Overview
overview
10Static
static
30a7a53ccfc...4d.exe
windows10-2004-x64
1015fd14ba21...b7.exe
windows10-2004-x64
101ded3ef8a6...eb.exe
windows10-2004-x64
10211c4e6a11...13.exe
windows10-2004-x64
102143b79ffb...90.exe
windows10-2004-x64
10262bcbb295...79.exe
windows10-2004-x64
102db3eb661b...10.exe
windows10-2004-x64
1038f672e7cb...04.exe
windows10-2004-x64
103a8f22ea92...1f.exe
windows10-2004-x64
104ad2507250...50.exe
windows10-2004-x64
104d264f872f...4d.exe
windows10-2004-x64
105dcad04e9c...98.exe
windows10-2004-x64
10838e53197e...9e.exe
windows10-2004-x64
109fb3613b82...eb.exe
windows10-2004-x64
10ada5308889...6d.exe
windows10-2004-x64
10b7edb218fe...67.exe
windows10-2004-x64
10c7a8b128f1...e0.exe
windows7-x64
10c7a8b128f1...e0.exe
windows10-2004-x64
10d0c2f16d85...04.exe
windows10-2004-x64
10d686e13696...c7.exe
windows10-2004-x64
10f2cce909ec...10.exe
windows10-2004-x64
10Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1ded3ef8a66199255bccbc48246fb511b05dd362acee6fc379d36afee68aa1eb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
211c4e6a11f15bd767da6f104c223571e677d598cba947fc6ecc736fb041af13.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2db3eb661bd1960f4f027053512a24f0c61f26c7314d49ff0114cec48de8d110.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
38f672e7cba986b4d9af3c51220a9df7a2a858c8744e2594475ff11d2cd80504.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
d686e13696bd68f852ead6d9f363bc3da451cda82485f639727be0ee38b8dac7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe
Resource
win10v2004-20240508-en
General
-
Target
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe
-
Size
768KB
-
MD5
31e9f3737fd3f934ce46d6c2099e5243
-
SHA1
54e992452c1e7e0d068d22090541c8eea71049b3
-
SHA256
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f
-
SHA512
634108bfebf5b3c2f868df51d0e13bbf1ae539863e29b410a139dcc12376380d1decdcec21406cc73943a5011ea49544bdeda74665ac557dc59ba4091a4f1991
-
SSDEEP
12288:6MrVy90aRBe0s3hBIVTjySblJVsRTWFEHY8cOWtgC+a:fyNRrqBAT2TWFEHY89FC+a
Malware Config
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
Processes:
resource yara_rule behavioral9/memory/1316-21-0x0000000000400000-0x000000000040A000-memory.dmp healer -
Processes:
AppLaunch.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1044606.exe family_redline behavioral9/memory/704-25-0x00000000000A0000-0x00000000000D0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
Processes:
x8534019.exex4956900.exeg0072402.exei1044606.exepid process 3280 x8534019.exe 2956 x4956900.exe 3020 g0072402.exe 704 i1044606.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exex8534019.exex4956900.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x8534019.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x4956900.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
g0072402.exedescription pid process target process PID 3020 set thread context of 1316 3020 g0072402.exe AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
AppLaunch.exepid process 1316 AppLaunch.exe 1316 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exedescription pid process Token: SeDebugPrivilege 1316 AppLaunch.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exex8534019.exex4956900.exeg0072402.exedescription pid process target process PID 3264 wrote to memory of 3280 3264 3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe x8534019.exe PID 3264 wrote to memory of 3280 3264 3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe x8534019.exe PID 3264 wrote to memory of 3280 3264 3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe x8534019.exe PID 3280 wrote to memory of 2956 3280 x8534019.exe x4956900.exe PID 3280 wrote to memory of 2956 3280 x8534019.exe x4956900.exe PID 3280 wrote to memory of 2956 3280 x8534019.exe x4956900.exe PID 2956 wrote to memory of 3020 2956 x4956900.exe g0072402.exe PID 2956 wrote to memory of 3020 2956 x4956900.exe g0072402.exe PID 2956 wrote to memory of 3020 2956 x4956900.exe g0072402.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 3020 wrote to memory of 1316 3020 g0072402.exe AppLaunch.exe PID 2956 wrote to memory of 704 2956 x4956900.exe i1044606.exe PID 2956 wrote to memory of 704 2956 x4956900.exe i1044606.exe PID 2956 wrote to memory of 704 2956 x4956900.exe i1044606.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe"C:\Users\Admin\AppData\Local\Temp\3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8534019.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8534019.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4956900.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4956900.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0072402.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0072402.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1044606.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1044606.exe4⤵
- Executes dropped EXE
PID:704
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
492KB
MD5e330f2faca30ccb6d43d33f629d16dca
SHA18731f28a8b3534e74ee920509e90322953ec7478
SHA25603ad89c70c9316adf2548070aadd4e037963fe694777ed8485f8ad109f552c73
SHA512af157a242e58d61456cace704d156739d989b4ff2bf4f298236af4dc3112a334824b3e9c2e73bb8f8ccc4be2806dcd579d08bb18b57c02bc5e5e718b0a5ea5fc
-
Filesize
326KB
MD5fe26f52baa53f977be6760aab01b9826
SHA1c98347da04ba1274838c3869157516e54e1ab690
SHA256468e4712d5fea635fcc38970efb731e365cfcafaaf2d8786f0645b7cf384514c
SHA512adb007713e03cbe10bc9f2c6336bcff588b9cd7f8ddcdad7fe2495b488dca54dccc784e1aa0ed2f3759ee9318fa1461f1788ce9e295863beea2055b4aaa675ad
-
Filesize
256KB
MD5bcd8e40adba0f4011b5626858fbbd705
SHA153c583fff5f32156bac125f66379b23ba7d8bd93
SHA25634184e731d362a6c825837a0e4a27073679170f5032d595d3ab40959315450bc
SHA5127e0ecdbf0851b8b6c54396c9e05fff10de35d50227e349022e3383656df0eff36afbd161054919bc3ca581f2f021b66c66df5a84b4fa6414d01c8e3bd836e9da
-
Filesize
175KB
MD5e9705bb9aa5729ef3c986bc7bf43f86b
SHA17d80fd867d45d6f0f56011c40a61633f22e99aff
SHA256285bd9bcc3cdd1307ef78361428d53cceac5c8ad826ff52503f0730330f0757d
SHA512dd41b8711d900e46f327dd487e14abc05ca61d5cfc13cb2f465d0702363a671fb3b713cd1b4b5f37e3434bce7ec85d7b3d440f9a33f0b63cb36328f7c6be0a25