Overview
overview
10Static
static
31668096fbf...95.exe
windows10-2004-x64
102159151861...2d.exe
windows10-2004-x64
1022c5bd0a3e...19.exe
windows10-2004-x64
102a0ae333a9...1a.exe
windows7-x64
32a0ae333a9...1a.exe
windows10-2004-x64
104f86d48b3d...df.exe
windows10-2004-x64
1053ecffef24...36.exe
windows10-2004-x64
1075ccbf328f...af.exe
windows10-2004-x64
1077ba6e9303...c2.exe
windows10-2004-x64
10798aee8abb...5b.exe
windows10-2004-x64
1079eaddd1dc...70.exe
windows10-2004-x64
1080ada740eb...52.exe
windows10-2004-x64
109e3cf610e6...f0.exe
windows7-x64
109e3cf610e6...f0.exe
windows10-2004-x64
10a5bd0160df...49.exe
windows10-2004-x64
10aee53fccee...da.exe
windows10-2004-x64
10af9c5ff480...30.exe
windows7-x64
3af9c5ff480...30.exe
windows10-2004-x64
10bfe644d3bd...29.exe
windows10-2004-x64
10ca9f078739...a4.exe
windows10-2004-x64
10dda511575f...2f.exe
windows10-2004-x64
10ff541e0752...bb.exe
windows10-2004-x64
10Analysis
-
max time kernel
137s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
13-05-2024 08:13
Static task
static1
Behavioral task
behavioral1
Sample
1668096fbfea278168a053bdb5fffa557e8bf8afd9b1ea6f4de43adb16c9cd95.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
2159151861e461f2ae831fef44ef4a519defe4741536ef19cc47163f7504ce2d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
79eaddd1dc15f0cdf5e503c8eff40a9cabfc9aca470a302c9e868d65a3670c70.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
aee53fccee33b73dab9491356e6eb50d71b3b380ca589b649b6ec63ff792c3da.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
af9c5ff480fec8f9f7f8c274ed08c18a4e5a894eec2eb3577031e60657b87b30.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
af9c5ff480fec8f9f7f8c274ed08c18a4e5a894eec2eb3577031e60657b87b30.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
dda511575fe2d4e8cc7e7dfbf500a529cbd2a5acc24299b8217d603401322c2f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe
Resource
win10v2004-20240508-en
General
-
Target
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
-
Size
1.0MB
-
MD5
774a173c2d0a5266b73ba5527e606bbe
-
SHA1
13173b00db1bff7e45c00be7327ae24bbb6e2ca6
-
SHA256
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452
-
SHA512
076a9ad2a5d639f932936bc5d614fe0b2bdbfe162134eecbd706ef3ff979930e3efa7a2561935b445ee3f5e6e837c3e1fea8cd4b280d2f73f412106df05f8639
-
SSDEEP
12288:dMrly90aVXB6zrLW/kRNgMwsBpdTgep1Ez7O92GtV4zCpGr1DUzAWXZnQ2P++3qG:kylXB6XOALgepYO4GcFrQXZnBP+uqSh
Malware Config
Extracted
redline
masha
77.91.68.48:19071
-
auth_value
55b9b39a0dae383196a4b8d79e5bb805
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
Processes:
resource yara_rule behavioral12/memory/4612-34-0x0000000000590000-0x00000000005CE000-memory.dmp healer C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe healer behavioral12/memory/2376-41-0x00000000009D0000-0x00000000009DA000-memory.dmp healer -
Processes:
a3946096.exeb9970516.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b9970516.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b9970516.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b9970516.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b9970516.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b9970516.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b9970516.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral12/memory/868-47-0x00000000005F0000-0x000000000067C000-memory.dmp family_redline behavioral12/memory/868-53-0x00000000005F0000-0x000000000067C000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
Processes:
v8090310.exev9647761.exev8497582.exea3946096.exeb9970516.exec0603818.exepid process 4624 v8090310.exe 3320 v9647761.exe 1740 v8497582.exe 4612 a3946096.exe 2376 b9970516.exe 868 c0603818.exe -
Processes:
a3946096.exeb9970516.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a3946096.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b9970516.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exev8090310.exev9647761.exev8497582.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v8090310.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v9647761.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v8497582.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
a3946096.exeb9970516.exepid process 4612 a3946096.exe 4612 a3946096.exe 2376 b9970516.exe 2376 b9970516.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
a3946096.exeb9970516.exedescription pid process Token: SeDebugPrivilege 4612 a3946096.exe Token: SeDebugPrivilege 2376 b9970516.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exev8090310.exev9647761.exev8497582.exedescription pid process target process PID 4256 wrote to memory of 4624 4256 80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe v8090310.exe PID 4256 wrote to memory of 4624 4256 80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe v8090310.exe PID 4256 wrote to memory of 4624 4256 80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe v8090310.exe PID 4624 wrote to memory of 3320 4624 v8090310.exe v9647761.exe PID 4624 wrote to memory of 3320 4624 v8090310.exe v9647761.exe PID 4624 wrote to memory of 3320 4624 v8090310.exe v9647761.exe PID 3320 wrote to memory of 1740 3320 v9647761.exe v8497582.exe PID 3320 wrote to memory of 1740 3320 v9647761.exe v8497582.exe PID 3320 wrote to memory of 1740 3320 v9647761.exe v8497582.exe PID 1740 wrote to memory of 4612 1740 v8497582.exe a3946096.exe PID 1740 wrote to memory of 4612 1740 v8497582.exe a3946096.exe PID 1740 wrote to memory of 4612 1740 v8497582.exe a3946096.exe PID 1740 wrote to memory of 2376 1740 v8497582.exe b9970516.exe PID 1740 wrote to memory of 2376 1740 v8497582.exe b9970516.exe PID 3320 wrote to memory of 868 3320 v9647761.exe c0603818.exe PID 3320 wrote to memory of 868 3320 v9647761.exe c0603818.exe PID 3320 wrote to memory of 868 3320 v9647761.exe c0603818.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe"C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe4⤵
- Executes dropped EXE
PID:868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
905KB
MD538c200369a04519fac5b3dcf4ebff331
SHA1ff91709a4270db05e8dc066f98b4183a934b3dfd
SHA2569a0a6c0da259644cdffc971f307aa355c30e2f3b3b5432a1cc160833657d7cb9
SHA512d4fa2fb01a1971560c29a4a8d3e31924477f17f43befd56cd872b011200937dcf55adf9da65a214fa2f358f5b398ef205303052b7474dde41a06ae48a0199eb7
-
Filesize
722KB
MD5e6bbcdaa2e24195d332b8d33f5c3c735
SHA118e3f00e89839e508ce56af566b8342c0694ca98
SHA2569b0ce5a11bf7d6a365ddf391615dd64ff0bbb20d7233b2e47daf2969ad665c9d
SHA512f2816aa283529403bf734ae4a54b95ac65bcdab49d63f8f7ba8c32f0cdc7f0e8f2db78c7ce991956cc3f4dfd03d3a2e53da5b71437f6465b8e4a5e206892a683
-
Filesize
490KB
MD55970af2c3b0603e1dd319e8842c90b23
SHA161ec8e4179e9e6a897dca4f2000f59f164095a8a
SHA2568bfdcc0c67963381921087eb22dda3b54c37eaf799fdc0dbfc25ea0fd6b987c5
SHA51220279989de39b520f929579aeebf9c2bc1ae90189922611b7fbfc7a682c0b788883350978ef8b616b6a7fac30196ffce35c6910318701e3edba20fb9b91190d7
-
Filesize
324KB
MD5c311fe993ae5852b8d3884a385443b91
SHA1cf3c1b692e6fb7953c200ab5aa9952dc8e898070
SHA25606f50cc8c2530511d29e83c704132b3981d1bd93c70e5c01a79107894ba06ed0
SHA512d62ba67a09721def6306f70e27dcedc236ee7fbcf4fecae2e461adcdc93a96e089129a278cde956edf29d9de2b00975144263fabe56e0a50e0ec91adf21c48c4
-
Filesize
292KB
MD5849938a7566cc3392c8de12b3f58e43f
SHA145f699e0713aa0b80ed12d1ce1e1d46e77b03e98
SHA25636d27a57c260e9e2cda09be256605aa4e0e95ede7c7764951e1d575f6192c706
SHA51286192b5aa19d7b5c0902200f3b849d22749b07dc2ca174a5a5a4a37c0aeafd6088e51a0e7a8335dda498099e74345be08b8c7f63bd1e36c9e07d09867e907e48
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91