Analysis
- max time kernel: 286s
- max time network: 300s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2023 06:52
Static task: static1
Behavioral task: behavioral1
- Sample: x2187432.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: x2187432.exe
- Resource: win10-20230915-en
General
- Target: x2187432.exe
- Size: 767KB
- MD5: ae57bf787472df63812c94000b30e5e3
- SHA1: 815744b59c8c14100fa17a50be7d010f6b51675d
- SHA256: ff5bff453148333bc10d200e02ff7d9848690214fc6b56a5ded05c517ec6b58a
- SHA512: 7b046d0348cdd2ffbfbee7ba088a8f91373c80cf9e6b99c11ac2db2ebfd124120c6a589a2746a949038ca61b7f5ae55b8aeb8c365825d0d78218f0fba744d6a9
- SSDEEP: 12288:1Mr/y90ib6+7ZCYjY8zCdkvvahvVnubBoBK4TsfWF3bMUhiBUL5glXYR5KaRZwPg:2y5xdCqg+vOubB+Kfs3QUEBUFg2TRZwY
Malware Config
Extracted
- Family: redline
- Botnet: black
- C2: 77.91.124.82:19071
- Attributes: auth_value = c5887216cebc5a219113738140bc3047
Signatures
-
Detects Healer, an antivirus disabler dropper (5 IoCs)
YARA rule "healer" matched in memory of PID 2596 (AppLaunch.exe), region 0x0000000000400000-0x000000000040A000, in five dumps: behavioral1/memory/2596-35, 2596-36, 2596-38, 2596-40 and 2596-42 (-0x0000000000400000-0x000000000040A000-memory.dmp).
-
Modifies Windows Defender Real-time Protection settings (6 IoCs)
All writes by AppLaunch.exe (PID 2596) under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:
- Key created: Real-Time Protection
- Set value (int): DisableOnAccessProtection = "1"
- Set value (int): DisableRealtimeMonitoring = "1"
- Set value (int): DisableScanOnRealtimeEnable = "1"
- Set value (int): DisableBehaviorMonitoring = "1"
- Set value (int): DisableIOAVProtection = "1"
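The registry writes above are the Defender kill-switch pattern (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools): five DWORD values under the Real-Time Protection policy key, each set to 1, written by a signed .NET host rather than by the dropper itself. As an added example, not code from the report or the sandbox, the following Python flags exactly that pattern over Sysmon-style registry events. The event lines are constructed from the report's six IoCs, the one-line `EventID=... Image=... TargetObject=... Details=...` layout is an assumed rendering of Sysmon Event ID 12/13, and the gpupdate and regedit negative cases are the example's own.

```python
"""Flag Defender real-time protection tampering in Sysmon registry events.

Added example, not part of the sandbox report. The event lines are constructed
to mirror the six registry IoCs attributed to AppLaunch.exe (PID 2596); the
"Field=value" layout is an assumed rendering of Sysmon Event ID 12/13.
"""
import re
from dataclasses import dataclass

# Policy subkey Defender reads; the sandbox renders HKLM as \REGISTRY\MACHINE.
RTP_POLICY_SUBKEY = "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
HIVE_PREFIXES = ("\\REGISTRY\\MACHINE\\", "HKLM\\", "HKEY_LOCAL_MACHINE\\")

# Each of these set to DWORD 1 switches off one Defender protection layer.
DISABLE_VALUES = frozenset({
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
})

# One event per line. Event 12 (key create) has no Details; 13 (value set) does.
EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+Image=(?P<image>\S+)\s+ProcessId=(?P<pid>\d+)\s+"
    r"TargetObject=(?P<target>.+?)(?:\s+Details=(?P<details>.+))?$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    value_name: str
    technique: str = "T1562.001"  # Impair Defenses: Disable or Modify Tools


def strip_hive(path: str) -> str:
    """Drop the hive prefix so sandbox and Sysmon spellings compare equal."""
    upper = path.upper()
    for prefix in HIVE_PREFIXES:
        if upper.startswith(prefix.upper()):
            return path[len(prefix):]
    return path


def detect_defender_tampering(lines):
    """One Finding per Value-Set event that turns a Defender RTP layer off."""
    findings = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group("eid") != "13" or m.group("details") is None:
            continue  # creating the key (EventID 12) is not the tamper itself
        subkey, _, value_name = strip_hive(m.group("target")).rpartition("\\")
        if subkey.lower() != RTP_POLICY_SUBKEY.lower():
            continue
        if value_name in DISABLE_VALUES and m.group("details").strip() == "DWORD (0x00000001)":
            findings.append(Finding(int(m.group("pid")), m.group("image"), value_name))
    return findings


APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"


def _rtp_event(value_name, dword, pid=2596, image=APPLAUNCH):
    """Build a constructed Event 13 line for a DWORD write under the RTP policy key."""
    return (f"EventID=13 Image={image} ProcessId={pid} "
            f"TargetObject=HKLM\\{RTP_POLICY_SUBKEY}\\{value_name} "
            f"Details=DWORD (0x{dword:08x})")


# Constructed sample log: the report's six IoCs, plus a re-enable by gpupdate
# and an unrelated Run-key write, neither of which must fire.
SAMPLE_EVENTS = [
    f"EventID=12 Image={APPLAUNCH} ProcessId=2596 TargetObject=HKLM\\{RTP_POLICY_SUBKEY}",
    _rtp_event("DisableOnAccessProtection", 1),
    _rtp_event("DisableRealtimeMonitoring", 1),
    _rtp_event("DisableScanOnRealtimeEnable", 1),
    _rtp_event("DisableBehaviorMonitoring", 1),
    _rtp_event("DisableIOAVProtection", 1),
    _rtp_event("DisableRealtimeMonitoring", 0, pid=1234, image="C:\\Windows\\System32\\gpupdate.exe"),
    "EventID=13 Image=C:\\Windows\\regedit.exe ProcessId=4321 "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Users\\Admin\\updater.exe",
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"{f.technique}: PID {f.pid} {f.image} set {f.value_name}=1")
```

The check keys on the value name and the DWORD 1, not on the writing process, so it fires whether the write comes from AppLaunch.exe, PowerShell or reg.exe; the key-creation event alone and a DWORD 0 re-enable are deliberately ignored to keep the rule from firing on Group Policy refreshes.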
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (4 IoCs)
- PID 2532 x0651453.exe
- PID 2540 x8002878.exe
- PID 2880 g3089245.exe
- PID 2960 h8345542.exe
Loads dropped DLL (9 IoCs)
- PID 2184 x2187432.exe (1)
- PID 2532 x0651453.exe (2)
- PID 2540 x8002878.exe (4)
- PID 2880 g3089245.exe (1)
- PID 2960 h8345542.exe (1)
Adds Run key to start application (2 TTPs, 3 IoCs)
RunOnce values under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
- wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (set by x2187432.exe)
- wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (set by x0651453.exe)
- wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (set by x8002878.exe)
Note for triage: wextract_cleanup<n> RunOnce values that call advpack.dll,DelNodeRunDLL32 on an IXP<nnn>.TMP directory are what the Windows IExpress self-extractor (wextract.exe) writes so that its extraction folder is deleted at next logon. Three such values with three nested IXP directories show three IExpress layers in the dropper chain; they are not a persistence mechanism for the payload, which is why the chain also needs the SetThreadContext and Defender-tampering behaviour listed below.
Suspicious use of SetThreadContext (1 IoC)
- PID 2880 (g3089245.exe) set thread context of PID 2596 (AppLaunch.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2596 AppLaunch.exe (2)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2596 AppLaunch.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Identical rows collapsed, with the number of occurrences:
- PID 2184 (x2187432.exe) wrote to memory of PID 2532 (x0651453.exe): 7
- PID 2532 (x0651453.exe) wrote to memory of PID 2540 (x8002878.exe): 7
- PID 2540 (x8002878.exe) wrote to memory of PID 2880 (g3089245.exe): 7
- PID 2880 (g3089245.exe) wrote to memory of PID 2596 (AppLaunch.exe): 12
- PID 2540 (x8002878.exe) wrote to memory of PID 2960 (h8345542.exe): 7
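The WriteProcessMemory and SetThreadContext tables are the raw material for spotting process hollowing (ATT&CK T1055.012): g3089245.exe writes into a freshly started AppLaunch.exe twelve times and then sets its thread context, the write-image-then-resume sequence into a signed .NET host. As an added example, not code from the report or the sandbox, the following Python parses the report's own `PID <src> wrote to memory of <dst> <src> <src image> <dst image>` rows, collapses repeats into counts, rebuilds the process tree and flags the hollowing pair. The rows are constructed from the report's counts; the HOLLOW_HOSTS watch-list and the assumption that every write target is a child created suspended are the example's own, not something the report states.

```python
"""Rebuild a process tree and flag process hollowing from sandbox signature rows.

Added example, not part of the sandbox report. Input rows are constructed to
match the report's WriteProcessMemory/SetThreadContext tables.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Row shape used by the sandbox signature tables:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory|set thread context) of "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)

# Signed Microsoft binaries routinely started suspended and hollowed.
# Assumed watch-list for this example, not something the report states.
HOLLOW_HOSTS = frozenset({
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "vbc.exe", "aspnet_compiler.exe",
})


@dataclass(frozen=True)
class Event:
    src: int
    dst: int
    action: str
    src_image: str
    dst_image: str


def parse_events(lines):
    """Extract every event on every line; the report runs many rows together."""
    events = []
    for line in lines:
        for m in EVENT_RE.finditer(line):
            events.append(Event(int(m["src"]), int(m["dst"]), m["action"],
                                m["src_image"], m["dst_image"]))
    return events


def collapse(events):
    """Identical rows -> one key with a count, the form a reader wants to see."""
    return Counter((e.src, e.src_image, e.action, e.dst, e.dst_image) for e in events)


def build_tree(events):
    """parent pid -> child pids in first-seen order, inferred from write edges.
    Assumption: each write target is a child the writer created suspended."""
    children = defaultdict(list)
    for e in events:
        if e.action == "wrote to memory" and e.dst not in children[e.src]:
            children[e.src].append(e.dst)
    return dict(children)


def find_hollowing(events):
    """Writer that also sets the target's thread context, target a known host:
    the hollowing sequence (ATT&CK T1055.012)."""
    writes = {(e.src, e.dst) for e in events if e.action == "wrote to memory"}
    hits = []
    for e in events:
        if (e.action == "set thread context" and (e.src, e.dst) in writes
                and e.dst_image.lower() in HOLLOW_HOSTS):
            hits.append((e.src, e.src_image, e.dst, e.dst_image))
    return hits


def render_tree(events, root):
    """Indented text tree starting at `root`, two spaces per level."""
    images = {}
    for e in events:
        images[e.src] = e.src_image
        images[e.dst] = e.dst_image
    tree = build_tree(events)
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{images.get(pid, '?')} (PID {pid})")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(out)


# Constructed from the report's tables: 7 writes per dropped stage, 12 into
# AppLaunch.exe, one SetThreadContext; reproduces the 40-row total.
SAMPLE_LINES = (
    ["PID 2184 wrote to memory of 2532 2184 x2187432.exe x0651453.exe"] * 7
    + ["PID 2532 wrote to memory of 2540 2532 x0651453.exe x8002878.exe"] * 7
    + ["PID 2540 wrote to memory of 2880 2540 x8002878.exe g3089245.exe"] * 7
    + ["PID 2880 wrote to memory of 2596 2880 g3089245.exe AppLaunch.exe"] * 12
    + ["PID 2540 wrote to memory of 2960 2540 x8002878.exe h8345542.exe"] * 7
    + ["PID 2880 set thread context of 2596 2880 g3089245.exe AppLaunch.exe"]
)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for key, n in collapse(evs).items():
        print(n, key)
    print(render_tree(evs, 2184))
    print("hollowing:", find_hollowing(evs))
```

The hollowing check deliberately requires both behaviours from the same source toward the same target; a lone SetThreadContext (debuggers, some installers) or a lone cross-process write (many legitimate hooks) does not fire, and restricting the target to a known host binary is what separates this case from ordinary child-process injection between the dropper's own stages.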
Processes
-
C:\Users\Admin\AppData\Local\Temp\x2187432.exe (PID 2184, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\x2187432.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe (PID 2532, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe (PID 2540, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe (PID 2880, level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2596, level 5)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe (PID 2960, level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
-
Filesize: 492KB
MD5: 8c62495f62de77222ca27558fbf5e0bc
SHA1: 109f944d602fe8a613193b97715c8432e90cd1b2
SHA256: 8afd755682fd51de8c541b0e31ab2ee1d6bdde402a7e4d566fe0494dbdb16d3f
SHA512: 0b1f795298c2a9763240a209033268e0b612f5eee43febb6a093988b40ced4330de1419341028bd84c8b0cc58fc503afc30dfe05025756bcf5839677ae21fda0
-
Filesize: 326KB
MD5: d450a74effe247298e76be251e9d20b6
SHA1: 2ec5fbbbd9ea9125beb84d456fac275f9dc42adc
SHA256: c22b6ac1147733913380ba7c0f23d9e8802bb8f91b681e416aa5c5a0f942d105
SHA512: 1d4d264d1e20603a5d9dccac06c5055b5ec2555f3d6d390b4bd066a45ff23ede0ea15df9eec5154ac3601c7f28537b4096d703ea294295973e99fbf2b149d678
-
Filesize: 242KB
MD5: d1139a672dbbf2080d65e428ab2a5e89
SHA1: ba26ec755852555edba81f15f9937884666845c5
SHA256: 2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6
SHA512: 5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca
-
Filesize: 174KB
MD5: 24a7f85e7aba85d56e39eabf594afb44
SHA1: 33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4
SHA256: 179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467
SHA512: a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67