Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 28/08/2023, 12:26
Static task: static1
Behavioral task: behavioral1
Sample: 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
Resource: win10v2004-20230703-en
General
Target: 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
Size: 828KB
MD5: 4f6173c4eabece2880bb330193777340
SHA1: 8c37da2e48e9d9db4e7807ca090b66601b8be9aa
SHA256: 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839
SHA512: c065f8ac1cf5c0fdee2c4ce0433fb111f27b56694f5b6fb6405167bfad1d24547fbffcaf1e29ade3e39f81b1613dc1ea5dec99b7e6291e2327878d71c6264ec2
SSDEEP: 24576:/yBaeSkYgBrjpsamJTuBn8kO/a+sAwhX:KBaexbSVT48kO/gAw
Malware Config
Extracted
Family: redline
Botnet: stas
C2: 77.91.124.82:19071
Attributes:
  auth_value: db6d96c4eade05afc28c31d9ad73a73c
Signatures
Detects Healer, an antivirus disabler dropper 3 IoCs
resource  yara_rule
behavioral1/files/0x00070000000231be-33.dat  healer
behavioral1/files/0x00070000000231be-34.dat  healer
behavioral1/memory/2980-35-0x0000000000C30000-0x0000000000C3A000-memory.dmp  healer
Modifies Windows Defender Real-time Protection settings 6 IoCs
description  ioc  Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a9911182.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a9911182.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a9911182.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a9911182.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a9911182.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a9911182.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 7 IoCs
pid  Process
4972 v9643266.exe
3068 v0013958.exe
60 v1743440.exe
3728 v6768733.exe
2980 a9911182.exe
4164 b1779535.exe
3840 c9201930.exe
Windows security modification 1 IoCs
description  ioc  Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a9911182.exe
Adds Run key to start application 2 TTPs 5 IoCs
description  ioc  Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v0013958.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v1743440.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v6768733.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v9643266.exe
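Two things in the registry rows above deserve a second look. The Windows Defender writes are plain policy values, so they can be triaged from ordinary registry telemetry (Sysmon Event ID 13 "value set" records, or the "Set value" rows a sandbox prints) without re-running the sample. The RunOnce entries, on the other hand, are not persistence at all: a wextract_cleanupN value that calls advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory is the temp-directory cleanup that IExpress-built self-extractors (wextract) register, which is why each nested stage here unpacks into its own IXP00N.TMP folder. The Python below is an added example, not code from this report or from any sandbox product: it parses "Set value" rows in the format this page uses, flags Defender protections being disabled or TamperProtection being zeroed, and separates the self-extractor cleanup entries from Run/RunOnce entries that actually launch a program. The first four sample rows are copied from this page; the fifth row (value Updater, process example.exe) is constructed for contrast and does not come from the report.

```python
import re
from dataclasses import dataclass

# One "Set value" row of the Signatures tables on this page:
#   Set value (int|str) \REGISTRY\...\Key\ValueName = "data" process.exe
# The key path may contain spaces, so it is matched non-greedily up to ' = "'.
SET_VALUE_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

# Constructed sample input. The first four rows are copied from this report; the
# last row (value "Updater", process example.exe) is hypothetical and exists only
# to show a Run entry that really does start a program.
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a9911182.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a9911182.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a9911182.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v6768733.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\upd.exe" example.exe
'''


@dataclass(frozen=True)
class Finding:
    category: str   # "defender_tamper", "sfx_cleanup" or "autostart"
    process: str
    key: str
    name: str
    data: str


def classify_line(line):
    """Classify one 'Set value' row; returns None for rows that are not of interest."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    _, path, data, process = m.groups()
    key, _, name = path.rpartition('\\')
    low_key = key.lower()

    # Defender policy values: any Disable* set to 1, or TamperProtection set to 0.
    if '\\windows defender\\' in low_key:
        disabled = name.lower().startswith('disable') and data == '1'
        tamper_off = name == 'TamperProtection' and data == '0'
        if disabled or tamper_off:
            return Finding('defender_tamper', process, key, name, data)
        return None

    # Run / RunOnce autostart locations.
    if low_key.endswith('\\currentversion\\run') or low_key.endswith('\\currentversion\\runonce'):
        # wextract_cleanupN + advpack.dll,DelNodeRunDLL32 is the IExpress self-extractor
        # deleting its own IXP00N.TMP directory at next logon, not a payload autostart.
        if re.fullmatch(r'wextract_cleanup\d+', name) and 'advpack.dll,DelNodeRunDLL32' in data:
            return Finding('sfx_cleanup', process, key, name, data)
        return Finding('autostart', process, key, name, data)
    return None


def classify_events(text):
    """Classify every row in a block of text, skipping rows that do not match."""
    return [f for f in (classify_line(line) for line in text.splitlines()) if f]


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify_events(SAMPLE_EVENTS):
        print(f"{f.category:16} {f.process:14} {f.name} = {f.data!r}")
```

On a live host the same classification can be applied to the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection values directly; Defender honours those policy values, so a Disable* value of 1 written by an unsigned binary in a user's temp directory is a strong signal on its own, regardless of what else the dropper does.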
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
2980 a9911182.exe
2980 a9911182.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege 2980 a9911182.exe
Suspicious use of WriteProcessMemory 20 IoCs
description  pid  Process  procid_target
PID 2740 wrote to memory of 4972 2740 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe 81
PID 2740 wrote to memory of 4972 2740 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe 81
PID 2740 wrote to memory of 4972 2740 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe 81
PID 4972 wrote to memory of 3068 4972 v9643266.exe 82
PID 4972 wrote to memory of 3068 4972 v9643266.exe 82
PID 4972 wrote to memory of 3068 4972 v9643266.exe 82
PID 3068 wrote to memory of 60 3068 v0013958.exe 83
PID 3068 wrote to memory of 60 3068 v0013958.exe 83
PID 3068 wrote to memory of 60 3068 v0013958.exe 83
PID 60 wrote to memory of 3728 60 v1743440.exe 84
PID 60 wrote to memory of 3728 60 v1743440.exe 84
PID 60 wrote to memory of 3728 60 v1743440.exe 84
PID 3728 wrote to memory of 2980 3728 v6768733.exe 85
PID 3728 wrote to memory of 2980 3728 v6768733.exe 85
PID 3728 wrote to memory of 4164 3728 v6768733.exe 93
PID 3728 wrote to memory of 4164 3728 v6768733.exe 93
PID 3728 wrote to memory of 4164 3728 v6768733.exe 93
PID 60 wrote to memory of 3840 60 v1743440.exe 94
PID 60 wrote to memory of 3840 60 v1743440.exe 94
PID 60 wrote to memory of 3840 60 v1743440.exe 94
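The WriteProcessMemory rows are the raw form of the process tree shown below: each parent writes into its freshly created child, and most parent/child pairs appear three times because the sandbox records every WriteProcessMemory call made during process creation. An analyst who wants a parent-chain detection (the stage-six payload only ever runs under a chain of five IXP00N.TMP stages) needs the edges deduplicated and each leaf's full lineage. The Python below is an added example, not code from this report or from the sandbox: it parses rows in this page's format, dedupes the edges, names the children from the "Executes dropped EXE" row, and returns the rendered tree plus the root-to-leaf lineage of each terminal process. The input rows are copied from this page; the first edge is kept in triplicate deliberately to exercise the deduplication.

```python
import re
from collections import defaultdict

# One "Suspicious use of WriteProcessMemory" row as printed in this report:
#   PID <parent> wrote to memory of <child> <parent> <parent image> <target id>
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+')

# Constructed input copied from the report's rows. The first edge is kept in
# triplicate on purpose: the sandbox logs one row per WriteProcessMemory call,
# so the same parent/child pair shows up several times and must be deduplicated.
WPM_EVENTS = """
PID 2740 wrote to memory of 4972 2740 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe 81
PID 2740 wrote to memory of 4972 2740 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe 81
PID 2740 wrote to memory of 4972 2740 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe 81
PID 4972 wrote to memory of 3068 4972 v9643266.exe 82
PID 3068 wrote to memory of 60 3068 v0013958.exe 83
PID 60 wrote to memory of 3728 60 v1743440.exe 84
PID 3728 wrote to memory of 2980 3728 v6768733.exe 85
PID 3728 wrote to memory of 4164 3728 v6768733.exe 93
PID 60 wrote to memory of 3840 60 v1743440.exe 94
"""

# The "Executes dropped EXE" row, which supplies image names for the child PIDs.
EXEC_TABLE = ("4972 v9643266.exe 3068 v0013958.exe 60 v1743440.exe 3728 v6768733.exe "
              "2980 a9911182.exe 4164 b1779535.exe 3840 c9201930.exe")


def parse_edges(text):
    """Return deduplicated (parent_pid, child_pid) edges and the parents' image names."""
    edges, names = set(), {}
    for m in WPM_RE.finditer(text):
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        edges.add((parent, child))
        names[parent] = image
    return edges, names


def parse_exec_table(text):
    """Map pid -> image from a flattened 'pid Process' row."""
    return {int(pid): image for pid, image in re.findall(r'(\d+) (\S+\.exe)', text)}


def build_tree(edges):
    """Children lists, child->parent map, and the root PIDs (parents that are nobody's child)."""
    children, parents = defaultdict(list), {}
    for parent, child in sorted(edges):
        children[parent].append(child)
        parents[child] = parent
    roots = sorted({p for p, _ in edges if p not in parents})
    return children, parents, roots


def lineage(parents, names, pid):
    """Root-to-pid chain of image names, e.g. for a parent-chain detection rule."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [names.get(p, str(p)) for p in reversed(chain)]


def render(children, names, pid, depth=0):
    """Indented text rendering of the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def analyse(wpm_text=WPM_EVENTS, exec_text=EXEC_TABLE):
    edges, names = parse_edges(wpm_text)
    names.update(parse_exec_table(exec_text))
    children, parents, roots = build_tree(edges)
    leaves = [pid for pid in names if pid not in children]
    return {
        "edges": len(edges),
        "roots": roots,
        "tree": [line for r in roots for line in render(children, names, r)],
        "lineage": {pid: lineage(parents, names, pid) for pid in leaves},
    }


if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["tree"]))
    for pid, chain in result["lineage"].items():
        print(pid, " -> ".join(chain))
```

The same edge extraction works on Sysmon Event ID 1 (ParentProcessId/ProcessId) or Event ID 10 data, where the sandbox's triplicated rows have no equivalent and the deduplication is simply a no-op.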
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe"
  PID: 2740
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9643266.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9643266.exe
    PID: 4972
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0013958.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0013958.exe
      PID: 3068
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1743440.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1743440.exe
        PID: 60
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6768733.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6768733.exe
          PID: 3728
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9911182.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9911182.exe
            PID: 2980
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1779535.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1779535.exe
            PID: 4164
            - Executes dropped EXE
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9201930.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9201930.exe
          PID: 3840
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 723KB
MD5: bdb86b8daaedc1724fb4587ec3d9a72e
SHA1: 0048130b594d6f456b12131251d2acc762a20eea
SHA256: 49bda02a05128989c164dadcb281e079a5e8d4c3b44091ceac66025dc0111118
SHA512: 9ec4c661eccdb3be3646cd76a836db8c0eb8f1c0823468bb2b75734fe943b5804c0b946a0404fdb93920e3f2148fb2740da729d260cdd17d384dfbe6bec608bb

Filesize: 497KB
MD5: 5a9f1568fbf7aacb6539408403134e49
SHA1: b4544aa18b65f4a70360d2f1d6a74144915873a5
SHA256: 0e6dbecb9e2763d76f2a9e1ff9d1d76b2a872b83969cbc5df4a496626ace9c1f
SHA512: 5f01bea39ded3f17a44561ee6539a5d9d063c1236cd72f66254b8f3daeb15cccf315d90ea429c51bb71be02ebe649b4e9669534f1c2f926386293462546544b7

Filesize: 373KB
MD5: 88c9825e3b7a0ad85bd3c867e87262ee
SHA1: 1316ed1fbb0ea9e3644e939b6300afe7daf5d32f
SHA256: 38268cfe206cfbede31e91d6a7b89e98c4b515bb3514c7f0ea9f60e4ab9b13a2
SHA512: 06245823defe2aaeb8fe13f4948350dbfa7e831adc119326351b4558082d27d16ef1013d4015532256393233ec8782257988ab35fd96caf19dce015c93948962

Filesize: 174KB
MD5: df9755ffba1513ac55d2fcf9b679073f
SHA1: 2b9d312ca66bbc66027501274de1662790ca3f61
SHA256: d08acf9df35e8b135761054266cd9e31309869d75019ea5adcd27c83d0e7568f
SHA512: c7a85355a2b8fbe7277c1786496d69d1b76598b1de32805ed43f34a60619a19d72e7b75bb6d099a2409d7fba5196324b3ef0d94a1d78bcfd6e75000fde902db3

Filesize: 217KB
MD5: 6e6855e3048ed663c09404dda64cb872
SHA1: 7f4cfd8c66257fb94f4e36fcc199ead3d2331f9a
SHA256: 7d258a04da431a6354cab503a0a9d55f4ea92f335d2b3579a797100066ffcf12
SHA512: d3e4923dc264d86bf19426a1fea5fed8ff64b8a19cecbdad4cc4facb4cdba5ce397cc84ff54a3d69ca5fd6204519ed5e807a3243b45203d0dd5c80b100e8dacb

Filesize: 16KB
MD5: 8971c60174b719a25c0b92c8a47e59f8
SHA1: 42b2ecfcd2cacb57aeca81f5520c4e0ef843093f
SHA256: f90f8a469088df2b720e283bf8156131f731e2f8db13d18a2d89c8cd03c7ba34
SHA512: e43fa3a265dcdba8c15a6f8e3459a8be4ff2be23188bc2d182d5409032d23e666a71bef19d8dacd56e732449f31e2c4da839a88ea3a750deb8032370ac5fe6cb

Filesize: 141KB
MD5: fa45e130582c49b172c556cf7639e451
SHA1: 174ad9b3ea41b6a2edda25e043419785ce21a9b8
SHA256: 1d6b538032c0d3f2bf99f72d6dab68dbc794223529373faf24362c66c7e84aa0
SHA512: c39a36498f50a5e7e0231a873bb71ce6e4a6ea8c8e283caa0dc07ad438f3dfeb971f13336f8f516ccaac1283fa79480524f7da9b83e1a5d28bef9434144e8879