Overview
overview
10Static
static
30a7a53ccfc...4d.exe
windows10-2004-x64
1015fd14ba21...b7.exe
windows10-2004-x64
101ded3ef8a6...eb.exe
windows10-2004-x64
10211c4e6a11...13.exe
windows10-2004-x64
102143b79ffb...90.exe
windows10-2004-x64
10262bcbb295...79.exe
windows10-2004-x64
102db3eb661b...10.exe
windows10-2004-x64
1038f672e7cb...04.exe
windows10-2004-x64
103a8f22ea92...1f.exe
windows10-2004-x64
104ad2507250...50.exe
windows10-2004-x64
104d264f872f...4d.exe
windows10-2004-x64
105dcad04e9c...98.exe
windows10-2004-x64
10838e53197e...9e.exe
windows10-2004-x64
109fb3613b82...eb.exe
windows10-2004-x64
10ada5308889...6d.exe
windows10-2004-x64
10b7edb218fe...67.exe
windows10-2004-x64
10c7a8b128f1...e0.exe
windows7-x64
10c7a8b128f1...e0.exe
windows10-2004-x64
10d0c2f16d85...04.exe
windows10-2004-x64
10d686e13696...c7.exe
windows10-2004-x64
10f2cce909ec...10.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1ded3ef8a66199255bccbc48246fb511b05dd362acee6fc379d36afee68aa1eb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
211c4e6a11f15bd767da6f104c223571e677d598cba947fc6ecc736fb041af13.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2db3eb661bd1960f4f027053512a24f0c61f26c7314d49ff0114cec48de8d110.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
38f672e7cba986b4d9af3c51220a9df7a2a858c8744e2594475ff11d2cd80504.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
d686e13696bd68f852ead6d9f363bc3da451cda82485f639727be0ee38b8dac7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe
Resource
win10v2004-20240508-en
General
-
Target
b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe
-
Size
769KB
-
MD5
c8963418e0ba703c180db37e66a4babc
-
SHA1
1f0a035883f81dd6dd193e1a631c2ec7531b9c94
-
SHA256
b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867
-
SHA512
ac977b73200c79e3e7b1e8778d357b3f191bb0fd38e914a1f196b8ac9efb16abb6a21d1dd3abfa801f36002afcb7e29e8e158352436bbdae56810389347b7788
-
SSDEEP
24576:NyX5m44V68ZM4J/xordNEv6fn4f6EXvC4Iy:oXSnJ/yBNAmnGL/C
Malware Config
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral16/memory/4964-21-0x0000000000400000-0x000000000040A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral16/files/0x00070000000234a1-24.dat family_redline behavioral16/memory/3968-25-0x0000000000A60000-0x0000000000A90000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1732 x6876133.exe 3368 x4490853.exe 1184 g6168470.exe 3968 i4435932.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x6876133.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x4490853.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1184 set thread context of 4964 1184 g6168470.exe 89 -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1004 sc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4964 AppLaunch.exe 4964 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4964 AppLaunch.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3272 wrote to memory of 1732 3272 b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe 83 PID 3272 wrote to memory of 1732 3272 b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe 83 PID 3272 wrote to memory of 1732 3272 b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe 83 PID 1732 wrote to memory of 3368 1732 x6876133.exe 84 PID 1732 wrote to memory of 3368 1732 x6876133.exe 84 PID 1732 wrote to memory of 3368 1732 x6876133.exe 84 PID 3368 wrote to memory of 1184 3368 x4490853.exe 85 PID 3368 wrote to memory of 1184 3368 x4490853.exe 85 PID 3368 wrote to memory of 1184 3368 x4490853.exe 85 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 1184 wrote to memory of 4964 1184 g6168470.exe 89 PID 3368 wrote to memory of 3968 3368 x4490853.exe 90 PID 3368 wrote to memory of 3968 3368 x4490853.exe 90 PID 3368 wrote to memory of 3968 3368 x4490853.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe"C:\Users\Admin\AppData\Local\Temp\b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6876133.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6876133.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4490853.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4490853.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6168470.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g6168470.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4435932.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4435932.exe4⤵
- Executes dropped EXE
PID:3968
-
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:1004
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
492KB
MD501d46bde7fc53994a1b39020c318188b
SHA17ca1e8e2f63e260a7afa9753023742802f5399d5
SHA25662521523d4d4953b009df317dbbab658ca69f7008cb6d115297b89c869b40e4d
SHA512318971c5f0e444fe2a095bf27e4adb93f44ff270f00008346fd26a8da3b6c7239f031e4ee8b91e0f75013d1f59d6a7a87840a998a4f1d4714012dfb4202cf532
-
Filesize
326KB
MD537a9b371365e0a63893c668b0fccf592
SHA1aba5205366f2f31f50c2350cd67eb1f64314a796
SHA256fa26968c3423f164bb6b039c5776a9c9460f3b372caa6d81649255914f4f7597
SHA5120d010732e8ab01f850d53c2a133d1d0be5a59670d9df2dad149662f9eafc652195d02a759fea422680cc03626c730642fde5d2768213a3761e8578ddd4d0d1e0
-
Filesize
256KB
MD5ade42a5ceb7d5b10b259b4e1f2860a43
SHA1818cfafaecdbb3002583ab60e2b56c622c05d708
SHA25650c284acdac45b74f9c4b1014b0f036679496573c973688e3de5b9e7b5b377fe
SHA5123b7b7a270cad3b072e51aeb0281c56b081a8aa203b2ce070f7075e005d344a7fad7fefba5d0acd520d8f07ad1e3362b1f7c04fb91034cf348c899f6da5edaf88
-
Filesize
175KB
MD5acc92df15c13ce7b30b404f7782a274c
SHA129985f1006d5d4f7e9130db589b5cb7af2fed455
SHA2566a1859d4406e577ddafd1fe3e2cd10ec6e2806026b29877b5a5581bd591a367d
SHA5129c70d0e3b182dd98a093d0cc6896a146e2bafc706d60d1fcfc11d84e766d51edc4bfaa86fd4c1acce67c8ab2e5d63a73d9f492634ddfdeedd955ace46eb1348e