Overview
overview
10Static
static
3143e14de3a...c5.exe
windows10-2004-x64
1022c5bd0a3e...19.exe
windows10-2004-x64
10291dafd231...e9.exe
windows10-2004-x64
102e0a9b6a39...9b.exe
windows10-2004-x64
10499d652934...48.exe
windows7-x64
1499d652934...48.exe
windows10-2004-x64
14b8eb94185...c3.exe
windows10-2004-x64
104d09936a4a...bf.exe
windows10-2004-x64
104fbcb0a2f4...73.exe
windows10-2004-x64
1053ecffef24...36.exe
windows10-2004-x64
1059a57474eb...06.exe
windows10-2004-x64
1061f1416a77...2b.exe
windows10-2004-x64
106aec183a58...31.exe
windows10-2004-x64
107182994846...ce.exe
windows7-x64
37182994846...ce.exe
windows10-2004-x64
107506757ba8...b0.exe
windows10-2004-x64
1080ada740eb...52.exe
windows10-2004-x64
109e8418826f...52.exe
windows10-2004-x64
10a898d72b49...84.exe
windows10-2004-x64
10e6baad5a7e...5c.exe
windows10-2004-x64
10ea3dd01036...9e.exe
windows10-2004-x64
10Analysis
-
max time kernel
143s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 15:28
Static task
static1
Behavioral task
behavioral1
Sample
143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe
Resource
win10v2004-20240508-en
General
-
Target
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
-
Size
1.2MB
-
MD5
2ff65e9ca8a0b92b2f9ead3ba8dd7ed2
-
SHA1
bc118c8a4ba9391e5bc4315eef3d0dd83afaebfd
-
SHA256
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf
-
SHA512
4fd459726173efd0412638d81884d4636b385098696b6dee1b403b809a3eb79c2202394ca4ca5e8f3f1630e83e02af723a78931c58242cf161abe1974b32137a
-
SSDEEP
24576:YyZkbJInDZr4+HhuBykcdH3B3laSprA5MBkWUhLfYTemxmdza8xPjo:fZkbSDZTHc9cdH3aSBA5I4FduaPj
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral8/memory/4180-41-0x00000000005A0000-0x00000000005DE000-memory.dmp healer behavioral8/files/0x0007000000023292-46.dat healer behavioral8/memory/3992-48-0x00000000002D0000-0x00000000002DA000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b3677044.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b3677044.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b3677044.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b3677044.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b3677044.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b3677044.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral8/memory/4468-53-0x0000000000740000-0x00000000007CC000-memory.dmp family_redline behavioral8/memory/4468-60-0x0000000000740000-0x00000000007CC000-memory.dmp family_redline -
Executes dropped EXE 7 IoCs
pid Process 464 v1426625.exe 908 v4288450.exe 1800 v0931522.exe 2128 v0829334.exe 4180 a5137020.exe 3992 b3677044.exe 4468 c1783125.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a5137020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b3677044.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1426625.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v4288450.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v0931522.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" v0829334.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4180 a5137020.exe 4180 a5137020.exe 3992 b3677044.exe 3992 b3677044.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4180 a5137020.exe Token: SeDebugPrivilege 3992 b3677044.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1444 wrote to memory of 464 1444 4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe 91 PID 1444 wrote to memory of 464 1444 4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe 91 PID 1444 wrote to memory of 464 1444 4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe 91 PID 464 wrote to memory of 908 464 v1426625.exe 92 PID 464 wrote to memory of 908 464 v1426625.exe 92 PID 464 wrote to memory of 908 464 v1426625.exe 92 PID 908 wrote to memory of 1800 908 v4288450.exe 93 PID 908 wrote to memory of 1800 908 v4288450.exe 93 PID 908 wrote to memory of 1800 908 v4288450.exe 93 PID 1800 wrote to memory of 2128 1800 v0931522.exe 94 PID 1800 wrote to memory of 2128 1800 v0931522.exe 94 PID 1800 wrote to memory of 2128 1800 v0931522.exe 94 PID 2128 wrote to memory of 4180 2128 v0829334.exe 95 PID 2128 wrote to memory of 4180 2128 v0829334.exe 95 PID 2128 wrote to memory of 4180 2128 v0829334.exe 95 PID 2128 wrote to memory of 3992 2128 v0829334.exe 101 PID 2128 wrote to memory of 3992 2128 v0829334.exe 101 PID 1800 wrote to memory of 4468 1800 v0931522.exe 102 PID 1800 wrote to memory of 4468 1800 v0931522.exe 102 PID 1800 wrote to memory of 4468 1800 v0931522.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe5⤵
- Executes dropped EXE
PID:4468
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵PID:4036
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.0MB
MD50ffebb1f8e07e9e177551ddfe1e5deb3
SHA1126013412bc3d49f5c8e3beafe9cfd92fdf59c65
SHA256cd6bdea7c7a6c6ade538cf5d4567881d67e82dd72d473179cb47986367bae628
SHA5121a23a319a9d8c4f025ede357e008d6ee0a656f88e7efa0901a46eef7b6c56248dad5a4b251f82b3d7c1aa73562ff5fa00e5ae2f9262554232badebe4dc71918a
-
Filesize
909KB
MD505b31cc1f873f663da8a3673ee1c1e70
SHA1da64bfd433ce785b9d26fb0f6fe4883d9d790b09
SHA2562a5782027e95953e6a505c58e691fc2324135b202c38c437ad4dc8ced47a2feb
SHA512d902b06aebe522c883f782dd299f57d3d1925ab3e4955b8ce6882e53523bd63b9d3f35b8c0f0c6ad8aea0a5e9f9e3ad01fd2bc2096dbe62196ce38bb0f6f40d8
-
Filesize
725KB
MD550f2ebe7886d7ecf35f81f720ac270ed
SHA159f616bc7d655575d54e58c256de026dd0c82c6e
SHA256e127f2e8fb3406e6ce6497ebf04e41c01b95f4a7c2d3c89ecc5fe462dfa62ffd
SHA512d685afabb0bb488b1d6d0c3d69b0175593658f5920d25841086759be73ed79ee426883485013fa5b6f5398372c36145c559404ac7892e559d75846fbaf5adf44
-
Filesize
492KB
MD51bc0f3239045d44d169496f3b247f881
SHA11884266973607585ec1b134f6009c17e54f3b18f
SHA2568d09dd356bd29f5d38121849999e828d955e116d03542444d0b4f40073596e7f
SHA512dc3a2358d4d2613bb82c60362c409590a8699d53625efd9fd8b853f5e19afed07c798cf66b59d38bd526a80559bc4cc486b23b0f40f3fb120bd61a67946f87a9
-
Filesize
325KB
MD5c045adc356c9935a873d1cd91cd54989
SHA106b1b8c34e396a09a69a425af0f8b00671a4f953
SHA256bb2374a0251dd291e217e7c74eac6881cc229a2778ba0047f54e014bebc75a62
SHA512bcab8a6331c4ceb7beeff395fc6d3b8d0ae7e1ae3ea0c45692870aad586563ed8313d24b02d45c69cb0496f7115f6580422637edcb4c188575960819e86f54f0
-
Filesize
295KB
MD5c43930fbf73244831a96682aba907e8c
SHA144db4ec9c11a04d56d2bfab7f993abf37a23e6fe
SHA2569beeaf6651baa5e2597a933df6eee18cf168ba41865e18001185613e0949bba3
SHA5126cb91d5c9317f693a04eec12cddef55760619ed65944df60986b009eb1c782833d121788d4352519e6391bed2a06f0f602b1f4a753623c7ac92dd0440dd307af
-
Filesize
11KB
MD5f77d78af12b9628421ed4e1dfb7deb13
SHA19b6fa06af3564e2fe4724d8b5ebfdfd2a7ec0fd5
SHA25610d806abe4d088bbb95c43a04c91f68a10888bd256de9c9a58c4c7642a9572ab
SHA5126c01f44fdb412a58a19ddb4caf73a502a5aae10aecb959a67142ab267ef6732a7e5e6346c1a5ce5aa52823ae5b50372c083e4e59f650c835a38c75d334303e00