Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 09/05/2024, 10:51 UTC
Static task
- static1
Behavioral tasks
- behavioral1: Sample 30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275.exe, Resource win10v2004-20240426-en
- behavioral2: Sample 4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe, Resource win10v2004-20240508-en
- behavioral3: Sample 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe, Resource win10v2004-20240508-en
- behavioral4: Sample 699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe, Resource win10v2004-20240508-en
- behavioral5: Sample 844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab.exe, Resource win10v2004-20240426-en
- behavioral6: Sample 86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe, Resource win10v2004-20240426-en
- behavioral7: Sample 9cf3d2bf3c4df3cc22948e45de303aec0f5ffce78a74c453774be0f6f060f6cb.exe, Resource win10v2004-20240508-en
- behavioral8: Sample ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe, Resource win10v2004-20240226-en
- behavioral9: Sample d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2.exe, Resource win10v2004-20240426-en
- behavioral10: Sample fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3.exe, Resource win10v2004-20240426-en
General
- Target: 4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe
- Size: 921KB
- MD5: 806e422c72778033c5ab84a122ee219d
- SHA1: 2a82b3feba5337f550d857fdd39290c1edbeaaff
- SHA256: 4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986
- SHA512: ac7a914896275cd09d64faee9eb7259f370f58845dd50b5ddfcd139296e57aedf457eec534d6498c0a0b67266a1c9b07c222bba27d65aee1304dba7a16b880eb
- SSDEEP: 24576:lyxIBM9mCnbl4MASk1HCUvk9gY6gmZw76pr:AxASDx7HzHy
Malware Config
Extracted
- Family: redline
- Botnet: lamp
- C2: 77.91.68.56:19071
- auth_value: ee1df63bcdbe3de70f52810d94eaff7d
Signatures
Detects Healer an antivirus disabler dropper (1 IoC)
- resource: behavioral2/memory/720-28-0x00000000006D0000-0x000000000070E000-memory.dmp, yara_rule: healer
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: k0381995.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: k0381995.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: k0381995.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: k0381995.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: k0381995.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: k0381995.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
- resource: behavioral2/memory/2724-35-0x0000000002000000-0x000000000208C000-memory.dmp, yara_rule: family_redline
- resource: behavioral2/memory/2724-42-0x0000000002000000-0x000000000208C000-memory.dmp, yara_rule: family_redline
Executes dropped EXE (4 IoCs)
- PID 4844: y3648461.exe
- PID 4204: y8860082.exe
- PID 720: k0381995.exe
- PID 2724: l4476781.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: k0381995.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: k0381995.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: y3648461.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: y8860082.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 720: k0381995.exe
- PID 720: k0381995.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 720: k0381995.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2020 (4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe) wrote to memory of PID 4844, procid_target 79 (3 entries)
- PID 4844 (y3648461.exe) wrote to memory of PID 4204, procid_target 80 (3 entries)
- PID 4204 (y8860082.exe) wrote to memory of PID 720, procid_target 81 (3 entries)
- PID 4204 (y8860082.exe) wrote to memory of PID 2724, procid_target 83 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986.exe"), PID 2020
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648461.exe, PID 4844
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8860082.exe, PID 4204
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0381995.exe, PID 720
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4476781.exe, PID 2724
        - Executes dropped EXE
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Create or Modify System Process: Windows Service