Overview
overview
10Static
static
335c135016a...ef.exe
windows10-2004-x64
103ab23a3036...c6.exe
windows10-2004-x64
103b8cd7306b...71.exe
windows10-2004-x64
103ea65c50a2...63.exe
windows7-x64
33ea65c50a2...63.exe
windows10-2004-x64
1051c9916d6f...bf.exe
windows10-2004-x64
1053cf9b6e16...08.exe
windows10-2004-x64
1064792ffeec...35.exe
windows10-2004-x64
1071d1420ff1...80.exe
windows10-2004-x64
107a08e2a624...2b.exe
windows10-2004-x64
107dbf05d83f...65.exe
windows7-x64
37dbf05d83f...65.exe
windows10-2004-x64
107f80787d38...fd.exe
windows10-2004-x64
109176ff0f1c...21.exe
windows10-2004-x64
10babd836631...1d.exe
windows10-2004-x64
10cbd8058875...48.exe
windows7-x64
3cbd8058875...48.exe
windows10-2004-x64
10d134576ca7...48.exe
windows10-2004-x64
10da09729d57...e8.exe
windows10-2004-x64
10dcfab037f7...a0.exe
windows10-2004-x64
10eca60134d9...3f.exe
windows10-2004-x64
10f16db96028...f1.exe
windows10-2004-x64
10f5957f382e...6a.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Resource
win7-20240508-en
Behavioral task
behavioral5
Sample
3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a.exe
Resource
win10v2004-20240508-en
General
-
Target
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe
-
Size
920KB
-
MD5
0bba6c5a8b9979a2241f1450ba08acac
-
SHA1
823b3a858ce440a6b30ca707db2a28ef5596fdff
-
SHA256
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1
-
SHA512
8d23fc817ef2cb576610036221c22b4b7ab5697dad617de7bc6f656619e9764f9f126db0e02a2a79d7a55d2bdcca68477f77660d789d9676d7750aaa0692167c
-
SSDEEP
12288:+Mr9y90+HbQau2ZVqMaLa1SZpRgJf+X+dPWgI8Fitq2UudtD79LEN6nt1S:7ydcoVY8SZp6JfRPHvFujZwN6na
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral22/memory/4416-28-0x0000000000680000-0x00000000006BE000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k3968565.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k3968565.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k3968565.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k3968565.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k3968565.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k3968565.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral22/memory/1324-35-0x0000000002010000-0x000000000209C000-memory.dmp family_redline behavioral22/memory/1324-42-0x0000000002010000-0x000000000209C000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2776 y2293620.exe 3908 y1680674.exe 4416 k3968565.exe 1324 l7023074.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k3968565.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k3968565.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y2293620.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y1680674.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4416 k3968565.exe 4416 k3968565.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4416 k3968565.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3260 wrote to memory of 2776 3260 f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe 83 PID 3260 wrote to memory of 2776 3260 f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe 83 PID 3260 wrote to memory of 2776 3260 f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe 83 PID 2776 wrote to memory of 3908 2776 y2293620.exe 84 PID 2776 wrote to memory of 3908 2776 y2293620.exe 84 PID 2776 wrote to memory of 3908 2776 y2293620.exe 84 PID 3908 wrote to memory of 4416 3908 y1680674.exe 85 PID 3908 wrote to memory of 4416 3908 y1680674.exe 85 PID 3908 wrote to memory of 4416 3908 y1680674.exe 85 PID 3908 wrote to memory of 1324 3908 y1680674.exe 96 PID 3908 wrote to memory of 1324 3908 y1680674.exe 96 PID 3908 wrote to memory of 1324 3908 y1680674.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe"C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exe4⤵
- Executes dropped EXE
PID:1324
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
765KB
MD518e389e79f96cbe2d759c734d3e49e78
SHA150cb298fd91a90ebf2bac3bde37b6d77cca4267d
SHA25648fd34f5c8037fad88d01fc9863612f020fbc15409efca49d40f7e91639d33ff
SHA512ac4e859905944e6b2e868207279aa880aeb6fd0ad2aa962f59f7c89285b7c99be54a35166df5d64174bcea5f718e4e4a277e0d39d568093033d1903dc4610b79
-
Filesize
582KB
MD568067bec765ac70f1c242f4c4046c282
SHA1ff713e405ab12cde47cbaf932cf1cb87e557c956
SHA2562bd9ad30ef9ab2fc56a38f9487a2466f5f4d031f2bbb4d3e44668958433bc79a
SHA512d8d04c652650d26d12caeadbbd2dea80ac31c039f79a415035ad40f4fea08fd2ef07ea01a7b3d03ef8518dc8df8b135bd035a144e9b50d391c1da5e755922016
-
Filesize
294KB
MD58da17d71715c495fb0be1adf72311636
SHA187f0490b70f70fd36e00bb7d2d7ff279119296fd
SHA2565c02f1c047f26359ace7383a60bec2b7f4cc68c8948007e12f8a7757d6b309d2
SHA5123db56898bdee039a7d1fd374852a564e39ea97469a72203e0d3e0c18862a90475f51390c617f05d0a04f9531e0b785e625549caea0f484063029c25ab2c59b93
-
Filesize
491KB
MD501e3487170c4d9d1da491a231157e6fd
SHA112d851baae91313bcae4da1d254cf5a8a8a424a1
SHA256952c7cdd3f35e9c7ff35b78ac3bcf2e3fd6be449a8d017f515b1262c3697fbb6
SHA512f98cd58a23a26f76196bb95849a2d0eb435e10702f5bf1d0d17f8cfbc0eeb94f3be6e1da1780eca081215a87c30f40270ba0ab2b5f9b777910b104e1a29785a9