Overview
overview
10Static
static
30f6ce02639...df.exe
windows10-2004-x64
1017dbf09aca...d0.exe
windows7-x64
317dbf09aca...d0.exe
windows10-2004-x64
101b624e343d...55.exe
windows10-2004-x64
102faa75c50b...6d.exe
windows7-x64
32faa75c50b...6d.exe
windows10-2004-x64
104be1f370e8...6b.exe
windows7-x64
34be1f370e8...6b.exe
windows10-2004-x64
10576cad65a8...60.exe
windows10-2004-x64
106aa8d5d0d6...df.exe
windows10-2004-x64
106eeb3d69d9...69.exe
windows7-x64
36eeb3d69d9...69.exe
windows10-2004-x64
1077b8709187...06.exe
windows7-x64
377b8709187...06.exe
windows10-2004-x64
107f4e227924...bb.exe
windows7-x64
37f4e227924...bb.exe
windows10-2004-x64
108a870280a0...35.exe
windows7-x64
38a870280a0...35.exe
windows10-2004-x64
108db6f54494...1f.exe
windows10-2004-x64
10b21367ffaa...ef.exe
windows10-2004-x64
10b62068be50...da.exe
windows10-2004-x64
10be5114d10d...f3.exe
windows10-2004-x64
10d191282ff4...7a.exe
windows10-2004-x64
10de9167b772...91.exe
windows10-2004-x64
10f6dc0b4c65...d6.exe
windows10-2004-x64
10f85eca1ce9...65.exe
windows7-x64
3f85eca1ce9...65.exe
windows10-2004-x64
10f8dfa98c4e...be.exe
windows10-2004-x64
10Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 14:50
Static task
static1
Behavioral task
behavioral1
Sample
0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0.exe
Resource
win7-20240508-en
Behavioral task
behavioral3
Sample
17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
1b624e343d222ec9333b85d3af29b913b42ba3196fcb192f618e87ec4afa8855.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
576cad65a899197ae35e757e578a7c10c29e57c266d1fa4931c6f98f3d2e3a60.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6eeb3d69d9979df74b9c482de2344395f5470b94f07494b4a4dd74fb5d286069.exe
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
6eeb3d69d9979df74b9c482de2344395f5470b94f07494b4a4dd74fb5d286069.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
7f4e22792482af87ecb52079082a4c33f24544a6b37c4e5da40ac1ac7f9ca3bb.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
7f4e22792482af87ecb52079082a4c33f24544a6b37c4e5da40ac1ac7f9ca3bb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
8a870280a0dc165cadf46427c4e47c56d3fa42aa2cf823a54358bf48f5102435.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
8a870280a0dc165cadf46427c4e47c56d3fa42aa2cf823a54358bf48f5102435.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
be5114d10db820426670fbbb41db92b8671a5f55a0b396e2d54b44606067a6f3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
d191282ff466919a5feb6c8682f696332eded6dd8747d336fe16593c6ea96f7a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral26
Sample
f85eca1ce903e035e1355a0ec74636f6d825aeaf8efa5c98472b6acad6536365.exe
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
f85eca1ce903e035e1355a0ec74636f6d825aeaf8efa5c98472b6acad6536365.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral28
Sample
f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be.exe
Resource
win10v2004-20240426-en
General
-
Target
b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe
-
Size
922KB
-
MD5
d86f13a3db074ef7115f9b305cdf356d
-
SHA1
d0f7e04a160f577a0fc1f2855d4b2a75705f6a15
-
SHA256
b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da
-
SHA512
95d1cf4a6a8fc9aa0fcb81bacd78051ef8d06a27bca3e27053283006d9052e6a6329fb0cb5625c6cd9298760d379d043ae18dfbf9c55be002a23f8b7a33107b6
-
SSDEEP
24576:ayCGAwe+RYdJNjQiVFX9ZD9I21pB3C8MMdMxeoG:hCUe+R4JNUilZDH/3MkMxF
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral21/memory/3308-28-0x00000000004D0000-0x000000000050E000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k9636493.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k9636493.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k9636493.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k9636493.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k9636493.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k9636493.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral21/memory/1800-35-0x0000000001FA0000-0x000000000202C000-memory.dmp family_redline behavioral21/memory/1800-42-0x0000000001FA0000-0x000000000202C000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2516 y9692635.exe 512 y3323169.exe 3308 k9636493.exe 1800 l2428945.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k9636493.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k9636493.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y3323169.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y9692635.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3308 k9636493.exe 3308 k9636493.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3308 k9636493.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1668 wrote to memory of 2516 1668 b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe 80 PID 1668 wrote to memory of 2516 1668 b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe 80 PID 1668 wrote to memory of 2516 1668 b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe 80 PID 2516 wrote to memory of 512 2516 y9692635.exe 81 PID 2516 wrote to memory of 512 2516 y9692635.exe 81 PID 2516 wrote to memory of 512 2516 y9692635.exe 81 PID 512 wrote to memory of 3308 512 y3323169.exe 82 PID 512 wrote to memory of 3308 512 y3323169.exe 82 PID 512 wrote to memory of 3308 512 y3323169.exe 82 PID 512 wrote to memory of 1800 512 y3323169.exe 84 PID 512 wrote to memory of 1800 512 y3323169.exe 84 PID 512 wrote to memory of 1800 512 y3323169.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe"C:\Users\Admin\AppData\Local\Temp\b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9692635.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3323169.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9636493.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2428945.exe4⤵
- Executes dropped EXE
PID:1800
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
767KB
MD51281cd1a4b74c86c1c542e2ba8a056c0
SHA19f8c5844c9dd0d4351eae1d558fbb16616b9f65b
SHA2567a27e308a04b0e6f412b5846d1b183a6f7edfefb553e7e406991f2d3a73da460
SHA512b205061159f7b7b1b89f0b15677b03a0eb8e95bb359ed89a52ab1187f537c90bff2d7bfd4c591eccb811928b00ce2e1c60303308cf605d3cc1df448158d3e24a
-
Filesize
583KB
MD5b1595834e5c33b6fd26cca820121d750
SHA16c8fe5e94b414f7c9504a7ebd9e7e8ebaf555caa
SHA2568452b1d7e654498a2b5d6fa12d32246c2f593c6a1ceb56f080c1657122e13f42
SHA5124cbab776321bc8366f3476312d1762f53475c7afeda8e84e80af0ca70a8e655896bec85bf26f44272aaec9b2f82c680904986c266e567ba182de2b70643e1218
-
Filesize
295KB
MD529bc6053fb6e105a20025dfea11d0395
SHA189dfc239626bf5c21418e484ac5ddad9822c78cf
SHA2561893857d3db2b3406063281bc8bfa14df8ab57b4211721f7e75d2224088716f9
SHA5127d50bc98cfa13c41b51cd47e21c9ed2d1da58f2960212f694b03c645be8351c4409657f2b8ab6f85a97f814e9ff1bb6555abdc80342c26b8ea1b9e18378304e2
-
Filesize
492KB
MD567775affc2dfa05c6ed2f9130a99a130
SHA1456681dbe191a1e743aa3bebbc4020896a18574a
SHA256d3d80e1e81d98f242f792fadd7be21beae90d3c9e6c5ca3ed86cbf3cd5fd7cc2
SHA512b94d2038935a53d572bb7bdac21bb357e4f4642ec0ea4ebbda6a3cb6fc2abb44ff67e02de2dda22420b4ab9ccc37cd041dad54fdd2ff44c67cc431c77ae279de