Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 14:49
Static task: static1

Behavioral tasks (task: sample, resource)
behavioral1: 01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916.exe, win10v2004-20240426-en
behavioral2: 0f8698fea90dbf665be173be76a450cd2e77e0ffc44993fbed40dba923374671.exe, win7-20240221-en
behavioral3: 0f8698fea90dbf665be173be76a450cd2e77e0ffc44993fbed40dba923374671.exe, win10v2004-20240508-en
behavioral4: 10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862.exe, win10v2004-20240226-en
behavioral5: 12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f.exe, win10v2004-20240426-en
behavioral6: 1e8cbc456786daa6da93242154f714f7e224f45514a9556e7a644f39934e3196.exe, win7-20240419-en
behavioral7: 1e8cbc456786daa6da93242154f714f7e224f45514a9556e7a644f39934e3196.exe, win10v2004-20240508-en
behavioral8: 27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1.exe, win10v2004-20240426-en
behavioral9: 2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7.exe, win10v2004-20240426-en
behavioral10: 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe, win10v2004-20240508-en
behavioral11: 4ef1a0149daef80693bc6f0b8f8337399c8687c08ca4792d24e3bdaab9bf6f77.exe, win10v2004-20240508-en
behavioral12: 51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7.exe, win7-20240508-en
behavioral13: 51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7.exe, win10v2004-20240508-en
behavioral14: 51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244.exe, win10v2004-20240426-en
behavioral15: 7073615f2bb8bdde4bddb204be08de240462e36b437993850d9ebcaa68dc66d4.exe, win10v2004-20240426-en
behavioral16: 85963051ece1830904f1352feb417a21d0483c9ef3735855d49b257c6278df13.exe, win10v2004-20240426-en
behavioral17: 91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe, win10v2004-20240226-en
behavioral18: c7a4524e38a070acf6ba7d4865de5125063cd4a021a47872adb720277271f3ae.exe, win10v2004-20240508-en
behavioral19: cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe, win10v2004-20240426-en
behavioral20: d71ef74d3278f53c23c7f004992b27f41fcafdbf8bf24ae61339ef1fded7d1a8.exe, win7-20240221-en
behavioral21: d71ef74d3278f53c23c7f004992b27f41fcafdbf8bf24ae61339ef1fded7d1a8.exe, win10v2004-20240508-en
behavioral22: de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69.exe, win10v2004-20240508-en
behavioral23: e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5.exe, win7-20240419-en
behavioral24: e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5.exe, win10v2004-20240508-en
behavioral25: f47fb04ed8077b20b9ca93eddc8ce4a4f05ca4367177fba67c1d87d2831d1865.exe, win10v2004-20240508-en

The remainder of this page reports behavioral19 only (target cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe on win10v2004-20240426-en); the YARA and memory-dump references below carry the behavioral19 prefix for that reason.
General
Target: cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe
Size: 309KB
MD5: 290ff81ba12e0d1d1a636eb5a3de8823
SHA1: 98ec545dbb97f4b7c55ee3fc91afe85d8e2d60aa
SHA256: cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721
SHA512: f168ae49314180c63bd492aa57a7f74b629f4a4398772ade9e4cc9dbcf3e8f8d228beb23c81a668edc4351c892e32c7c0867f91a77a6a667d7151ddbcec2e6f4
SSDEEP: 6144:KUy+bnr+sp0yN90QEM5F5OYc1u31g4TByQpv2+YtIpTA:IMrQy906xc1u31TTEQh2HtSA
Malware Config
Extracted
  Family: redline
  Botnet: mihan
  C2: 217.196.96.101:4132
  auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
YARA rule "healer" matched in behavioral19 memory dumps of PID 4524 (a1587872.exe):
  4524-8   0x0000000002070000-0x000000000208A000
  4524-11  0x0000000004980000-0x0000000004998000
  4524-12, -13, -15, -17, -19, -21, -23, -25, -28, -30, -31, -33, -35, -38, -39  0x0000000004980000-0x0000000004992000

Modifies Windows Defender Real-time Protection settings (6 IoCs; heading restored from the process tree below)
Process a1587872.exe, under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection:
  Key created
  Set value (int) DisableOnAccessProtection = "1"
  Set value (int) DisableRealtimeMonitoring = "1"
  Set value (int) DisableScanOnRealtimeEnable = "1"
  Set value (int) DisableBehaviorMonitoring = "1"
  Set value (int) DisableIOAVProtection = "1"
These are the Group Policy override values (Policies\Microsoft\Windows Defender\...), written by a 32-bit process, hence the WOW6432Node view recorded by the sandbox.

Windows security modification (2 IoCs; heading restored from the process tree below)
Process a1587872.exe, under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features:
  Key created
  Set value (int) TamperProtection = "0"

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
YARA rule family_redline matched:
  behavioral19/files/0x0007000000023440-45.dat
  behavioral19/memory/3320-48-0x0000000000070000-0x00000000000A0000-memory.dmp (PID 3320, b9227143.exe)
So of the two dropped executables, a1587872.exe carries the Healer AV-disabler and b9227143.exe carries the RedLine stealer configured for the C2 above.

Executes dropped EXE (2 IoCs)
  PID 4524  a1587872.exe
  PID 3320  b9227143.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Process cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Caveat: a wextract_cleanup RunOnce value that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the cleanup entry written by the Windows IExpress/WEXTRACT self-extractor. It tells you the target is a self-extracting wrapper whose contents were unpacked to IXP000.TMP, and that this entry deletes that folder at next logon rather than persisting a payload. It is still the link that ties a1587872.exe and b9227143.exe, both run from IXP000.TMP, to the wrapper.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4524  a1587872.exe (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4524  a1587872.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1820 (cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe) wrote to memory of PID 4524 (a1587872.exe), procid_target 83: 3 events
  PID 1820 (cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe) wrote to memory of PID 3320 (b9227143.exe), procid_target 90: 3 events
Caveat: a parent writing to each of its own freshly created children is consistent with ordinary process creation (the parent writes into the new process during CreateProcess); nothing on this page shows a write into an unrelated process, so this signature alone is not evidence of injection.
Processes

cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe (PID 1820, depth 1)
  Image: C:\Users\Admin\AppData\Local\Temp\cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  a1587872.exe (PID 4524, depth 2, parent 1820)
    Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a1587872.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a1587872.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  b9227143.exe (PID 3320, depth 2, parent 1820)
    Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9227143.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9227143.exe
    - Executes dropped EXE
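The registry IoCs in the Signatures section and the process tree above are enough to write host detections for this sample's three behaviours. What follows is an added example, not report content and not the sandbox's own detection code: it re-parses the report's registry lines verbatim, evaluates the Defender policy and Tamper Protection changes, recognises the WEXTRACT cleanup entry and resolves which processes ran out of its IXP000.TMP staging folder. The rule names, the record layout and the parent PIDs in the constructed process list are this example's own assumptions (the image paths and PIDs are the report's).

```python
"""Added example: detections over this report's registry IoCs and process tree.
Rule names are this example's own; the report lines are copied verbatim and the
process records are constructed from the Processes section."""
import re
from collections import Counter
from dataclasses import dataclass

# Registry IoC lines copied verbatim from the report's Signatures section.
REPORT_REGISTRY_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a1587872.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a1587872.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a1587872.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a1587872.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a1587872.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a1587872.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a1587872.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a1587872.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe',
]

# Constructed from the Processes section: images and PIDs are the report's,
# parent PIDs follow from the tree depth and the WriteProcessMemory events.
REPORT_PROCESSES = [
    {"pid": 1820, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe"},
    {"pid": 4524, "ppid": 1820, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a1587872.exe"},
    {"pid": 3320, "ppid": 1820, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9227143.exe"},
]

# Report line shapes: 'Set value (type) <path> = "<data>" <process>' and
# 'Key created <path> <process>'; data may contain escaped quotes/backslashes.
_SET = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$')
_KEY = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')

# Lower-cased key paths with the WOW6432Node redirection removed.
RTP_POLICY_KEY = r'\registry\machine\software\policies\microsoft\windows defender\real-time protection'
DEFENDER_FEATURES_KEY = r'\registry\machine\software\microsoft\windows defender\features'
RUNONCE_KEY = r'\registry\machine\software\microsoft\windows\currentversion\runonce'


@dataclass
class RegEvent:
    op: str       # "set" or "key"
    path: str     # key path; for "set" the last component is the value name
    value: str    # decoded data for "set", "" for "key"
    process: str


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def parse_registry_line(line):
    """Parse one report IoC line; None for lines of another shape."""
    m = _SET.match(line)
    if m:  # undo the report's \" and \\ escaping inside the data
        return RegEvent("set", m["path"], re.sub(r'\\(.)', r'\1', m["value"]), m["proc"])
    m = _KEY.match(line)
    return RegEvent("key", m["path"], "", m["proc"]) if m else None


def _split(path):
    """Normalise case, drop WOW6432Node so 32- and 64-bit writers hit the same
    rule, and split off the last path component."""
    key, _, name = re.sub(r'\\wow6432node', '', path.lower()).rpartition('\\')
    return key, name


def analyze(reg_lines, processes):
    findings, staging_dirs = [], []
    for ev in filter(None, map(parse_registry_line, reg_lines)):
        if ev.op != "set":
            continue
        key, name = _split(ev.path)
        if key == RTP_POLICY_KEY and name.startswith("disable") and ev.value == "1":
            findings.append(Finding("defender_rtp_disabled", ev.process, name))
        elif key == DEFENDER_FEATURES_KEY and name == "tamperprotection" and ev.value == "0":
            findings.append(Finding("defender_tamper_protection_off", ev.process, name))
        elif key == RUNONCE_KEY and name.startswith("wextract_cleanup") \
                and "delnoderundll32" in ev.value.lower():
            # WEXTRACT writes this entry to delete its extraction folder at
            # next logon; the quoted argument is that folder.
            m = re.search(r'"([^"]+)"', ev.value)
            if m:
                folder = m.group(1).lower().rstrip('\\') + '\\'
                staging_dirs.append(folder)
                findings.append(Finding("wextract_selfextractor", ev.process, folder))
    # Anything executed from the staging folder is a payload the wrapper dropped.
    by_pid = {p["pid"]: p["image"] for p in processes}
    for p in processes:
        if any(p["image"].lower().startswith(d) for d in staging_dirs):
            findings.append(Finding("dropped_exe_from_staging_dir", p["image"],
                                    f"pid {p['pid']} spawned by {by_pid.get(p['ppid'], '?')}"))
    return findings


def rule_counts(findings):
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(REPORT_REGISTRY_LINES, REPORT_PROCESSES):
        print(f"{f.rule:31} {f.process}  {f.detail}")
```

Run as a script it prints one finding per line: five Disable* policy values and the TamperProtection=0 write by a1587872.exe, the wextract cleanup entry by the target, and both IXP000.TMP executables attributed to PID 1820. The WOW6432Node stripping in `_split` is deliberate: a 64-bit writer hits the same rule, and a hunt query written against the native path would otherwise miss this sample's 32-bit writes.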
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
These two entries are the 2 TTPs the sandbox attaches to the "Adds Run key to start application" signature above. No service creation is recorded anywhere else on this page, so the Windows Service mapping is the signature's generic tagging, not observed behaviour.
Downloads

File 1
  Filesize: 180KB
  MD5: dc02f493457d8140b6ed053d863b22ac
  SHA1: 23e8d16252858e158ce9c2ad1f4cdd98af7fafdf
  SHA256: f3b4b311bb327baada40d1816a63b07e3f746c34c0ac2697c2c2ded49f749441
  SHA512: 40140ba8ef1acd512c4386e75197d700e672e7ba9947fca55ec7133c8b60e3dcdf2819e27e02034b144bc018b76d3a11f68fae369b12913936f2f994d28c09f9

File 2
  Filesize: 168KB
  MD5: b7208351dc609734ee4b3c3ccee39446
  SHA1: d465d144bd92d9ba65519093831fa959e7fcefcc
  SHA256: e58a43efebb2b72b288207f0988b24dd69e9f9895207564211f5b667c1c7770f
  SHA512: 8d808468ecbc0248d298646513085aa7062742fb422d1a4aba32aa78f8042e3331379581e80bc856f648f7d34a23abbbfac9bddf6d8ee6140ba1888079c5ad69