Overview
overview
10Static
static
306f1b755da...d3.exe
windows10-2004-x64
1014b33a31c1...19.exe
windows10-2004-x64
1016f3c19a7f...1a.exe
windows10-2004-x64
10192ce44be6...d3.exe
windows10-2004-x64
10208bd49be4...cf.exe
windows10-2004-x64
102ae8e0e720...19.exe
windows10-2004-x64
102b74e820a6...32.exe
windows10-2004-x64
10396631ba37...a0.exe
windows10-2004-x64
10777259b2de...25.exe
windows10-2004-x64
107f06170b1d...e6.exe
windows10-2004-x64
1080f9db3963...66.exe
windows10-2004-x64
108d2837f05f...42.exe
windows10-2004-x64
109a7ee6b801...e4.exe
windows10-2004-x64
109c8e4ed081...a3.exe
windows10-2004-x64
10a68c5e94f5...52.exe
windows10-2004-x64
10aaed2c62a2...28.exe
windows10-2004-x64
10e097574588...fe.exe
windows10-2004-x64
10e256d9f4b9...eb.exe
windows10-2004-x64
10f02caa1867...71.exe
windows10-2004-x64
10f7447a8c0b...af.exe
windows10-2004-x64
10Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 10:02
Static task
static1
Behavioral task
behavioral1
Sample
06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral10
Sample
7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe
Resource
win10v2004-20240426-en
General
-
Target
06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe
-
Size
661KB
-
MD5
cdca3895f27cdc05ca4e3805722b13a8
-
SHA1
908e4fd065b858e327ed442c9db06f432c5b7522
-
SHA256
06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3
-
SHA512
b36b19510dae31d34dd68c965c94da203ca1b03234aa01b9975b05f9f987552039ee7d52e867861e5bd9267e0b85442bef26fb8e6a4981e6c903f3ad936a3bbd
-
SSDEEP
12288:eMrCy90WnmXRO3Rrm7fhF/4ZwsSdqSZEiAjyjElCydS4U:Qyfb3ELf4ZStGiAjt7U
Malware Config
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral1/memory/4540-21-0x0000000000400000-0x000000000040A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/3404-25-0x00000000000B0000-0x00000000000E0000-memory.dmp family_redline behavioral1/files/0x0007000000023439-24.dat family_redline -
Executes dropped EXE 4 IoCs
pid Process 1236 x5175657.exe 4880 x3685577.exe 4304 g4661559.exe 3404 i5252901.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5175657.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x3685577.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4304 set thread context of 4540 4304 g4661559.exe 88 -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4136 sc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3008 4304 WerFault.exe 86 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4540 AppLaunch.exe 4540 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4540 AppLaunch.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2540 wrote to memory of 1236 2540 06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe 83 PID 2540 wrote to memory of 1236 2540 06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe 83 PID 2540 wrote to memory of 1236 2540 06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe 83 PID 1236 wrote to memory of 4880 1236 x5175657.exe 84 PID 1236 wrote to memory of 4880 1236 x5175657.exe 84 PID 1236 wrote to memory of 4880 1236 x5175657.exe 84 PID 4880 wrote to memory of 4304 4880 x3685577.exe 86 PID 4880 wrote to memory of 4304 4880 x3685577.exe 86 PID 4880 wrote to memory of 4304 4880 x3685577.exe 86 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4304 wrote to memory of 4540 4304 g4661559.exe 88 PID 4880 wrote to memory of 3404 4880 x3685577.exe 94 PID 4880 wrote to memory of 3404 4880 x3685577.exe 94 PID 4880 wrote to memory of 3404 4880 x3685577.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe"C:\Users\Admin\AppData\Local\Temp\06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5175657.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5175657.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3685577.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3685577.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4661559.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4661559.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 5805⤵
- Program crash
PID:3008
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5252901.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5252901.exe4⤵
- Executes dropped EXE
PID:3404
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4304 -ip 43041⤵PID:4640
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4136
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
439KB
MD582c2dcd3e890b891daf81c3600d6da0e
SHA1671d44987089d06443e56b08c54a6c8ca752c3a7
SHA256aba797f86aa10cbe1ea057a0cf68b568968f71b740e5d14bb022807182e8c856
SHA512c40fc5b7dff5ec28f23589e866c2542ad71d5e8e4ac050fbb0c2237b253f6771260cdf2d0d1d9933237dc1cceb0a0349ce36bedf0d7be7e1eed9546bbdf582f5
-
Filesize
274KB
MD5d9a5924fb00359f603b947d166ea8fce
SHA1468c20527a1412fac4730ddbbf248c6f08a6c6c6
SHA2569b52d62baec33690e34eea446c7f7165e72e1ea506e41ff769e343c954b13903
SHA512a395a2cea38a5def99726009dac37ba982bca9f9a5c4c1c7b4143f3cb04f3dd4c2807cb670da42930b8bfd3d76088de1ee009bee73584ecb994827537a8ebe74
-
Filesize
135KB
MD5bcf2bb2e46cd8488a0a38269889f2cd2
SHA15c3c8ae0c0712ffef23712b0946911fbc60078ac
SHA256a097cc474cd30f8aac5902e038ceda538afeec7316c9e1ea90b026922883e076
SHA512d4a92bb730dac146ba9008aaa6d1f96bc820abe78b3b802f6d011015596f8efc8c8aa8400b5413636c1ef3b98ba7fd9f5638ea4ce59357f48ff024262f2cdc47
-
Filesize
176KB
MD53b263541ddf6b8748982234900908d2c
SHA11635c81931db27220acd3daf3c495e85ae2e8557
SHA256285e4ba4ca45f302191b3a69b35bc740db4243acfcfac022b58e9f8b03a094d6
SHA512d7a82beb2ff1607bd3efa69faae45a35a01179b3eb26b9e31ad1cc99e679be284e0a97e127a71f4fe90c764c0fdd3c70bb5c37d221df738f27713ad3846a46ce