Resubmissions
09-04-2024 13:51
240409-q52wsagf78 1009-04-2024 13:51
240409-q5199agf77 1009-04-2024 13:51
240409-q5zfnaca3y 1009-04-2024 13:51
240409-q5y5wsca3x 1002-09-2023 11:46
230902-nxm2jscg99 10Analysis
-
max time kernel
1789s -
max time network
1804s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-04-2024 13:51
Static task
static1
Behavioral task
behavioral1
Sample
8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
Resource
win11-20240221-en
General
-
Target
8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
-
Size
820KB
-
MD5
865c99ae19817cac9d40b35202f6f453
-
SHA1
980d4e8229c3d7a6bf02596047a015c32d9210e3
-
SHA256
8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b
-
SHA512
091016e9888850d673d096090ad87563eb721cbcc311ca0fb4f0948f78f6679363795463081ae335b43061a1b1793c36b2bd1a0f7fe797cf6380303b98648458
-
SSDEEP
12288:KMrWy90uxp7VpGrXpmKepnfpz4Ahwpkb7cCUOE1RZyYrB8MB1xZhxH0:Qyhp2pm9FBz4AhwpksCHGYYdd7U
Malware Config
Extracted
redline
sruta
77.91.124.82:19071
-
auth_value
c556edcd49703319eca74247de20c236
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral1/files/0x0005000000019334-51.dat mystic_family -
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x0006000000019326-44.dat healer behavioral1/memory/2724-48-0x0000000000110000-0x000000000011A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a7341166.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a7341166.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a7341166.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a7341166.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a7341166.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a7341166.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0006000000018bdb-57.dat family_redline behavioral1/memory/2436-63-0x0000000000EB0000-0x0000000000EE0000-memory.dmp family_redline -
Executes dropped EXE 7 IoCs
pid Process 2932 v1174701.exe 2472 v6302603.exe 2588 v5756523.exe 2568 v5896929.exe 2724 a7341166.exe 2360 b7297316.exe 2436 c3956936.exe -
Loads dropped DLL 13 IoCs
pid Process 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 2932 v1174701.exe 2932 v1174701.exe 2472 v6302603.exe 2472 v6302603.exe 2588 v5756523.exe 2588 v5756523.exe 2568 v5896929.exe 2568 v5896929.exe 2568 v5896929.exe 2360 b7297316.exe 2588 v5756523.exe 2436 c3956936.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features a7341166.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7341166.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v5896929.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1174701.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6302603.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v5756523.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2724 a7341166.exe 2724 a7341166.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2724 a7341166.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 1504 wrote to memory of 2932 1504 8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe 28 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2932 wrote to memory of 2472 2932 v1174701.exe 29 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2472 wrote to memory of 2588 2472 v6302603.exe 30 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2588 wrote to memory of 2568 2588 v5756523.exe 31 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2724 2568 v5896929.exe 32 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2568 wrote to memory of 2360 2568 v5896929.exe 33 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34 PID 2588 wrote to memory of 2436 2588 v5756523.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe"C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
723KB
MD54d28a06bc7d389a286f2324caddf1e8c
SHA159af85cf36a459027b9292d8b73aec4f429ea328
SHA256ac7fefffe24659c5db14a2bb4cc432004020acc268884bc518c6a142f0d8f5c2
SHA5120538c7e09c9253b48d2c503e2dc58c55662d28284aad9c485cfd68582cc9eafa84850b28a517b0b3b5a19b67bddd5b69edc54112889fda881da50fb7b310e45c
-
Filesize
497KB
MD51e0e32b87a93e15353432ccc538eab1f
SHA10d3e5f322b3595400fd5587e9e30dee9c01cf6f4
SHA2563b754180b1912716d9cf97762322f660fc3b5a599c41f09287a63ed2db764702
SHA512f8b75ddbb5d5b7956d975e3e8052c62d866b0c07de63c93fbc1f064d27f737de92d2b05f104910f0522c874afb0655770e67b3504dcde641be5b3085ed1446b1
-
Filesize
372KB
MD5cc451ca9b12129e2af20c19f8c0b462d
SHA1657c7c98063b2937e6fb7516f73a31beaeaa8a82
SHA256e464ba3d27af55732f7be815fb3899287c808b69dd5221adbe20f945a78b0455
SHA512159d56c233d25321117a3179d894161ce2bc7b3cb2979c0884e726d2ed89899999c423d83e4f6278f9fea77c621bef2544b02ce54c41d5eba81f4a8ab7604af4
-
Filesize
175KB
MD5b63224b9575d147711fa843872a4b52f
SHA1bcbd067ca7570fa86276639a51f83acb871ba0a9
SHA2566f5abaf57c657b33940a7564e780e4708227921f95ae46ca3c48c8ef9de12932
SHA51297335a1a366b00e5df40dddbb25d91981b69f8fffdf90a55b95fb1bb978ed06ec4ca92334a45dfc276a88f0102e88f7d3c9c246160dd2925576505c24f3ced26
-
Filesize
217KB
MD5a6c0a7109e1a0ea3364630b92deeda95
SHA11fe78c74047f279afca45340c6dfd9fc307b4361
SHA256992d938558305206821d24cf8180ce06ff290309b4c4ef8eab13a6ec3a910c97
SHA51220165dac6c17fbc51ce5b05969b318aaee1cf8dd83ab5133775fc14e404448a2ac633d0dad3ea9421cb8b72dda1f65e798db5610de6d12891217a15bb481a640
-
Filesize
18KB
MD5952034a560be61e4d921f508df8a162b
SHA11b559a970c6b61dbdf0fbd13d38b150e015a5719
SHA256028936f58c1e1504c9481a7c3da88c682e3d860ae96576305100ab0ccb954b70
SHA5123708633775200299ce1da7402f5530afade06012092d986a0989fc2c1f4fa0f6b47f16a3bcdcaefa6b2ccc8ec0df8246a1faf56c688de006883485b5b65897f8
-
Filesize
140KB
MD5605d09ec259bdf6742ec4d801757f71b
SHA1310b4e0464dc29061c9c3257798bad7905e72038
SHA2562766f4e42fec4fdf0a7cfa874d2eb127a18ca9ddedfeaa987e7175df82bd4927
SHA512a581a00b5b3e5f83d19a045a5ce6e1171f2d33a35d30aa655581779cef82017abb61f9d4701d16db7a570ba0b74be1a4e5a5ecbe2d8d7a783ea921ec40160d14