Overview
overview
10Static
static
301567b40cb...54.exe
windows10-2004-x64
101e3157fc3d...98.exe
windows10-2004-x64
101f3e03ca7b...0b.exe
windows10-2004-x64
102754139a84...f3.exe
windows10-2004-x64
1027bb9fb2c4...23.exe
windows10-2004-x64
103303790f7c...90.exe
windows10-2004-x64
103a221e425a...c4.exe
windows10-2004-x64
103d524b1122...ac.exe
windows10-2004-x64
105d2993b3c1...f9.exe
windows10-2004-x64
106fd17debf9...60.exe
windows10-2004-x64
1075392ef3c6...af.exe
windows10-2004-x64
1079920d9e9c...88.exe
windows10-2004-x64
10a7a12f0dc9...84.exe
windows10-2004-x64
10b0d808b1dd...eb.exe
windows10-2004-x64
10b12350798c...bd.exe
windows10-2004-x64
10e267ce7005...a3.exe
windows10-2004-x64
10ec317a24ef...a3.exe
windows10-2004-x64
10f0dcb286ed...32.exe
windows10-2004-x64
10fb618de176...19.exe
windows10-2004-x64
10fe8bcd4eb9...20.exe
windows10-2004-x64
10Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:01
Static task
static1
Behavioral task
behavioral1
Sample
01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
27bb9fb2c486b6d1b245b9d1a80523ce3a661b3d9eb71a8772747a0cc4a12223.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3a221e425a7f8509a077d01514feaf49038631122b838d94a6d08c5d6d8812c4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
75392ef3c6b89b32827d4060efcb3c6f7495a869fddbe8fa01cc45a2e79a06af.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
79920d9e9cb9d0d34dea9a437201a5436392c8af727314332ebf8e3e0f45a588.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b0d808b1dd08c984f7606f4b339e130b91813e728fdf49bb361e421666de7feb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b12350798c654ae949a005844c65ef16d136ad08598227c8041fe8bb48e6dcbd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
fb618de176f20e02e8f9667fd9ce9737e7d541243fbb879127b2f1728ea15019.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe
Resource
win10v2004-20240226-en
General
-
Target
2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe
-
Size
488KB
-
MD5
b4456f54d46a916c787fee11c2735e5e
-
SHA1
3386c3cc568dd8a18630c83d0290a291ba4d4768
-
SHA256
2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3
-
SHA512
d89d7cc89c1cdc5c3c57cc88ed1703debdd71c8dbfe54f88969e7c9d779e4b63b69dbf920da74d6ea25026a26eacd5366898a14a9a68f0b82aaf68cd89450d89
-
SSDEEP
12288:6MrMy90Ra4LuBX9x408STlV23wI0wosCZa:Sy1hX9eSL2AI0hsCZa
Malware Config
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral4/memory/2140-14-0x0000000000400000-0x000000000040A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral4/files/0x0007000000023276-17.dat family_redline behavioral4/memory/3956-19-0x00000000002D0000-0x0000000000300000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 3804 x6894777.exe 3516 g7366959.exe 3956 i8891989.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x6894777.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3516 set thread context of 2140 3516 g7366959.exe 94 -
Program crash 1 IoCs
pid pid_target Process procid_target 3256 3516 WerFault.exe 92 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2140 AppLaunch.exe 2140 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2140 AppLaunch.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1648 wrote to memory of 3804 1648 2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe 91 PID 1648 wrote to memory of 3804 1648 2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe 91 PID 1648 wrote to memory of 3804 1648 2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe 91 PID 3804 wrote to memory of 3516 3804 x6894777.exe 92 PID 3804 wrote to memory of 3516 3804 x6894777.exe 92 PID 3804 wrote to memory of 3516 3804 x6894777.exe 92 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3516 wrote to memory of 2140 3516 g7366959.exe 94 PID 3804 wrote to memory of 3956 3804 x6894777.exe 98 PID 3804 wrote to memory of 3956 3804 x6894777.exe 98 PID 3804 wrote to memory of 3956 3804 x6894777.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe"C:\Users\Admin\AppData\Local\Temp\2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6894777.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7366959.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1484⤵
- Program crash
PID:3256
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i8891989.exe3⤵
- Executes dropped EXE
PID:3956
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3516 -ip 35161⤵PID:228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:680
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request152.107.17.2.in-addr.arpaIN PTRResponse152.107.17.2.in-addr.arpaIN PTRa2-17-107-152deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request138.107.17.2.in-addr.arpaIN PTRResponse138.107.17.2.in-addr.arpaIN PTRa2-17-107-138deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.173.189.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
46 B 40 B 1 1
-
260 B 5
-
46 B 40 B 1 1
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
152.107.17.2.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
138.107.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.173.189.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
322KB
MD5357c9d1b11bb54f0ceee235e799a57f0
SHA1768fdee562dcfc3d75b5776a20fae7ef21de5365
SHA256b586c245950108152ecaa3de4d096bce7c135b1728e239f41d77addae714d719
SHA512c276bc9647542e9e1547306e93130f6e2c01e0e16f28589b48fe9cb6d03e4da6fe0a32eb7b3d026e9b9e757139297fdfaad5e8f302d07993e8eeff2dbb127188
-
Filesize
228KB
MD59bfd0a60c784aa4c49a35bfe5d05e239
SHA19fab6ca87c5fe550fca76942b029f858dc694fb7
SHA256e8b0c37aa06e643d671d14772d1e0171e483a50effebb40e4bb4a4ffdcd91ab8
SHA51206e7bdb928632f5448b2df78188aa7cf4a9a1d1843d7930f0a2226becf56c1f8925f7294d297e9e9aa914aed96325adb504d23a4e8f885fbcac4040d1a2c46c6
-
Filesize
175KB
MD55dc41ff83ff2780d1205fb71ac826c24
SHA12285a27913b0fa18f5d3642a73de9e8a6a54eb52
SHA256b7c282b7d35a72e352057fb6972e1f085c12528660cbdb4938a4df85723793fc
SHA51269dc5891313039573e938baf311a7ae25bdd15671f1ac9f7e2ddd04145e06fb886206b072f611782d6ab13175414653c1306cab2f7fce03a12c88a9255e7f794