Overview
overview
10Static
static
319408d20ed...1b.exe
windows7-x64
319408d20ed...1b.exe
windows10-2004-x64
10209f361ec5...19.exe
windows7-x64
3209f361ec5...19.exe
windows10-2004-x64
102260e01650...fc.exe
windows10-2004-x64
1024b96bca46...df.exe
windows10-2004-x64
102a4e0bfefe...ad.exe
windows10-2004-x64
1030b28fbbc6...6a.exe
windows10-2004-x64
1045405e3261...66.exe
windows10-2004-x64
1055ab9707d2...50.exe
windows10-2004-x64
106568836094...3d.exe
windows10-2004-x64
1072a27ce3ad...a5.exe
windows10-2004-x64
109be0387d86...b9.exe
windows10-2004-x64
109d44150fdc...7d.exe
windows10-2004-x64
6b2402bf5ca...fa.exe
windows10-2004-x64
10c6bd926d58...44.exe
windows10-2004-x64
10cd321830f5...bc.exe
windows10-2004-x64
10cfcca94dd6...6e.exe
windows10-2004-x64
10dfa156ac28...ff.exe
windows10-2004-x64
10f1ae7fab47...cc.exe
windows10-2004-x64
10f25337a343...56.exe
windows10-2004-x64
10f5d16598bf...16.exe
windows7-x64
10f5d16598bf...16.exe
windows10-2004-x64
10Analysis
-
max time kernel
126s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
Resource
win10v2004-20240508-en
General
-
Target
cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe
-
Size
1.6MB
-
MD5
aed3e716f608104e2440f5a872c969de
-
SHA1
07bd20370b5dfebd101d421c64d040163aab20fc
-
SHA256
cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc
-
SHA512
80b1c179f57468ff121a0909e7e6940af32122e2086754329463c9c1877ea6e2cd4cfd0eccfe3f31b830a5d51fec6ceaacbd9e6c8eb6254cd734b0c4cdf00b5b
-
SSDEEP
24576:fyl8gNcSnpEaZYaoMZ7R9DkPAjuhhqT5zoCVQcx/e1jTfIHBx8sEwZZl7:qHDVq0NZkPmKh8zoCVQt1/Inxz
Malware Config
Extracted
redline
masha
77.91.68.48:19071
-
auth_value
55b9b39a0dae383196a4b8d79e5bb805
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral17/memory/3408-28-0x0000000000650000-0x000000000065A000-memory.dmp healer behavioral17/files/0x000700000002356b-35.dat healer behavioral17/memory/3252-37-0x0000000000800000-0x000000000080A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a0591490.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b8807328.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b8807328.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b8807328.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b8807328.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b8807328.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b8807328.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral17/memory/4524-42-0x0000000000490000-0x00000000004C0000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 4084 v4450258.exe 2028 v2382910.exe 2448 v3119867.exe 3408 a0591490.exe 3252 b8807328.exe 4524 c2338553.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a0591490.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b8807328.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v2382910.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v3119867.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v4450258.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3408 a0591490.exe 3408 a0591490.exe 3252 b8807328.exe 3252 b8807328.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3408 a0591490.exe Token: SeDebugPrivilege 3252 b8807328.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2012 wrote to memory of 4084 2012 cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe 90 PID 2012 wrote to memory of 4084 2012 cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe 90 PID 2012 wrote to memory of 4084 2012 cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe 90 PID 4084 wrote to memory of 2028 4084 v4450258.exe 92 PID 4084 wrote to memory of 2028 4084 v4450258.exe 92 PID 4084 wrote to memory of 2028 4084 v4450258.exe 92 PID 2028 wrote to memory of 2448 2028 v2382910.exe 93 PID 2028 wrote to memory of 2448 2028 v2382910.exe 93 PID 2028 wrote to memory of 2448 2028 v2382910.exe 93 PID 2448 wrote to memory of 3408 2448 v3119867.exe 95 PID 2448 wrote to memory of 3408 2448 v3119867.exe 95 PID 2448 wrote to memory of 3408 2448 v3119867.exe 95 PID 2448 wrote to memory of 3252 2448 v3119867.exe 100 PID 2448 wrote to memory of 3252 2448 v3119867.exe 100 PID 2028 wrote to memory of 4524 2028 v2382910.exe 101 PID 2028 wrote to memory of 4524 2028 v2382910.exe 101 PID 2028 wrote to memory of 4524 2028 v2382910.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe"C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe4⤵
- Executes dropped EXE
PID:4524
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:81⤵PID:3068
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.4MB
MD5a9c8938bb80e4535f4d00f93ca4db050
SHA19875588d3102cb2a50eb5fdc0e517af9676fe769
SHA256faae488d0f36be21caea7908d89e1171fa6292ebc7f06b387835cc1b0e83cc0d
SHA5122a75bbe5717850c7a11ccfd5cecf84bddf982a3512a70909b0d9daf4abe7b217498cc5f147dec1b1b81d2e2d1f7ce54e54eb1fcc15071f3c4f375a0b98ab4d19
-
Filesize
1.3MB
MD59dd971f5c28bd239ce88e6b50cf70234
SHA1c4ef5f8668e15371d14fa93c8b18dc4d578d0d3b
SHA2561f615508a598246fd500720118f9a85603048c8ba6c60484094605ba69ec1ef8
SHA51257330a0c7b4a1b0539f153c4cfc9a159767352f36748de8c9dcafa3adce2652ee758c7d78c1728f6edda2c4c38b04167c1191e54f65c8005e37109b4d1da36dd
-
Filesize
729KB
MD5640ce7325e5663516b121c5eeeb02dbc
SHA1ac6ba514c9442b43450415b22d6b6fb686485cf7
SHA256589e5e37639cfd78e6b7d7bb05bd072742932309195073812a7104cd9e715fc8
SHA5121fa81a601b38f278b163c6ba04fe20d49c6f258ffbd8a4598553b209a83f0433d868f83f1f47876f2c1edef0b431334ebb8dfbcfb8bad3a3db9ee3f6161e87ed
-
Filesize
640KB
MD5a23e8566807ee3a468dabd71af03d831
SHA1bdb3d103a6108ba80f05bc73666e74816eb605f8
SHA2568091ea19390957b3e708748238daa02d95f3e2b42abc9d29d7e88172bb344604
SHA512aacfadc599c4e0a1ac54664a30fa6ba165df087b97e6225fe561439d465678fa731dc9712a3e1b30c0d79ecff8a2b8007e11f1653867498472125a4c88b4e827
-
Filesize
568KB
MD55cef2c3efcc75856638d10e09a8aaa08
SHA16a91293684bb915d84b394e7a58d92b6c9671c96
SHA256b9d62aff6a5001903f6c1dce538cade7460b8efa1670a18002bd2b758944bd0b
SHA512b20bef185f44d28fcc5e5adfa11991dcb05fae4856e2fc8e1204626e904fb8a90d604377b59a2c9210a3cb632ab08bbbfa04cbaa7fbf958f0735ff9ebd54b0c2
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91