Overview
overview
10Static
static
300dc3a43dd...78.exe
windows10-2004-x64
10061669c83b...c0.exe
windows10-2004-x64
100cc30df7f6...35.exe
windows10-2004-x64
101b26ae68f4...45.exe
windows10-2004-x64
103b9256f691...90.exe
windows7-x64
33b9256f691...90.exe
windows10-2004-x64
103ddd80ba69...8c.exe
windows7-x64
33ddd80ba69...8c.exe
windows10-2004-x64
103ff55c48fd...c7.exe
windows10-2004-x64
1050be51fdd5...4b.exe
windows10-2004-x64
10565e580e21...f4.exe
windows7-x64
1565e580e21...f4.exe
windows10-2004-x64
15f157bb7f5...80.exe
windows10-2004-x64
106c066f3c43...19.exe
windows10-2004-x64
108355a17b5f...ac.exe
windows10-2004-x64
109a3f5d3f84...b2.exe
windows10-2004-x64
10ae66f2f071...07.exe
windows10-2004-x64
10b0fef95ff5...7c.exe
windows10-2004-x64
10b11b1b57a3...06.exe
windows10-2004-x64
10cd9de412cd...04.exe
windows7-x64
10cd9de412cd...04.exe
windows10-2004-x64
10db84115968...f3.exe
windows10-2004-x64
10dce60a71ca...cc.exe
windows10-2004-x64
f5bf417643...17.exe
windows7-x64
3f5bf417643...17.exe
windows10-2004-x64
10Analysis
-
max time kernel
138s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
061669c83be149e85a977dfd41981b6115bf335e8f5bf4a2c696247dbf3999c0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3ff55c48fddf370349ae0853c3e33d313791cbfb7239e43b70ad977035a132c7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win7-20231129-en
General
-
Target
6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
-
Size
1.5MB
-
MD5
b6bd0fe9e2f14162d22a601e59a1740b
-
SHA1
5a60ae626817e3638caca0fc80ad9a8200357e52
-
SHA256
6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119
-
SHA512
af2f072c83766dc801720af1f3a94dca12035b46b3a038a4df7afecfb85021020f25b2f4827bcba7d6109176631730e0527772b37946564a40d6dc9ea92ae8d0
-
SSDEEP
24576:GygAJsoOr2n6P8VRrbjJJ+XODPh25hMojCFMQsEtJoFs/dboavD3ZCzY2:VgABQ+6kpcoh2MntHdbJvD3ZCz
Malware Config
Extracted
redline
masha
77.91.68.48:19071
-
auth_value
55b9b39a0dae383196a4b8d79e5bb805
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral14/memory/4668-28-0x0000000000510000-0x000000000051A000-memory.dmp healer behavioral14/files/0x000700000002324f-35.dat healer behavioral14/memory/4428-37-0x0000000000CE0000-0x0000000000CEA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b6245387.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b6245387.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b6245387.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b6245387.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b6245387.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a8123398.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b6245387.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral14/memory/556-42-0x0000000000450000-0x0000000000480000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 2028 v3594017.exe 1780 v6910325.exe 3904 v7180197.exe 4668 a8123398.exe 4428 b6245387.exe 556 c2489469.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a8123398.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b6245387.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3594017.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6910325.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v7180197.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4668 a8123398.exe 4668 a8123398.exe 4428 b6245387.exe 4428 b6245387.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4668 a8123398.exe Token: SeDebugPrivilege 4428 b6245387.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2028 2024 6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe 92 PID 2024 wrote to memory of 2028 2024 6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe 92 PID 2024 wrote to memory of 2028 2024 6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe 92 PID 2028 wrote to memory of 1780 2028 v3594017.exe 93 PID 2028 wrote to memory of 1780 2028 v3594017.exe 93 PID 2028 wrote to memory of 1780 2028 v3594017.exe 93 PID 1780 wrote to memory of 3904 1780 v6910325.exe 94 PID 1780 wrote to memory of 3904 1780 v6910325.exe 94 PID 1780 wrote to memory of 3904 1780 v6910325.exe 94 PID 3904 wrote to memory of 4668 3904 v7180197.exe 95 PID 3904 wrote to memory of 4668 3904 v7180197.exe 95 PID 3904 wrote to memory of 4668 3904 v7180197.exe 95 PID 3904 wrote to memory of 4428 3904 v7180197.exe 101 PID 3904 wrote to memory of 4428 3904 v7180197.exe 101 PID 1780 wrote to memory of 556 1780 v6910325.exe 103 PID 1780 wrote to memory of 556 1780 v6910325.exe 103 PID 1780 wrote to memory of 556 1780 v6910325.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe"C:\Users\Admin\AppData\Local\Temp\6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3594017.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6910325.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7180197.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8123398.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6245387.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2489469.exe4⤵
- Executes dropped EXE
PID:556
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:4736
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.4MB
MD56dcf605b283d99f56267f2b456b144b0
SHA107c2968c300b767ea952dfa70766de0f5e0a01e4
SHA256338a566494a7bec1e3b1a3402a6411cdce4f6b9a43f91cf635b6e623e841b0b2
SHA51219db68dbdb0a91825cecd2cc95dff3c4b6ea4e7bda9bd5133a8659889278e2050e52a19c7b2e3c92f3141ed5c0f01218b274b84b34750fb8f184dd1018d7f6ff
-
Filesize
1.2MB
MD54b8bec8c7d90c10a6c3a4206cd0daacd
SHA13ee5c267c9f1941a77df3fe9f7496ee317c9b946
SHA2565bbd2b8698ae1d319de29643dedf3409bb9dd36465d0819a5ee0f8d2bc699dc3
SHA51221541e4b32b87567499a5630950c46d3cdb93daa1cd56bfff2fb510b3df2d1483973a183a4a7cdbd5f966f5af043999eb70b5fc41d47e6af2e743884062ffe74
-
Filesize
692KB
MD5e6cd29bf585e04ccee606ec312366e6e
SHA16ce37e0bce59a8902615918436a0e9f8771aedab
SHA2560c52bae0af3af62e8abfeb1f39bef2518d59a00d62e3b0f8a3617f1b934192bf
SHA51202258ada9982d2553c99abd3d8ecf5322aadfaceaa09373bd77029a43f743a55992206cc9d16394a112ef989a24bd96ba50cbaa0ec9557f207f8d42207c60100
-
Filesize
620KB
MD5b16e4a16f725f2433e720ce4e53b11c3
SHA1d0ce61897edd0987c07973f8528843657059e1c7
SHA2565cd250f298fde835d29a5626f9f04885e6ab5d2038524b54c17418a7803aa4ed
SHA512805c1a61ca8023438f695bf72c69cf6e7eca12f0378ad7cf429607481da678c53eaea9bf0849505e493e83fbcab61abc240320f9d10d0633eb9c046a63e0fc03
-
Filesize
530KB
MD5168857576903636965cac80e95ea7283
SHA196d8cac6e77c26e6eb0f998486ab5fa944dcefd6
SHA256929f8a773b6bd8b411cc67be1d2d091486dc07b342b953778f3bb11296e04013
SHA51261af83f8484c30e950c940eba5cb112f3981ad408c8133d50a321e1239b16ebb0e031b8d683437386baf925734a103a76b904cdf1a8bff0090a144199df07ab4
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91