Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 17:12
Static task: static1
Behavioral task: behavioral1
  Sample: 695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe
  Resource: win10v2004-20230915-en
General
Target: 695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe
Size: 1.3MB
MD5: d0dd87f1a7fcd9dbd3a316e1a690167f
SHA1: bf77f42ccfe9594ece99a40599b600db759e0766
SHA256: 695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823
SHA512: 6f13aa9870e76f2be012fa0a38153d9ccd1f73602463655859a1ef3979b3b65a3350bfdea4e838be7bf03672f6903ed34cbd5960ba342058ee35ff9020b06072
SSDEEP: 24576:N095JjMnm2djVtOrArfiglVDsI20jRgnfTrQ:N09smKjXKIVDsl06fTrQ
Malware Config
Extracted: redline
Botnet: black
C2: 77.91.124.82:19071
auth_value: c5887216cebc5a219113738140bc3047
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
resource | yara_rule
behavioral2/memory/3516-33-0x0000000000400000-0x000000000040A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (5 IoCs)
pid | Process
5112 | x8471280.exe
2264 | x5354756.exe
3816 | x1538119.exe
3296 | g3933662.exe
1644 | h2959324.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x8471280.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x5354756.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x1538119.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4736 set thread context of 1604 | 4736 | 695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe | 91
PID 3296 set thread context of 3516 | 3296 | g3933662.exe | 96
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3516 | AppLaunch.exe
3516 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3516 | AppLaunch.exe
Suspicious use of WriteProcessMemory (33 IoCs; identical rows collapsed, occurrence count in the last column)
description | pid | Process | procid_target | count
PID 4736 wrote to memory of 1604 | 4736 | 695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe | 91 | 10
PID 1604 wrote to memory of 5112 | 1604 | AppLaunch.exe | 92 | 3
PID 5112 wrote to memory of 2264 | 5112 | x8471280.exe | 93 | 3
PID 2264 wrote to memory of 3816 | 2264 | x5354756.exe | 94 | 3
PID 3816 wrote to memory of 3296 | 3816 | x1538119.exe | 95 | 3
PID 3296 wrote to memory of 3516 | 3296 | g3933662.exe | 96 | 8
PID 3816 wrote to memory of 1644 | 3816 | x1538119.exe | 98 | 3
Processes (indentation shows parent/child; the leading number is the tree depth)

1. C:\Users\Admin\AppData\Local\Temp\695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\695fbc126a2a6a1b3543628e5ca7335d409ec10d19a38e1152e8486b20dfc823.exe"
   PID: 4736
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 1604
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8471280.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8471280.exe
         PID: 5112
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5354756.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5354756.exe
            PID: 2264
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1538119.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1538119.exe
               PID: 3816
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3933662.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3933662.exe
                  PID: 3296
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                     Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                     PID: 3516
                     - Modifies Windows Defender Real-time Protection settings
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
               6. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2959324.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2959324.exe
                  PID: 1644
                  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads (dropped files)

Filesize: 767KB
MD5: 6bb04ebd1f238d9f3de21e8514e29849
SHA1: 949b27abed974db347a48b3c0685453d72cd56cb
SHA256: 3e49fe1be803556e0bd8467859df590118c682bc7fac9d0efe1df5c37d864920
SHA512: 3d47c8a5179ec685da7d136733e6337c5ca0c9cd2a8c43291e839877cde470213f46461b5c797f4f47c2ea3c3d7af590a5c721b5b6fefebb4b628db4f284bd7e
Filesize: 492KB
MD5: b18dbfd9418c7ad4f5abc02b6b6dbb0b
SHA1: 4d5d2c2a76a2235bb65d50217f113e34b0c5f7c2
SHA256: 70732f96273df0c4fc9b8614f19b10ca231968dceb28d378b3149f29031d3455
SHA512: 2abdfbb3a10474f39765f7c4754714874845e78cbb9a2d4f666aadbc0fc74621d9e27495944e525a828de3cba3074693e5bf741ff70af1e05e31d3d0bdfb762a
Filesize: 326KB
MD5: 7bb693af38105685ff4351c9da2511d0
SHA1: c53319a611f8b0340d8a5c5ac9b70b72cb38afde
SHA256: 73b8cd3245ac887ae5fa58cbcaa9249149ee4b83f1b239c12de26285d2b25182
SHA512: d5442cda8dba523c033db279ea96164f459873999dc6a93a718de139c323b7a58e7c3766ecf9c7ba6bfd92e685f2e638acd4c9f84941aacbb63765b5cd49cdd5
Filesize: 242KB
MD5: 2411c69af1fcfc0e3e3b54c0c48886bf
SHA1: 5ff340978dc9a08d099649073d3e73e5b89bb9d1
SHA256: b08ce1fffba9d5f6f61e5269dfa01b61237cf61234ad26d9c29aa3b471b65ba8
SHA512: 24466931ad6bd9e4b4b4d5901f750746a6c50e048667a8171d9943a8126c23ea971008c448dd5417c21350ae05181889e4f26e9a6b1fec47264df85dd2a7147f
Filesize: 174KB
MD5: e1f844f615cf5be9ea04cf80c051efff
SHA1: ee651a891d8e9ba3edfd12780a0823f1e8f0a9ca
SHA256: 9c93d09d0a0f13e5464092d022a8af86fa3520dd42f07cc36d14420b1e8ca2cf
SHA512: 9fd83f05cbbdc76203d244adf546f26d9bf864df81da899f5713e7a9ffa82e204672eaf9b41f94ac5c886aab91026a8b3dbfbff54b0b734f9f6897929e705f12