Overview
overview
10Static
static
31d059ca891...d4.exe
windows10-2004-x64
101d90edda9f...51.exe
windows7-x64
31d90edda9f...51.exe
windows10-2004-x64
101e44c41d8d...91.exe
windows10-2004-x64
101ed736973c...3e.exe
windows10-2004-x64
10559234fc52...e2.exe
windows10-2004-x64
105a4570005d...a4.exe
windows7-x64
35a4570005d...a4.exe
windows10-2004-x64
61f1a776dc...62.exe
windows10-2004-x64
1067045db960...01.exe
windows10-2004-x64
106d684b37ca...5c.exe
windows10-2004-x64
1077cbabe9fe...cf.exe
windows7-x64
377cbabe9fe...cf.exe
windows10-2004-x64
108a73bb4899...c3.exe
windows10-2004-x64
108db3c27c31...88.exe
windows7-x64
38db3c27c31...88.exe
windows10-2004-x64
10b72cfb2517...df.exe
windows10-2004-x64
10c2ef692d84...7e.exe
windows7-x64
3c2ef692d84...7e.exe
windows10-2004-x64
10c39106a352...4e.exe
windows7-x64
10c39106a352...4e.exe
windows10-2004-x64
10ca6d56a637...da.exe
windows10-2004-x64
10db14966ca7...cb.exe
windows7-x64
10db14966ca7...cb.exe
windows10-2004-x64
10e800205bb9...fd.exe
windows7-x64
3e800205bb9...fd.exe
windows10-2004-x64
10f8a2da44f9...41.exe
windows10-2004-x64
10fc8b501a18...d3.exe
windows7-x64
3fc8b501a18...d3.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 12:30
Static task
static1
Behavioral task
behavioral1
Sample
1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
Resource
win7-20240508-en
Behavioral task
behavioral3
Sample
1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
Resource
win7-20240220-en
Behavioral task
behavioral13
Sample
77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe
Resource
win7-20240220-en
Behavioral task
behavioral19
Sample
c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe
Resource
win7-20240215-en
Behavioral task
behavioral21
Sample
c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral28
Sample
fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe
Resource
win7-20240221-en
General
-
Target
ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe
-
Size
925KB
-
MD5
182c7282a0ce3f4b3167518c8a2f9d66
-
SHA1
7277f55f22c18008840d4aa0c65721df2129d761
-
SHA256
ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da
-
SHA512
57895e1fe2d89271097e920e8eeaccbeafc861fde18aa85cdac7cf716cebb332fe201e2821512be04a92c965894526c3f7bcb8d3d7b010909cc8318f95ce79a0
-
SSDEEP
24576:UylKFVXmbDRGB2xA30pIMporMtfc/FgIHs8:jEVGFGB2CkpIuPtfees
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral22/memory/3688-28-0x00000000005C0000-0x00000000005FE000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k8000827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k8000827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k8000827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k8000827.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k8000827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k8000827.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral22/memory/1696-36-0x00000000005F0000-0x000000000067C000-memory.dmp family_redline behavioral22/memory/1696-42-0x00000000005F0000-0x000000000067C000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 544 y8792484.exe 2476 y3682092.exe 3688 k8000827.exe 1696 l8276002.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k8000827.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k8000827.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y8792484.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y3682092.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3544 sc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3688 k8000827.exe 3688 k8000827.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3688 k8000827.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3736 wrote to memory of 544 3736 ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe 83 PID 3736 wrote to memory of 544 3736 ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe 83 PID 3736 wrote to memory of 544 3736 ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe 83 PID 544 wrote to memory of 2476 544 y8792484.exe 84 PID 544 wrote to memory of 2476 544 y8792484.exe 84 PID 544 wrote to memory of 2476 544 y8792484.exe 84 PID 2476 wrote to memory of 3688 2476 y3682092.exe 85 PID 2476 wrote to memory of 3688 2476 y3682092.exe 85 PID 2476 wrote to memory of 3688 2476 y3682092.exe 85 PID 2476 wrote to memory of 1696 2476 y3682092.exe 98 PID 2476 wrote to memory of 1696 2476 y3682092.exe 98 PID 2476 wrote to memory of 1696 2476 y3682092.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe"C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe4⤵
- Executes dropped EXE
PID:1696
-
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3544
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
769KB
MD5e9c35fad007c9abb695cdf32a6ef8350
SHA1d97cc8e389c68e9aff8d28d0691db3da4b56e93d
SHA256a7e240048e51d605d4c92f47e4dae2c31558849be479794c2ee0761e240ef03d
SHA512c6e80f476737b9d56d884438fe2045c3b42ce5e2ebc0833ec786f4c75df10934c67e0b194b79174e6588de14de2d651da5b788553ac3e7a619f3effc110c0ef7
-
Filesize
585KB
MD5eac44c7b9549f1b58cf25c60ee304435
SHA1bf66fe6604311066fd2d8de1743af49c8f902edf
SHA2567adab0943d097033395ba73d8760b3f523fd636a0bb13c8ac0dd37f0a63be91d
SHA512c32120a4fbeb8b9bff77a9d5fb8f324752524fb8edd87387a28780c0e6eb0affad63a26860f682abac7835ddbcee4cdb9b67f2ecb3a22bdc57802509b5af5ade
-
Filesize
295KB
MD582c2b3a4497da45e69dce662504c47f7
SHA1068c99cc9b40709f9967d393edd5a9e56b269015
SHA256cc13fa7cc073a8810513c3fc4bea322132f6c659785cc68a6d11368fe4b11e7d
SHA512b99991a938c78a90830c08285e98a552c5e0f7eb7717c1a2d4f89f4553bc452944b8b0bf91ad3b930fd9b2c21422fad73b975779c8a7e7a6932b6100fc13e55b
-
Filesize
492KB
MD56d30780150b36e2b9c70bcf294a2fba7
SHA160555be1736e34f14a4fb14aa8f1196d982dd29f
SHA256fcf9145080af193ac72b17a81c9a76688e37ebd172c6b47e39a4ecd1aedd17fd
SHA5122dc7a5f53794b4c548861f10fad1f0d79e7485cb2bb4de388f3109f8b82d22d1b87456d2e4f9d19d356180fc8cbebb74d3cd696059bd0c1c60284e45895cc58c