Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-05-2024 03:15
Static task: static1
Behavioral task: behavioral1
Sample: c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe
Resource: win10v2004-20240419-en
General
Target: c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe
Size: 1.5MB
MD5: 991267b92287601ef77a0bbadd747440
SHA1: 9ff5b9b627c5eae60511f47cde53de339b74e822
SHA256: c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47
SHA512: 23546fe330165a559b53c376b84987979eb4e64fa300925e13d24fc1b1cf9c69785374125fadfe6c55d112e4765263b1d34affaf14d8f0c7355626098af47e5e
SSDEEP: 24576:kyIedgrARuVqITHTjQ08cKQnm4xU3/bPpBACmormqSwK92JeG1xdB4xyBqkZ05k6:zIeyaQzU10m4xEItq3KPG7pqkZ4
Malware Config
Extracted
Family: redline
Botnet: max
C2: 185.161.248.73:4164
auth_value: efb1499709a5d08ed1ddf71cff71211f
Signatures
Detects Healer, an antivirus disabler dropper (17 IoCs; YARA rule healer matched in memory dumps of PID 404)
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a00504737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a00504737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a00504737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a00504737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a00504737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a00504737.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000023b97-68.dat | family_redline
behavioral1/memory/1908-70-0x0000000000B00000-0x0000000000B30000-memory.dmp | family_redline
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (17 IoCs; YARA rule INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender matched in memory dumps of PID 404)
Detects executables packed with ConfuserEx Mod (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000023b97-68.dat | INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1908-70-0x0000000000B00000-0x0000000000B30000-memory.dmp | INDICATOR_EXE_Packed_ConfuserEx
Executes dropped EXE (6 IoCs)
pid | Process
3924 | i66019707.exe
2500 | i81183894.exe
4616 | i11926982.exe
4532 | i55033091.exe
404 | a00504737.exe
1908 | b71294961.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a00504737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a00504737.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i66019707.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i81183894.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i11926982.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i55033091.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
3728 | sc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
404 | a00504737.exe
404 | a00504737.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 404 | a00504737.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 828 wrote to memory of 3924 | 828 | c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe | 83
PID 828 wrote to memory of 3924 | 828 | c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe | 83
PID 828 wrote to memory of 3924 | 828 | c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe | 83
PID 3924 wrote to memory of 2500 | 3924 | i66019707.exe | 86
PID 3924 wrote to memory of 2500 | 3924 | i66019707.exe | 86
PID 3924 wrote to memory of 2500 | 3924 | i66019707.exe | 86
PID 2500 wrote to memory of 4616 | 2500 | i81183894.exe | 87
PID 2500 wrote to memory of 4616 | 2500 | i81183894.exe | 87
PID 2500 wrote to memory of 4616 | 2500 | i81183894.exe | 87
PID 4616 wrote to memory of 4532 | 4616 | i11926982.exe | 89
PID 4616 wrote to memory of 4532 | 4616 | i11926982.exe | 89
PID 4616 wrote to memory of 4532 | 4616 | i11926982.exe | 89
PID 4532 wrote to memory of 404 | 4532 | i55033091.exe | 90
PID 4532 wrote to memory of 404 | 4532 | i55033091.exe | 90
PID 4532 wrote to memory of 404 | 4532 | i55033091.exe | 90
PID 4532 wrote to memory of 1908 | 4532 | i55033091.exe | 98
PID 4532 wrote to memory of 1908 | 4532 | i55033091.exe | 98
PID 4532 wrote to memory of 1908 | 4532 | i55033091.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe (PID 828)
  command line: "C:\Users\Admin\AppData\Local\Temp\c1eb2bf2565fd92a410efaef30a93b2a3a4af9b75abc7ca69e417077b20e9a47.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe (PID 3924)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66019707.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe (PID 2500)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i81183894.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe (PID 4616)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i11926982.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe (PID 4532)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55033091.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe (PID 404)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00504737.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b71294961.exe (PID 1908)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b71294961.exe
            - Executes dropped EXE
C:\Windows\system32\sc.exe (PID 3728)
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Dropped file 1
Filesize: 1.2MB
MD5: b5886c5e09e640eb8e181e4433193e1a
SHA1: 7989a442aab3d7d1d62a9feed21781b3fb8604f1
SHA256: 7c3cc02e06b7db64d1e36479bca0ece8e977a1862e77ed2a7f639c4d0028b845
SHA512: 4587d2a6ca65c7944c0424bd0fb036bd92233f370160fa0ac4b1941d8c2aa11cbb85498248132e3d0f4b7a5d6543216f70620b8906b104648d27dd66fe775f91

Dropped file 2
Filesize: 1.0MB
MD5: 1ac8f5538b13ba75876342b9b7b58fd9
SHA1: 313e02ec364e7789e0cacf90541c0cff1c323e45
SHA256: e202b98783d5107dd15c9fa61426470d46b065d44aca209cec337be21931d8c9
SHA512: e241092e0b6c5373408abe2be6e71a30487c84e4ffe8bcfdb8629a59cc6a346b43f5b330a17dad963390412141c02075a0c3e1df70b42e56ce306ad19ec65616

Dropped file 3
Filesize: 570KB
MD5: e8e7b4f5a6bd9df0bd0f535b2d3ba670
SHA1: 7168d075514a6a17bfd19aa93408b7edf561c496
SHA256: 4ec88758ebabd0b71c71ef7bd2a3d0ecddb4ac5f2ef1764e72135a6955b3b9cb
SHA512: 04578994d7b8060c68921fdfe693b56f77f3aab78fd47546861faa5e9d5637242ce6c254008d1ae74d632e51cc838e021d1572c42e2b004720d06e7ffb33c086

Dropped file 4
Filesize: 310KB
MD5: 407683e36794289c62b018a6c4602bf7
SHA1: c898be0332e444882335d1e86f1baeb32ac0f9aa
SHA256: 6ca0abf9b6078e723c0e60cb30e8ff05e79770f392a9802940c7234761545ef2
SHA512: afdda40faf91928789eeeca4d9d0d0bec3b01b8130a2194a01dfd12327dc70fda5b7b3c9edadbf9f95632453e1adf56afa6310b71a8ea3dffea02a682d20a080

Dropped file 5
Filesize: 176KB
MD5: fdc108c21aef93737ebff6a2433e434a
SHA1: d557cf2fe168b5d677cc6125ff033ded6411a85c
SHA256: 3452dccfc3aaf6e77f5eea713d9de9a27981507723d058303c114992cc90cc5a
SHA512: 3ab7d45c8ec6629bb70474effa305e2a54afece91df02469a291fda8c80cc8b05d9f5ec5871d20a2f975f6be99e7c495020f34fe70fb956af725a8a66cf10380

Dropped file 6
Filesize: 168KB
MD5: 01ec9e12ad11d69c72abfe4f43bd44a4
SHA1: 4484718865f5eaf0cb86a49064dde9a01dd19572
SHA256: bd0861c4c8c32a4d7d18597f557d2814eff6c461922ef3e9aae80a528291a098
SHA512: 31132c60e76a5090d0913a54c172931aa1198db2fa849915facbb8a1317eec988d50b1d67e1c147b03c43df98f3bddf8704de8cd2bd37de7368c920b9cf5f067