Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2023, 04:27
Static task
static1
Behavioral task
behavioral1
Sample
5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe
Resource
win10v2004-20230915-en
General
-
Target
5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe
-
Size
1.1MB
-
MD5
51dcdcd85ebeeecc5604fcf4ea862c08
-
SHA1
f18ced960defd288a54d75761c968fae9e89c602
-
SHA256
5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210
-
SHA512
2eb686b90de6c8980de8403a4cf0b73809f855261958bb8fe0ab99ed774ac65d1841589738fc384bf06312ee7cc13f9f1adabe6af83eb12ad0900cd143e8c1f4
-
SSDEEP
24576:5y4e5/PflTsk3p7zE+sz0W8A4QBlVbo4U4Dd+Nkt6DUmQpEJNYf:s4KPflTsJ70W8CBlVu4Zt6DSpEJ
Malware Config
Extracted
redline
buben
77.91.124.82:19071
-
auth_value
c62fa04aa45f5b78f62d2c21fcbefdec
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral1/memory/1612-28-0x0000000000400000-0x000000000040A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
pid Process 5096 x3065453.exe 4380 x0740758.exe 4436 x3325313.exe 1172 g4952973.exe 2080 h0308900.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x3065453.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x0740758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x3325313.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1172 set thread context of 1612 1172 g4952973.exe 88 -
Program crash 1 IoCs
pid pid_target Process procid_target 3300 1172 WerFault.exe 86 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1612 AppLaunch.exe 1612 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1612 AppLaunch.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 4832 wrote to memory of 5096 4832 5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe 83 PID 4832 wrote to memory of 5096 4832 5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe 83 PID 4832 wrote to memory of 5096 4832 5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe 83 PID 5096 wrote to memory of 4380 5096 x3065453.exe 84 PID 5096 wrote to memory of 4380 5096 x3065453.exe 84 PID 5096 wrote to memory of 4380 5096 x3065453.exe 84 PID 4380 wrote to memory of 4436 4380 x0740758.exe 85 PID 4380 wrote to memory of 4436 4380 x0740758.exe 85 PID 4380 wrote to memory of 4436 4380 x0740758.exe 85 PID 4436 wrote to memory of 1172 4436 x3325313.exe 86 PID 4436 wrote to memory of 1172 4436 x3325313.exe 86 PID 4436 wrote to memory of 1172 4436 x3325313.exe 86 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 1172 wrote to memory of 1612 1172 g4952973.exe 88 PID 4436 wrote to memory of 2080 4436 x3325313.exe 92 PID 4436 wrote to memory of 2080 4436 x3325313.exe 92 PID 4436 wrote to memory of 2080 4436 x3325313.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe"C:\Users\Admin\AppData\Local\Temp\5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3065453.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3065453.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0740758.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0740758.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3325313.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3325313.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4952973.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4952973.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 5566⤵
- Program crash
PID:3300
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0308900.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0308900.exe5⤵
- Executes dropped EXE
PID:2080
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1172 -ip 11721⤵PID:4084
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD51cab562f55428189af15aafd9d663b4a
SHA121a31704cbe735bf65472ff2f38fd8f4e7c62e76
SHA2562293d4b6cb74c31f986a47dcec32979202d7049d4e0278dfe9381522d4f0da63
SHA5124d0ab0999726ea5af45b1e25e39fdfad11acb027fe50c0d897cf5917b0c1f27e6ae850f919a2ae9154d8f65cfef48df8d9d4d424990671a3bcb20200d9e2299d
-
Filesize
1.0MB
MD51cab562f55428189af15aafd9d663b4a
SHA121a31704cbe735bf65472ff2f38fd8f4e7c62e76
SHA2562293d4b6cb74c31f986a47dcec32979202d7049d4e0278dfe9381522d4f0da63
SHA5124d0ab0999726ea5af45b1e25e39fdfad11acb027fe50c0d897cf5917b0c1f27e6ae850f919a2ae9154d8f65cfef48df8d9d4d424990671a3bcb20200d9e2299d
-
Filesize
652KB
MD53ff2f75c549c702e35282ceae7122a8c
SHA118debde29b6852e16fd5a25763dc6c23f0966be1
SHA256400a090876a119d27a472d5a9688abfb16855c81904e8cca4ad171301a3dd8e1
SHA5121f677f85e25a66906e6c20a071d8a910e32df8ff2816be544b85b32c9ba4df1b4f3d9c5c46f9b03f82f6b55bd48a2a58e9ea346ecb19207006a1254f86a9ae84
-
Filesize
652KB
MD53ff2f75c549c702e35282ceae7122a8c
SHA118debde29b6852e16fd5a25763dc6c23f0966be1
SHA256400a090876a119d27a472d5a9688abfb16855c81904e8cca4ad171301a3dd8e1
SHA5121f677f85e25a66906e6c20a071d8a910e32df8ff2816be544b85b32c9ba4df1b4f3d9c5c46f9b03f82f6b55bd48a2a58e9ea346ecb19207006a1254f86a9ae84
-
Filesize
467KB
MD5d79cae984d98091d6716cce4ca9d8842
SHA1151690482fa84da23cccfef6fdc4241cc275d6af
SHA2562ebf50572caaeef8f4ba2ce86832f25b93d509cbb155ef6a023c6d2a2898a539
SHA512414e376876eec733a742f4c3a7079605ff10fb65a9c73282e2f1e4c3aa316311a21227c18460d7fe193684aca73a5b1bbd9ec6881ea6dc25c68d78b81edffbfe
-
Filesize
467KB
MD5d79cae984d98091d6716cce4ca9d8842
SHA1151690482fa84da23cccfef6fdc4241cc275d6af
SHA2562ebf50572caaeef8f4ba2ce86832f25b93d509cbb155ef6a023c6d2a2898a539
SHA512414e376876eec733a742f4c3a7079605ff10fb65a9c73282e2f1e4c3aa316311a21227c18460d7fe193684aca73a5b1bbd9ec6881ea6dc25c68d78b81edffbfe
-
Filesize
899KB
MD57dccc0b9e27dd2da37d426513ec0443b
SHA183ffc5b13d599341425ebf8850c357c2285145b8
SHA256bae060fa54dae6cc5d76a0c5dc600cd60c333f0130f62858b17b024bcef71f04
SHA512ed65652196a3561a45eeec58658c1985442d1c682f6a913f6f4eb34b2844ada60c94b21ea7dee4898ca3a26e74f6059c506db146625512626ed608d368cbdb5a
-
Filesize
899KB
MD57dccc0b9e27dd2da37d426513ec0443b
SHA183ffc5b13d599341425ebf8850c357c2285145b8
SHA256bae060fa54dae6cc5d76a0c5dc600cd60c333f0130f62858b17b024bcef71f04
SHA512ed65652196a3561a45eeec58658c1985442d1c682f6a913f6f4eb34b2844ada60c94b21ea7dee4898ca3a26e74f6059c506db146625512626ed608d368cbdb5a
-
Filesize
174KB
MD56a74ebf0f4aea35966e84ad9192d28b8
SHA153c8e8040d4d89332edf4030744d4a3c5e5df1ea
SHA2562ba6a600fe55e17ddb66455425892268ef2fba232207a431abe3c3ec680965ee
SHA512f270d28838e352e609e04be37f54898da54c0e75f43942768aee6d7145fd062938b2da9cdd7e06f9a55d1069a7240d94d2dbb29fe729f548cde9ddef6533b5f1
-
Filesize
174KB
MD56a74ebf0f4aea35966e84ad9192d28b8
SHA153c8e8040d4d89332edf4030744d4a3c5e5df1ea
SHA2562ba6a600fe55e17ddb66455425892268ef2fba232207a431abe3c3ec680965ee
SHA512f270d28838e352e609e04be37f54898da54c0e75f43942768aee6d7145fd062938b2da9cdd7e06f9a55d1069a7240d94d2dbb29fe729f548cde9ddef6533b5f1