Analysis
max time kernel: 134s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12-09-2023 11:00
Static task: static1
Behavioral task: behavioral1
  Sample: e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe
  Resource: win10-20230703-en
General
Target: e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe
Size: 768KB
MD5: c2d280d5dd66c8a297f2e19713ea6a90
SHA1: 0d4d56a897012f7b28a476a7b839bf7f3d386c76
SHA256: e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4
SHA512: 7d8cec302af3e79d9d348bff17d79f92bc0e101da10c55784f2300a676286ff946bb8eeb5ebf481cb20e765e719bc31cf9957189cd5569c5f7e737ce6f12040d
SSDEEP: 12288:QMr5y90zM4qBXurPsrbi67bRbx7sD/Hd4cCMUKrcprko/VSXJTZrTIKZqF9Fmj:5yQmZuraLbRRsDl4cd1i3UK9e
Malware Config
Extracted
Family: redline
Botnet: lada
C2: 77.91.124.82:19071
auth_value: 252f78fed0684205b098417688fa33e2
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
  yara_rule: healer
  resource: behavioral1/memory/1660-21-0x0000000000400000-0x000000000040A000-memory.dmp

Modifies Windows Defender Real-time Protection settings (5 IoCs)
  Process: AppLaunch.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  [AppLaunch.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  [AppLaunch.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  [AppLaunch.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  [AppLaunch.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  [AppLaunch.exe]
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (4 IoCs)
  PID 2392  x0690730.exe
  PID 4992  x3340577.exe
  PID 4596  g1458779.exe
  PID 2692  i7563383.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  [x0690730.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  [x3340577.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  [e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe]

Suspicious use of SetThreadContext (1 IoC)
  PID 4596 g1458779.exe set thread context of PID 1660 AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1660  AppLaunch.exe
  PID 1660  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1660  AppLaunch.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  PID 2540 e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe wrote to memory of PID 2392 x0690730.exe (3 times)
  PID 2392 x0690730.exe wrote to memory of PID 4992 x3340577.exe (3 times)
  PID 4992 x3340577.exe wrote to memory of PID 4596 g1458779.exe (3 times)
  PID 4596 g1458779.exe wrote to memory of PID 4580 AppLaunch.exe (3 times)
  PID 4596 g1458779.exe wrote to memory of PID 4504 AppLaunch.exe (3 times)
  PID 4596 g1458779.exe wrote to memory of PID 1660 AppLaunch.exe (8 times)
  PID 4992 x3340577.exe wrote to memory of PID 2692 i7563383.exe (3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe  (PID 2540)
  command line: "C:\Users\Admin\AppData\Local\Temp\e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe  (PID 2392)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe  (PID 4992)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe  (PID 4596)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4580)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4504)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1660)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe  (PID 2692)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe
  Filesize: 493KB
  MD5: 28044eb09256d65b26dc56bc5a40c3ff
  SHA1: c3b63f305abbbedb228c413418414f25f4bc67e2
  SHA256: cbb4b904fb6dc11f6f9dff5ab5a4dbd9357b11526ab1bd64e87f578bd1bf2fe8
  SHA512: a8e8421b1b361a85cd67a5fb04fa7ba48c1a68f0e9a40b48c6e0245c8e882c7f9a88a1affc592b8e54fb8c24ba152868c04d20bb55ff522b6eb48c0be084060c
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe
  Filesize: 326KB
  MD5: 7990235218844006c7f6675cbcac83da
  SHA1: 07c91d56b42ce20b3e2403894a1ffd17c64eca8c
  SHA256: 15d2116ebbf443acfa0b1622ac23772fed279a3a0aa2984eebbd97ab2c869b96
  SHA512: 792ced857f1e96341792fd00b649bfda898511b409fbb0ea17867bf6fb8f3547070ffe43e8ee8ae4589d0c32fd642cad98b1f84c67984b7b72f75c8e8a76be4f
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe
  Filesize: 257KB
  MD5: 5fab31239c00f290ac6ab75bf0131527
  SHA1: 6675a53cc7b5305b2c75a570d54467616aec3c53
  SHA256: ca6713e5e0f9071e5475253cc24dc5f70e966f420ab55013fdf29f8f4b9ef8d6
  SHA512: b8cce9e8de20795ecaa6748d14c5f3b1f2c301350d60edf7e3161c00888aa0894e1f7dfaf4e9f13ff2bd04d6415c61ae3762c562ea73a5568c1c42f4616276a1
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe
  Filesize: 174KB
  MD5: be50086808ba8062ab4a40437400ce02
  SHA1: b55cdabd44a283fca48b8e783d6462720aa9cfa5
  SHA256: 1a3b278c7bde33759508496ba39902d461ade3f4432c73bdd4b68fd9da92b0c6
  SHA512: be9be777031db307fb6c1e9b057449f2e16d695eb758d5cf72e9d614e0b5fa5f62af5954b846091c66d88b8a439163892cd187768b279d8a15608c7d2ff4358d
Memory dumps
memory/1660-30-0x00000000736C0000-0x0000000073DAE000-memory.dmp  Filesize: 6.9MB
memory/1660-21-0x0000000000400000-0x000000000040A000-memory.dmp  Filesize: 40KB
memory/1660-60-0x00000000736C0000-0x0000000073DAE000-memory.dmp  Filesize: 6.9MB
memory/2692-29-0x00000000008C0000-0x00000000008F0000-memory.dmp  Filesize: 192KB
memory/2692-31-0x0000000002A10000-0x0000000002A16000-memory.dmp  Filesize: 24KB
memory/2692-32-0x000000000AB80000-0x000000000B186000-memory.dmp  Filesize: 6.0MB
memory/2692-33-0x000000000A6D0000-0x000000000A7DA000-memory.dmp  Filesize: 1.0MB
memory/2692-34-0x000000000A600000-0x000000000A612000-memory.dmp  Filesize: 72KB
memory/2692-35-0x000000000A660000-0x000000000A69E000-memory.dmp  Filesize: 248KB
memory/2692-40-0x000000000A7E0000-0x000000000A82B000-memory.dmp  Filesize: 300KB
memory/2692-45-0x00000000736C0000-0x0000000073DAE000-memory.dmp  Filesize: 6.9MB
memory/2692-28-0x00000000736C0000-0x0000000073DAE000-memory.dmp  Filesize: 6.9MB