Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/08/2023, 00:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe
- Resource: win10v2004-20230703-en
General
- Target: e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe
- Size: 829KB
- MD5: bff3027ab899adac09150fc37049d99b
- SHA1: f09b927c6f8d525f8428ee87a271c878ec03d424
- SHA256: e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13
- SHA512: 25ed8c6183ab9b7d2d3b3c484c338a6bb4c5fc5388673960ae36c57b265a7b143455c17cee0243eda605160c45c75e99051fc4d7e1d9248f439460565ebd0390
- SSDEEP: 24576:ryHtAiOUNH9KkWy9H/sVUjclnqreevmvpDraP:eNAzUJE6sKjcqre0yD
Malware Config
Extracted
- redline
- nrava
- 77.91.124.82:19071
- auth_value: 43fe50e9ee6afb85588e03ac9676e2f7
Signatures
- Detects Healer an antivirus disabler dropper (3 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x0007000000023295-33.dat: healer
  - behavioral1/files/0x0007000000023295-34.dat: healer
  - behavioral1/memory/4492-35-0x0000000000A70000-0x0000000000A7A000-memory.dmp: healer
- Modifies Windows Defender Real-time Protection settings
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (a1536986.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a1536986.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a1536986.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a1536986.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a1536986.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a1536986.exe)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x0006000000023293-43.dat: family_redline
  - behavioral1/files/0x0006000000023293-44.dat: family_redline
  - behavioral1/memory/5116-45-0x0000000000110000-0x0000000000140000-memory.dmp: family_redline
- Executes dropped EXE (7 IoCs)
  pid / Process:
  - 4020: v2690461.exe
  - 3404: v2754445.exe
  - 3308: v2353412.exe
  - 4044: v4515141.exe
  - 4492: a1536986.exe
  - 3056: b5079198.exe
  - 5116: c5869073.exe
- Windows security modification
  description / ioc / Process:
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (a1536986.exe)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v2690461.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (v2754445.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (v2353412.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (v4515141.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
  - 4492: a1536986.exe
  - 4492: a1536986.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeDebugPrivilege | 4492 | a1536986.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target:
  - PID 852 wrote to memory of 4020 | 852 | e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe | 81
  - PID 852 wrote to memory of 4020 | 852 | e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe | 81
  - PID 852 wrote to memory of 4020 | 852 | e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe | 81
  - PID 4020 wrote to memory of 3404 | 4020 | v2690461.exe | 82
  - PID 4020 wrote to memory of 3404 | 4020 | v2690461.exe | 82
  - PID 4020 wrote to memory of 3404 | 4020 | v2690461.exe | 82
  - PID 3404 wrote to memory of 3308 | 3404 | v2754445.exe | 83
  - PID 3404 wrote to memory of 3308 | 3404 | v2754445.exe | 83
  - PID 3404 wrote to memory of 3308 | 3404 | v2754445.exe | 83
  - PID 3308 wrote to memory of 4044 | 3308 | v2353412.exe | 84
  - PID 3308 wrote to memory of 4044 | 3308 | v2353412.exe | 84
  - PID 3308 wrote to memory of 4044 | 3308 | v2353412.exe | 84
  - PID 4044 wrote to memory of 4492 | 4044 | v4515141.exe | 85
  - PID 4044 wrote to memory of 4492 | 4044 | v4515141.exe | 85
  - PID 4044 wrote to memory of 3056 | 4044 | v4515141.exe | 91
  - PID 4044 wrote to memory of 3056 | 4044 | v4515141.exe | 91
  - PID 4044 wrote to memory of 3056 | 4044 | v4515141.exe | 91
  - PID 3308 wrote to memory of 5116 | 3308 | v2353412.exe | 92
  - PID 3308 wrote to memory of 5116 | 3308 | v2353412.exe | 92
  - PID 3308 wrote to memory of 5116 | 3308 | v2353412.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e4e2093fa231ea941fd1ea1959bc090565576fe04c856ab803a1cab2726d3d13.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 852
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2690461.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2690461.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4020
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2754445.exe (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2754445.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3404
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2353412.exe (level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2353412.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3308
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4515141.exe (level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4515141.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 4044
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1536986.exe (level 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1536986.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4492
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5079198.exe (level 6)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5079198.exe
            - Executes dropped EXE
            PID: 3056
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5869073.exe (level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5869073.exe
          - Executes dropped EXE
          PID: 5116
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 723KB
  MD5: 58f2d79dfd5340ac394a14664dc9fcab
  SHA1: 94e0f50b557f251537bf08e26c8316726f1fe3cc
  SHA256: c2f701f81bc43ea469c2c585ef0fe6f1101b1809224c59af3fcaf1a5f931f058
  SHA512: eba47d92f535931fc194cfe80d7fa1bec60f8309da4e1031f392f48f833c7f88345086f73f936d3cc2f6605bcf6b8a6e08031db5f2931a69049caddfaf252df7
- Filesize: 497KB
  MD5: 6d1c325e0a4ce83c09d3229433e99374
  SHA1: 0cb20c9161e0453b152fa3c7767506802727a3ac
  SHA256: e37ba54c5fe4f190d6fac14256439875b2429ae3f2ee7f0c68b38896ec502ada
  SHA512: 8fcf58c1d9cfe71a11064743d601aa59e625de0b6705bde0c60392bc9d4990dd37de79f5a8282f6058367e5f342b74a8bd384341a8457ba2085c7299f4b08bf9
- Filesize: 373KB
  MD5: f58c6e9d9598ae0d9e89fa3a711139a1
  SHA1: e225c44a459d5ebb0a6d32fe700c23a28d0e26ad
  SHA256: 5f38aa1e966c0364188084e130596dac6d2f0d3286f3cdea932dfdb2be8f6325
  SHA512: ea1997f19ab6b06e8b7f9ec2154d1ad70136c2878bda0c728acbc65cd64dc0a3946356d4543d6871b2a569b704babf177af817dacf0cb94db8af80ea15c56924
- Filesize: 173KB
  MD5: 732f5d6186afc03e5d23d68fc5300317
  SHA1: 662145dcc54880a51c8228547b66cc5d40e6f8b2
  SHA256: d6e72422ccc6ac4c3f6632899e799519e5f9a19f4b0a03b443aa6b8097284f74
  SHA512: 1a838219f697d3e4da7237a2c361d73d01bc9381c4e3071ff1a0d0acbefb9b2213a10f5b78b17d1bea98d9de996ae934589cdbc6590587a5caf3f0bdeba65d6e
- Filesize: 217KB
  MD5: e05fe4cab2f50095e5f4721657db23bd
  SHA1: e6fcc2436fbb4ef53f2bc4c1cfdc5e18aa6fea5c
  SHA256: 465717473f00930c0b1fe1bda9e4ef9ef77f9c53949c1050d2d07884d6caac5a
  SHA512: 16c3f7e039bccbb47fce9f7176d7c976e64efd3568d4207da22276712259eb1d6669478280fba587e88242305f962b46f5ac10cde714cc0e4ca37c641d169967
- Filesize: 15KB
  MD5: 8e5709c069a18f80714e7e2bfbc6ad07
  SHA1: 135c67e1dd2551ccd53818f49a0cbcaa4a535218
  SHA256: 10f2929a8732e31baec5f5c14f3694750ed98a10c6a8f340aa0b70441920073c
  SHA512: 17b18222edff73c46ccb96ca5020a75e047780c732b774b5bbb2de70b9e1ca16c0a1503c52dcae6253a1c80ab0820d96973149dddfee01e1bef757c011dee2a6
- Filesize: 140KB
  MD5: 85acccb3018b81c09d4bc010626836a8
  SHA1: 77968cb4762844ce51c4e66c1347f65f02730edc
  SHA256: ef7a683e80ff5df73e839e2228e53240e97f5d620ca6fd07bdf44d35779ca6a8
  SHA512: 1bc457dadd55116102f21d0daab560d3858f9c709cfd5df53e8a6d9fd9063f0bc9ac216b4529aa25d759f512f2b684f2c67e976bbbde0e3534c77b740ddc0c10