Analysis
-
max time kernel
290s -
max time network
303s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
19-09-2023 06:53
Static task
static1
Behavioral task
behavioral1
Sample
x7688341.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
x7688341.exe
Resource
win10-20230915-en
General
-
Target
x7688341.exe
-
Size
321KB
-
MD5
6f9fab527e0ccdc98d58ac716181b3c6
-
SHA1
851541e69cd89d0ebba22b0a2fdd63f40e6d723b
-
SHA256
93b183e0975c989bfbe8b579ce5d6e41ea957f4568a83e3ed264b4fc94f2f60b
-
SHA512
eb084cfb876b129a21a40eef6b3aec4ab7ea6bff8f960f8bf205aa1889c5be8ba9b34e301046c94b16e01a0542408be2114229dea1a316ef7f2d5a74ab5acce7
-
SSDEEP
6144:K1y+bnr+gp0yN90QEDkYflZhNry2xFCC1YamoCKJUU+EAwWoR6d028bC:TMrwy90eYfvrN0CIeJ7+FxvW2AC
Malware Config
Extracted
redline
black
77.91.124.82:19071
-
auth_value
c5887216cebc5a219113738140bc3047
Signatures
-
Detects Healer an antivirus disabler dropper 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2008-17-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2008-19-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2008-22-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2008-24-0x0000000000400000-0x000000000040A000-memory.dmp healer behavioral1/memory/2008-26-0x0000000000400000-0x000000000040A000-memory.dmp healer -
Processes:
AppLaunch.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
Processes:
g2204807.exeh0745430.exepid process 1696 g2204807.exe 2080 h0745430.exe -
Loads dropped DLL 5 IoCs
Processes:
x7688341.exeg2204807.exeh0745430.exepid process 2092 x7688341.exe 2092 x7688341.exe 1696 g2204807.exe 2092 x7688341.exe 2080 h0745430.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
x7688341.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" x7688341.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
g2204807.exedescription pid process target process PID 1696 set thread context of 2008 1696 g2204807.exe AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
AppLaunch.exepid process 2008 AppLaunch.exe 2008 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exedescription pid process Token: SeDebugPrivilege 2008 AppLaunch.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
x7688341.exeg2204807.exedescription pid process target process PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 2092 wrote to memory of 1696 2092 x7688341.exe g2204807.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 1696 wrote to memory of 2008 1696 g2204807.exe AppLaunch.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe PID 2092 wrote to memory of 2080 2092 x7688341.exe h0745430.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\x7688341.exe"C:\Users\Admin\AppData\Local\Temp\x7688341.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g2204807.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g2204807.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0745430.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0745430.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5bd7db8b543d1b8d37a380bace855e6f1
SHA16bb4a5230f3038cfc4414e36175e399df0123568
SHA25685c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
-
Filesize
236KB
MD5bd7db8b543d1b8d37a380bace855e6f1
SHA16bb4a5230f3038cfc4414e36175e399df0123568
SHA25685c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
-
Filesize
236KB
MD5bd7db8b543d1b8d37a380bace855e6f1
SHA16bb4a5230f3038cfc4414e36175e399df0123568
SHA25685c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
-
Filesize
174KB
MD5b0b411456035583fa1873d9e27c80b3f
SHA1b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0
SHA256b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db
SHA512e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea
-
Filesize
174KB
MD5b0b411456035583fa1873d9e27c80b3f
SHA1b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0
SHA256b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db
SHA512e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea
-
Filesize
236KB
MD5bd7db8b543d1b8d37a380bace855e6f1
SHA16bb4a5230f3038cfc4414e36175e399df0123568
SHA25685c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
-
Filesize
236KB
MD5bd7db8b543d1b8d37a380bace855e6f1
SHA16bb4a5230f3038cfc4414e36175e399df0123568
SHA25685c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
-
Filesize
236KB
MD5bd7db8b543d1b8d37a380bace855e6f1
SHA16bb4a5230f3038cfc4414e36175e399df0123568
SHA25685c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
-
Filesize
174KB
MD5b0b411456035583fa1873d9e27c80b3f
SHA1b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0
SHA256b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db
SHA512e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea
-
Filesize
174KB
MD5b0b411456035583fa1873d9e27c80b3f
SHA1b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0
SHA256b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db
SHA512e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea