Overview
overview
10Static
static
306ca8c24aa...f2.exe
windows10-2004-x64
100a65c97791...d1.exe
windows10-2004-x64
10131675744e...29.exe
windows10-2004-x64
10204413b9cd...ef.exe
windows10-2004-x64
10236732ce45...d5.exe
windows7-x64
3236732ce45...d5.exe
windows10-2004-x64
1023bc83a4a6...94.exe
windows10-2004-x64
103c35dfb6ea...cb.exe
windows10-2004-x64
1042aaf3452f...91.exe
windows10-2004-x64
1042d39578cc...dd.exe
windows10-2004-x64
104f4e29cb12...50.exe
windows10-2004-x64
10566c1670c8...b3.exe
windows7-x64
3566c1670c8...b3.exe
windows10-2004-x64
105b49e20d68...4b.exe
windows10-2004-x64
106a07da5bb1...d3.exe
windows10-2004-x64
106fca9c5ffc...25.exe
windows10-2004-x64
109a7761a218...43.exe
windows7-x64
39a7761a218...43.exe
windows10-2004-x64
109c63b1ba60...a6.exe
windows10-2004-x64
10c4172a7d8d...fa.exe
windows7-x64
3c4172a7d8d...fa.exe
windows10-2004-x64
10c69d581e2c...e2.exe
windows10-2004-x64
10d6c7041aa6...93.exe
windows7-x64
3d6c7041aa6...93.exe
windows10-2004-x64
10d9d3f90c8c...39.exe
windows7-x64
3d9d3f90c8c...39.exe
windows10-2004-x64
10Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 15:11
Static task
static1
Behavioral task
behavioral1
Sample
06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
204413b9cda0920c938a88543e17b0124930d45599fcfef01c7c4af30f9266ef.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
42d39578cc12683f8a0abd7ba86e5c4ac7851f250280f34750b593a37c4d87dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4f4e29cb128488d30d32248cb2cc720bcd2a3a531f5757ba469b1e3291917c50.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
5b49e20d688471002a1cc866e323e32a0e0a2f1e92fd2f057979cd27a850f44b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
6a07da5bb14797863c49fc62e415bb280c201c446e8d5746c3ae106bf92ceed3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
6fca9c5ffc57888f92c438ff3dd7d9247b7f7e696e9a6b1b63c3aa2a801b0625.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
9c63b1ba6018935ad5e5fbb92f79d2bbd6eeb9ee0520ed5cbe7b9e1213eb33a6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439.exe
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439.exe
Resource
win10v2004-20240426-en
General
-
Target
23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe
-
Size
307KB
-
MD5
ca2ad17b64a10b961c2b14a7e47a8030
-
SHA1
a339ebb686b832fc87af3c287f67d8ef52e140e8
-
SHA256
23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94
-
SHA512
ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04
-
SSDEEP
6144:Kqy+bnr+2p0yN90QEw5F5OYc1u31g4TByUo0b4jut7dJdVRbpDXtOBC:uMrCy90qxc1u31TTEt0cKt/tOA
Malware Config
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral7/memory/3240-8-0x0000000002480000-0x000000000249A000-memory.dmp healer behavioral7/memory/3240-11-0x0000000004980000-0x0000000004998000-memory.dmp healer behavioral7/memory/3240-21-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-39-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-37-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-35-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-33-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-31-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-29-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-27-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-25-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-23-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-19-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-17-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-15-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-12-0x0000000004980000-0x0000000004992000-memory.dmp healer behavioral7/memory/3240-13-0x0000000004980000-0x0000000004992000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k3719439.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k3719439.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k3719439.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k3719439.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k3719439.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k3719439.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral7/files/0x00070000000235f6-44.dat family_redline behavioral7/memory/4984-47-0x00000000008D0000-0x0000000000900000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 3240 k3719439.exe 4984 l6925739.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features k3719439.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k3719439.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3240 k3719439.exe 3240 k3719439.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3240 k3719439.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 232 wrote to memory of 3240 232 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe 92 PID 232 wrote to memory of 3240 232 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe 92 PID 232 wrote to memory of 3240 232 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe 92 PID 232 wrote to memory of 4984 232 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe 99 PID 232 wrote to memory of 4984 232 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe 99 PID 232 wrote to memory of 4984 232 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe"C:\Users\Admin\AppData\Local\Temp\23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3719439.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3719439.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6925739.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6925739.exe2⤵
- Executes dropped EXE
PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:81⤵PID:392
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD50e2a8712db80505e38c2816483598edf
SHA18ff6735fc1c080fb73825928f2bf9aa409b3758c
SHA256a88a17437aa434a4c8df1657b4ac4c72d5d65247c160b7d2351101a2955ecd0c
SHA5121076c1d65c2bd3be562d57ebe5a00af294242456a80a4149e3ae5ed1816a35abdab48cca90617ccb9839a14020391ed425cedba42f63c75b8488f45485108d91
-
Filesize
168KB
MD59eb1e1ed0fb5f198b60699f1d6f2c4d8
SHA10a93100586a585ffaceecff9c67cf28e703b67d2
SHA2560fce1f4c2a87e2bdccfe4c3112f837d1fdeb91edb113f055787e29000a4a348b
SHA512fe9679472176c5d0648355a230eb9b77a19d565b17cb957a14d96d60df338f039ddbbdc97c611776239e8b5b3e842c85e8ac6b50882feb59917a1bb12496140d