Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/08/2023, 03:54
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe
  - Resource: win10v2004-20230703-en
General
- Target: 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe
- Size: 505KB
- MD5: 23a107a1fe6ee986f4721ec19f136399
- SHA1: a00ed93e9bd11a00a6061b8429df24f8df4f61e1
- SHA256: 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897
- SHA512: f660d8e17f2a24f990a6c18ce89435ec2fd8572b9b21abdc04f6c6d1a8e88b7f1d185c89be5b8ffb875c7f6cbfa8a406d367e9767d48bc59d71561b3d8dac0f2
- SSDEEP: 12288:XMrIy90P5Uwb3usu2e1fhAXMQIdfDCILlLAs1EVh9uv:fy8fb3QMMu9S
Malware Config
Extracted
- Family: redline
- Botnet: dava
- C2: 77.91.124.54:19071
- auth_value: 3ce5222c1baaa06681dfe0012ce1de23
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000023238-155.dat | healer
behavioral1/files/0x0007000000023238-156.dat | healer
behavioral1/memory/5056-157-0x0000000000810000-0x000000000081A000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | h8498691.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h8498691.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h8498691.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h8498691.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h8498691.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h8498691.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid | Process
4808 | x4665754.exe
3068 | x1984678.exe
4120 | g9953098.exe
5056 | h8498691.exe
3736 | i7767952.exe
Windows security modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | h8498691.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x4665754.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x1984678.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5056 | h8498691.exe
5056 | h8498691.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5056 | h8498691.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 624 wrote to memory of 4808 | 624 | 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe | 82
PID 624 wrote to memory of 4808 | 624 | 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe | 82
PID 624 wrote to memory of 4808 | 624 | 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe | 82
PID 4808 wrote to memory of 3068 | 4808 | x4665754.exe | 83
PID 4808 wrote to memory of 3068 | 4808 | x4665754.exe | 83
PID 4808 wrote to memory of 3068 | 4808 | x4665754.exe | 83
PID 3068 wrote to memory of 4120 | 3068 | x1984678.exe | 84
PID 3068 wrote to memory of 4120 | 3068 | x1984678.exe | 84
PID 3068 wrote to memory of 4120 | 3068 | x1984678.exe | 84
PID 3068 wrote to memory of 5056 | 3068 | x1984678.exe | 85
PID 3068 wrote to memory of 5056 | 3068 | x1984678.exe | 85
PID 4808 wrote to memory of 3736 | 4808 | x4665754.exe | 94
PID 4808 wrote to memory of 3736 | 4808 | x4665754.exe | 94
PID 4808 wrote to memory of 3736 | 4808 | x4665754.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe (PID 624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4665754.exe (PID 4808)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4665754.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1984678.exe (PID 3068)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1984678.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9953098.exe (PID 4120)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9953098.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8498691.exe (PID 5056)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8498691.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7767952.exe (PID 3736)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7767952.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads