Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
17/08/2023, 09:42
Static task
static1
Behavioral task
behavioral1
Sample
636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe
Resource
win10v2004-20230703-en
General
-
Target
636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe
-
Size
564KB
-
MD5
0a35f9f79e11f242b6f7b188cb412889
-
SHA1
0dbefff228a0ae40ef3b48a747cefe0a79f8259d
-
SHA256
636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312
-
SHA512
a567244f44be5518f068babeedd87fbad34dd99890c83c9ce3d74b3e32fb7880ea93c71d0d74001a7325d83f5aff6709488b861bbd41b430957daba94c7179c1
-
SSDEEP
6144:Kdy+bnr+Pp0yN90QEUls0ZWQ4iXkW8nZNXcPE6Nsaimc58KteAXaLFdQ4/SshAV5:PMrry90KlVqiq6amg4x6shKJ4YWE5l
Malware Config
Extracted
redline
dava
77.91.124.54:19071
-
auth_value
3ce5222c1baaa06681dfe0012ce1de23
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/files/0x00080000000231db-152.dat healer behavioral1/files/0x00080000000231db-153.dat healer behavioral1/memory/2116-154-0x0000000000580000-0x000000000058A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection r5634742.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" r5634742.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" r5634742.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" r5634742.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" r5634742.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" r5634742.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
pid Process 1500 z4894357.exe 2360 z7400639.exe 2116 r5634742.exe 3596 s8920502.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" r5634742.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z4894357.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z7400639.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2116 r5634742.exe 2116 r5634742.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2116 r5634742.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3508 wrote to memory of 1500 3508 636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe 81 PID 3508 wrote to memory of 1500 3508 636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe 81 PID 3508 wrote to memory of 1500 3508 636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe 81 PID 1500 wrote to memory of 2360 1500 z4894357.exe 82 PID 1500 wrote to memory of 2360 1500 z4894357.exe 82 PID 1500 wrote to memory of 2360 1500 z4894357.exe 82 PID 2360 wrote to memory of 2116 2360 z7400639.exe 83 PID 2360 wrote to memory of 2116 2360 z7400639.exe 83 PID 2360 wrote to memory of 3596 2360 z7400639.exe 92 PID 2360 wrote to memory of 3596 2360 z7400639.exe 92 PID 2360 wrote to memory of 3596 2360 z7400639.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe"C:\Users\Admin\AppData\Local\Temp\636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4894357.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4894357.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7400639.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7400639.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r5634742.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r5634742.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s8920502.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s8920502.exe4⤵
- Executes dropped EXE
PID:3596
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
431KB
MD511efa528c0a09577d61cbeccf8207969
SHA1ed7f7aae19195a7b18dc7db56a2846b740b095c3
SHA256d925b3391a6f6f3b7a82dcb99ecf5ae6ec1e545e824024b1526b12644c8ddc0a
SHA512a493de3a054fa9ffa8a76ec29ec6d523ccb7cb30bee9813ab102b4e908b7faccc6dfd21562e3db50dc3e397d7730f77b4846dd5cfdebfcad691776129c33962b
-
Filesize
431KB
MD511efa528c0a09577d61cbeccf8207969
SHA1ed7f7aae19195a7b18dc7db56a2846b740b095c3
SHA256d925b3391a6f6f3b7a82dcb99ecf5ae6ec1e545e824024b1526b12644c8ddc0a
SHA512a493de3a054fa9ffa8a76ec29ec6d523ccb7cb30bee9813ab102b4e908b7faccc6dfd21562e3db50dc3e397d7730f77b4846dd5cfdebfcad691776129c33962b
-
Filesize
206KB
MD5e5529e0b6c75da8b8a72d2b83c425f24
SHA1567e7a2ce9861873aaafef89b8a4345b3e3c1bdf
SHA2562e1c01e207072f56b1cc3f84e451cad1a206834f2f7458eb12206253d9b854f0
SHA5120ae818979d5940158c92e1452fba6dba2eec91f2b38a49b5719fbd1470bf3dd53b830b89f0418f32b23a14aa6ed6b0320247b6dcebe336b8b4773812ac9d67a0
-
Filesize
206KB
MD5e5529e0b6c75da8b8a72d2b83c425f24
SHA1567e7a2ce9861873aaafef89b8a4345b3e3c1bdf
SHA2562e1c01e207072f56b1cc3f84e451cad1a206834f2f7458eb12206253d9b854f0
SHA5120ae818979d5940158c92e1452fba6dba2eec91f2b38a49b5719fbd1470bf3dd53b830b89f0418f32b23a14aa6ed6b0320247b6dcebe336b8b4773812ac9d67a0
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
174KB
MD5d6697deb3ae5b7fb32f56cbe43452459
SHA18e580e96222a22c2b5016be25a034f6e011c5e78
SHA256fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53
SHA512020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1
-
Filesize
174KB
MD5d6697deb3ae5b7fb32f56cbe43452459
SHA18e580e96222a22c2b5016be25a034f6e011c5e78
SHA256fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53
SHA512020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1