315048
  SHA512: 36909b3b6c59eb515ea752b34eec3d34969a88c009ef0c43b32af7eda3523c8cb808ab188f951ef868615f7bca0529067155065a2ebd8cae0dcdb725333c4518
- Filesize: 174KB
  MD5: 37922bfe8cad629c818e82e5030b5526
  SHA1: e3253479794f11adb660374e700afdebdd4bee6b
  SHA256: 9be913ce6755090fa7d68ec28068c45ac82f578905c0c2fbafd55f1586e54745
  SHA512: 67ecaaacb0bba96060eeacc3fe4fbb5590e247d7a7b3114d154f78003ff736a319cb708354589feb08b2dfda25b7cac4f8c622ae185a0df34aa028cf0578e364