Overview
overview
10Static
static
327efa43e16...c1.exe
windows10-2004-x64
102fd7c050fb...83.exe
windows10-2004-x64
1031714e287a...59.exe
windows10-2004-x64
104663b4277c...a5.exe
windows10-2004-x64
104ef1a0149d...77.exe
windows10-2004-x64
1055de348478...bf.exe
windows10-2004-x64
1062e08aa290...71.exe
windows10-2004-x64
107c2b1a4696...86.exe
windows10-2004-x64
109712f3ca55...1a.exe
windows10-2004-x64
10a2578cb8fe...19.exe
windows10-2004-x64
10a2e15ecbc2...3e.exe
windows10-2004-x64
10bc1039ea1a...c2.exe
windows10-2004-x64
10c7a4524e38...ae.exe
windows10-2004-x64
10f47fb04ed8...65.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 11:02
Static task
static1
Behavioral task
behavioral1
Sample
27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
31714e287ace88f54febd6e8f4714a27d61ad35bc95ab8b019334acebd9cd459.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
4ef1a0149daef80693bc6f0b8f8337399c8687c08ca4792d24e3bdaab9bf6f77.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
55de348478f00c0877bff6a44118e1b412443ef85c1e45f12245fb8483acb6bf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
62e08aa2909617f096cde8be4d834830bdad6f0907e76c051970413bb9a81571.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7c2b1a4696daa48a0b33a675af61f83d79ca86e3128c3e721bb51e375d18c386.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
a2578cb8fe72f0748c7fe615457b7d6aaf54e7985f27f459156f659d0937f119.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
a2e15ecbc2385dacd7bc1a3a58a295213fdccc9cc1f85d38c2a7ab13a599f33e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
bc1039ea1a02cf1e898c7cea2600cac8f44dbf43b2b49c31da3024ffd998a7c2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
c7a4524e38a070acf6ba7d4865de5125063cd4a021a47872adb720277271f3ae.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
f47fb04ed8077b20b9ca93eddc8ce4a4f05ca4367177fba67c1d87d2831d1865.exe
Resource
win10v2004-20240426-en
General
-
Target
9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe
-
Size
389KB
-
MD5
8db815190d477d5ff3320f63ee0322af
-
SHA1
f20c18ef6555549e9d467d3e63258dd51d561b7c
-
SHA256
9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a
-
SHA512
69b513a14c430ab26e06de529b07ab58624fb813c25e2b26db3e62db5255f537765c61c9fb0fcc8413ba3b0bc41d0ec3a593656012f8b4eeb63e398fee3057d8
-
SSDEEP
6144:Kuy+bnr+Hp0yN90QEXnPQvYkWsjZNoBnY6y8byR+cuVsv33+RRSlwlBEfXSm:SMrry90VnPiyY0yR+5Kvn+R8JCm
Malware Config
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral9/files/0x0008000000023436-13.dat healer behavioral9/memory/3612-15-0x0000000000EE0000-0x0000000000EEA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" p9256657.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" p9256657.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" p9256657.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" p9256657.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" p9256657.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection p9256657.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral9/files/0x0007000000023437-18.dat family_redline behavioral9/memory/3276-20-0x0000000000F20000-0x0000000000F50000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 4856 z7654585.exe 3612 p9256657.exe 3276 r8354031.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p9256657.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z7654585.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3612 p9256657.exe 3612 p9256657.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3612 p9256657.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1504 wrote to memory of 4856 1504 9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe 83 PID 1504 wrote to memory of 4856 1504 9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe 83 PID 1504 wrote to memory of 4856 1504 9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe 83 PID 4856 wrote to memory of 3612 4856 z7654585.exe 84 PID 4856 wrote to memory of 3612 4856 z7654585.exe 84 PID 4856 wrote to memory of 3276 4856 z7654585.exe 96 PID 4856 wrote to memory of 3276 4856 z7654585.exe 96 PID 4856 wrote to memory of 3276 4856 z7654585.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe"C:\Users\Admin\AppData\Local\Temp\9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7654585.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7654585.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9256657.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9256657.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8354031.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8354031.exe3⤵
- Executes dropped EXE
PID:3276
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5a27cd89a9b3edaa1a4f0e7f11451238e
SHA1be203c693c3ab8b3e9c28ab33eb541e35c9eacbf
SHA256b7fdb34a5765c492b175737d1d88e9ab2911f9fe7b13a93a3ea4cbe0efd6babf
SHA51298b4bbcf7889f32a4110140e3ad8baf96c4451b3bdf8baa2fad7510d58ece5ac58e7058a8f33e754e9cc7200b041f9c423b6dd91d8bbf27cab0bc5c46e66f44a
-
Filesize
14KB
MD58a11616e213bdee093a33b9f90b961cd
SHA12789b9f6b990f2ee80ccb6d955fdfaf23bbc42e2
SHA256bbf171f9906b63b6fe5f6c4efd4bcb47878c93817276ca9abbf719630eb0b85a
SHA512f47e87696740203efaeb912631b9481059a0e3dff4263605788dc4204a50f15b0d9f46f7fb34438b2e53fcd57fe024bc3dd7634f2a09f6f805448ab6e72668d4
-
Filesize
173KB
MD57db17099ccd4e1be9690412eaacf9a3f
SHA1a9d22067db19d0f7e4bff66597778ff43aa12833
SHA256dd8192ebd57226ded99ea00e4bddda2803fc08cdbfa59245e1c97a1f30bb13c3
SHA512c3b4f0d5a18c0c546d267753687082ff3f5b8da1899549b2948096078e136b36368073fbf796c27f13930c7053f6abf69808024185c5068d9cf3ff4b2ee736a0