-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
09-05-2024 15:28
Static task
static1
Behavioral task
behavioral1
Sample
143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe
Resource
win10v2004-20240508-en
General
-
Target
4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe
-
Size
1.2MB
-
MD5
71be01bb024a89a23ca18aa6a77d160b
-
SHA1
4d11090dcfa1809209f5ead33ff2359628985a5f
-
SHA256
4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3
-
SHA512
47a8989ec3f915a900af0c9413dc51d16a706a20e219c34f9425472a21d70711599ee0d9c3990f2463a1050867afd6f4a483be27169124b8ae0c5b7589ae8668
-
SSDEEP
24576:9yzGzXUUN6D6ScsWIPYUSsXqzlIQBo+/RpyPQqhNFGIO/:YQXUUN6D6CwvsXsWKoIRsxhNw
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer, an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral7/memory/2876-41-0x0000000000570000-0x00000000005AE000-memory.dmp healer behavioral7/files/0x000700000002342c-46.dat healer behavioral7/memory/3720-48-0x0000000000D90000-0x0000000000D9A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b8770774.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b8770774.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b8770774.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b8770774.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b8770774.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b8770774.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a6370349.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral7/memory/5488-54-0x00000000005A0000-0x000000000062C000-memory.dmp family_redline behavioral7/memory/5488-60-0x00000000005A0000-0x000000000062C000-memory.dmp family_redline -
Executes dropped EXE 7 IoCs
pid Process 2860 v9405994.exe 4496 v6384948.exe 3460 v1040822.exe 4324 v1586501.exe 2876 a6370349.exe 3720 b8770774.exe 5488 c6121207.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a6370349.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b8770774.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6384948.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v1040822.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v1586501.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v9405994.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2876 a6370349.exe 2876 a6370349.exe 3720 b8770774.exe 3720 b8770774.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2876 a6370349.exe Token: SeDebugPrivilege 3720 b8770774.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1920 wrote to memory of 2860 1920 4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe 82 PID 1920 wrote to memory of 2860 1920 4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe 82 PID 1920 wrote to memory of 2860 1920 4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe 82 PID 2860 wrote to memory of 4496 2860 v9405994.exe 83 PID 2860 wrote to memory of 4496 2860 v9405994.exe 83 PID 2860 wrote to memory of 4496 2860 v9405994.exe 83 PID 4496 wrote to memory of 3460 4496 v6384948.exe 84 PID 4496 wrote to memory of 3460 4496 v6384948.exe 84 PID 4496 wrote to memory of 3460 4496 v6384948.exe 84 PID 3460 wrote to memory of 4324 3460 v1040822.exe 85 PID 3460 wrote to memory of 4324 3460 v1040822.exe 85 PID 3460 wrote to memory of 4324 3460 v1040822.exe 85 PID 4324 wrote to memory of 2876 4324 v1586501.exe 86 PID 4324 wrote to memory of 2876 4324 v1586501.exe 86 PID 4324 wrote to memory of 2876 4324 v1586501.exe 86 PID 4324 wrote to memory of 3720 4324 v1586501.exe 97 PID 4324 wrote to memory of 3720 4324 v1586501.exe 97 PID 3460 wrote to memory of 5488 3460 v1040822.exe 98 PID 3460 wrote to memory of 5488 3460 v1040822.exe 98 PID 3460 wrote to memory of 5488 3460 v1040822.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe"C:\Users\Admin\AppData\Local\Temp\4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6121207.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6121207.exe5⤵
- Executes dropped EXE
PID:5488
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1 Registry Run Keys / Startup Folder
1 Create or Modify System Process
1 Windows Service
Downloads
-
Filesize
226B
MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.0MB
MD5 aef04ccd0641dc9a63df41e25aa4273e
SHA1 c3b0d2a04a795babc21c810ad46f5217dca34137
SHA256 0abea631e220741b291754699d5545449a059ca4d2d0559fdc465c92f045b2eb
SHA512 0942a1dfb0901b7a214be0ebb577de1b590189e5d7d5830e577acd4c7455181283a771db7dfce93eab98b67c2cd53bdb2eaf5a645c9e4aee5dcdcca39b382804
-
Filesize
907KB
MD5 44c832fc392e51418fc15c39ab3de1e7
SHA1 fbc66040168e7f66f4d4398bfa975cac696cb388
SHA256 0a78c5e4410205c3c84531e625507722c41af9a104962a80e3ed6058b5199dd9
SHA512 c6b12e389eca96a1775e558ab4d448f72a2a22721fc3518fd321e97e6a7798db0201257d91770bd452ae84b2cfc6ccce08445c1ade5bf149448f7dcb4d4e86df
-
Filesize
724KB
MD5 7b46cc038ef86adcd4c68aca30e827ab
SHA1 de3f3ea3efee57d4cd7adbef9967dc70d9e374cb
SHA256 c9cd1e8b266848f88a108ecc30abbce1812e7d05412f6795394141ec3e103d8e
SHA512 6fc5f1db66030c616c695402a1df40185fee44aca2cacd6bd76a02046d65f228df5cf38981230e0352fb52e515b877cf2a76efec70f33e63331fb344ddbc7240
-
Filesize
492KB
MD5 5adb87d97c20867c329ebfc6df1c490e
SHA1 1bf2dabf26f4358ba354f223cc103a76445b0eb4
SHA256 77f6716e92a77c63bc2d9249a0b3caf1f47fd9131f6b8e0159545e40fe8bb38c
SHA512 2c2f0e2884e62a133a570ef440f3addf1d320f22b0ff914827014d2ae4812772e4a29f9dcebb2fe00969f412be3430ed4749ff7ec11022c2f30be064b9723b83
-
Filesize
326KB
MD5 7ca527243bc8f6db1462a860ec57aac2
SHA1 30737b8e360dc4eddd7492f9a1a86cf10bf405ad
SHA256 189417b41216990025f5be820a972769f9a333878ad2256a9f014d546954851a
SHA512 396f444648527207fdef07281fd1b3d98e84180d1687c3270e2927b792d566c130df5c345cfbc29236d3e093ff6847ac979401c1b8d67e29e2ff96591c79f5a9
-
Filesize
295KB
MD5 69738532f97ce2ea62f220d38452732f
SHA1 213a12ed7882f306067521c38c63d5557e0f070a
SHA256 e66db8d1b573b77c498d1e8c93eaaa52ca975b34d81da8a0d9702484a8edabfa
SHA512 9dc45f205ec73471c02ff7f021f6bedfc825c8674fef572dfadecf503993b53f07d12ea1f51cf38dd930d5a3a9415e04ff2e9b317865b1c7ab25cad682848578
-
Filesize
11KB
MD5 eed9c4f01f76dfcb47c381e467c156b6
SHA1 ae4d42d1975f4ac968aa781243efdf580c58d58e
SHA256 ac26f5d95655a7e285a64813dff4ebba5fb9fdbe8bc3268c9c0d0b452b502b61
SHA512 273de9dcccadab14684fe2e959d25f9833a639fb41942f6ecf5304de50fab8215183197feeb03f7f4bb09031fc19aaac13b5dad66096ce1f3d81a74bf0cbec06