Analysis
max time kernel: 294s
max time network: 307s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-09-2023 06:51

Static task: static1
Behavioral task: behavioral1
  Sample: x6161540.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: x6161540.exe
  Resource: win10-20230915-en
General
Target: x6161540.exe
Size: 487KB
MD5: 1990265e89bd2fdc7e857cdef4fad2ce
SHA1: 3ba988dc7d323f9cdf6745b7e46326e763923507
SHA256: 8449031e10e7cd77dd596d4c3c923d1e099662892a6777491d29a540f130485a
SHA512: 0fed439071296196ee6abc47f24062ba9e1afd1410fbca41fc17d6bad1f71ff9fdc459369d11f7cb92b4d75deae39ad8774fc5522c81157c26f98ae1a0b26f33
SSDEEP: 12288:1MrPy90ZIBqJnrVpTQw/a3uXjyJFwIMp:+yCIuV1yeXmPwz
Malware Config
Extracted
Family: redline
Botnet: black
C2: 77.91.124.82:19071
Attributes: auth_value = c5887216cebc5a219113738140bc3047
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
  resource | yara_rule
  behavioral2/memory/4424-14-0x0000000000400000-0x000000000040A000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (5 IoCs)
  Processes: AppLaunch.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (3 IoCs)
  Processes: x9391797.exe, g6373050.exe, h7041528.exe
  pid | process
  2516 | x9391797.exe
  3060 | g6373050.exe
  2960 | h7041528.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: x6161540.exe, x9391797.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | x6161540.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x9391797.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes: g6373050.exe
  description | pid | process | target process
  PID 3060 set thread context of 4424 | 3060 | g6373050.exe | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: AppLaunch.exe
  pid | process
  4424 | AppLaunch.exe
  4424 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: AppLaunch.exe
  description | pid | process
  Token: SeDebugPrivilege | 4424 | AppLaunch.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: x6161540.exe, x9391797.exe, g6373050.exe
  description | pid | process | target process | occurrences
  PID 4908 wrote to memory of 2516 | 4908 | x6161540.exe | x9391797.exe | 3
  PID 2516 wrote to memory of 3060 | 2516 | x9391797.exe | g6373050.exe | 3
  PID 3060 wrote to memory of 5092 | 3060 | g6373050.exe | AppLaunch.exe | 3
  PID 3060 wrote to memory of 4424 | 3060 | g6373050.exe | AppLaunch.exe | 8
  PID 2516 wrote to memory of 2960 | 2516 | x9391797.exe | h7041528.exe | 3
Processes
- [PID 4908] C:\Users\Admin\AppData\Local\Temp\x6161540.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\x6161540.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [PID 2516] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [PID 3060] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [PID 5092] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - [PID 4424] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - [PID 2960] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 321KB
  MD5: dba7de05cbeabdc859adfc5b6498a558
  SHA1: 653ebef6f9214b020def4354caa166457dcb8bcb
  SHA256: 3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c
  SHA512: dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c
- Filesize: 236KB
  MD5: 9dc867c2adacdd76b2324bc47467f83c
  SHA1: f3decfe079b8dc76d536de7ca9aeec2c0da18d72
  SHA256: 5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410
  SHA512: 0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff
- Filesize: 174KB
  MD5: 17061663123df86496cfa24e531b4127
  SHA1: 446ad405b223ce6e9197ec7ef814516d9d99caa8
  SHA256: da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd
  SHA512: b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4