Overview

Static tasks (sample, platform):
- 04a87b8f05...aa.exe  windows10-2004-x64
- 114af5c13b...fd.exe  windows10-2004-x64
- 1e8dd381c7...01.exe  windows10-2004-x64
- 22e22c4ac4...b8.exe  windows10-2004-x64
- 2539ef3c9e...7a.exe  windows10-2004-x64
- 28e3223b75...cb.exe  windows10-2004-x64
- 2a370f0b1b...d2.exe  windows10-2004-x64
- 312eee3369...2a.exe  windows10-2004-x64
- 49fe85c527...13.exe  windows10-2004-x64
- 5b3b69df98...46.exe  windows10-2004-x64
- 73935ea9dd...cf.exe  windows10-2004-x64
- 7afbfc55db...35.exe  windows10-2004-x64
- 7b920ad0a6...fd.exe  windows10-2004-x64
- 867a7ac357...10.exe  windows10-2004-x64
- a69474bf18...5d.exe  windows10-2004-x64
- c1509297f2...7d.exe  windows10-2004-x64
- c1821fe13b...86.exe  windows10-2004-x64
- d431e54eb0...f6.exe  windows10-2004-x64
- e0e0fe767a...79.exe  windows10-2004-x64
- f1372b1a09...cc.exe  windows10-2004-x64
Analysis
- max time kernel: 154s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 17:43
Static task: static1

Behavioral tasks (task: sample, resource):
- behavioral1: 04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe, win10v2004-20240508-en
- behavioral2: 114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe, win10v2004-20240508-en
- behavioral3: 1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe, win10v2004-20240508-en
- behavioral4: 22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe, win10v2004-20240508-en
- behavioral5: 2539ef3c9ef568b60de04a70266f168cf5565fa88027d7d88812aed2417d527a.exe, win10v2004-20240426-en
- behavioral6: 28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe, win10v2004-20240508-en
- behavioral7: 2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe, win10v2004-20240508-en
- behavioral8: 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe, win10v2004-20240226-en
- behavioral9: 49fe85c527d85f575f10ffaacbea94923608dbe00ee181347f30f31686a10513.exe, win10v2004-20240508-en
- behavioral10: 5b3b69df98aea93f199289802070d29f0815829817936cfd60b3b627e0d20146.exe, win10v2004-20240426-en
- behavioral11: 73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe, win10v2004-20240508-en
- behavioral12: 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe, win10v2004-20240508-en
- behavioral13: 7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe, win10v2004-20240426-en
- behavioral14: 867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe, win10v2004-20240426-en
- behavioral15: a69474bf18a7cca7eda490dd3a0e3f56de60989fbd935adbc91521cc640dd35d.exe, win10v2004-20240426-en
- behavioral16: c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe, win10v2004-20240508-en
- behavioral17: c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe, win10v2004-20240508-en
- behavioral18: d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe, win10v2004-20240426-en
- behavioral19: e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe, win10v2004-20240508-en
- behavioral20: f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe, win10v2004-20240426-en
General
- Target: 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe
- Size: 1.1MB
- MD5: c051fa3a44e8e46b51ed93f3be27b4bc
- SHA1: 187538cc7b95ad4c0d28ae9d079031502918b116
- SHA256: 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a
- SHA512: 8622434fd5e93a087d2957b071858ff6b34bd24ed251ac23c6fa672d1b7feeeba702eadbeea6b82e0523ad05ab55d4415b147c82099a1ce8edc45b5a94c6ff15
- SSDEEP: 24576:IyZlHWgpvHbRwWq9OIt5LMbILqM5kntjOpHK0q+4pTOM:PnFvHbGWq9OIt5Dhu1KCc
Malware Config
Extracted
- family: redline
- botnet: buben
- C2: 77.91.124.82:19071
- auth_value: c62fa04aa45f5b78f62d2c21fcbefdec
Signatures

Detects Healer, an antivirus disabler dropper (1 IoC)
resource | yara_rule
behavioral8/memory/4432-28-0x0000000000400000-0x000000000040A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral8/files/0x0007000000023291-30.dat | family_redline
behavioral8/memory/4164-32-0x0000000000050000-0x0000000000080000-memory.dmp | family_redline

Executes dropped EXE (5 IoCs)
pid | Process
1812 | x6060020.exe
1976 | x2531208.exe
2480 | x2240546.exe
864 | g4396706.exe
4164 | h8077140.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x6060020.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x2531208.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x2240546.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 864 set thread context of 4432 | 864 | g4396706.exe | 96

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4860 | 864 | WerFault.exe | 94

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4432 | AppLaunch.exe
4432 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4432 | AppLaunch.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 4504 wrote to memory of 1812 | 4504 | 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe | 91
PID 4504 wrote to memory of 1812 | 4504 | 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe | 91
PID 4504 wrote to memory of 1812 | 4504 | 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe | 91
PID 1812 wrote to memory of 1976 | 1812 | x6060020.exe | 92
PID 1812 wrote to memory of 1976 | 1812 | x6060020.exe | 92
PID 1812 wrote to memory of 1976 | 1812 | x6060020.exe | 92
PID 1976 wrote to memory of 2480 | 1976 | x2531208.exe | 93
PID 1976 wrote to memory of 2480 | 1976 | x2531208.exe | 93
PID 1976 wrote to memory of 2480 | 1976 | x2531208.exe | 93
PID 2480 wrote to memory of 864 | 2480 | x2240546.exe | 94
PID 2480 wrote to memory of 864 | 2480 | x2240546.exe | 94
PID 2480 wrote to memory of 864 | 2480 | x2240546.exe | 94
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 864 wrote to memory of 4432 | 864 | g4396706.exe | 96
PID 2480 wrote to memory of 4164 | 2480 | x2240546.exe | 100
PID 2480 wrote to memory of 4164 | 2480 | x2240546.exe | 100
PID 2480 wrote to memory of 4164 | 2480 | x2240546.exe | 100
Processes (tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4504

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6060020.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6060020.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1812

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2531208.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2531208.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1976

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2240546.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2240546.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2480

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4396706.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4396706.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 864

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4432

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 556
            - Program crash
            PID: 4860

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8077140.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8077140.exe
          - Executes dropped EXE
          PID: 4164

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 864 -ip 864
  PID: 2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 2976
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 1.0MB
  MD5: 1389bf10a539a5702c3d245dc7164b58
  SHA1: 6412368e086d36d0d81df5d2d481f036b6979811
  SHA256: ea11e81a9751b856befaa0eead6dc459ddbbf65f42e8b9ae2a6d548b9ca92b1d
  SHA512: a1ec8f94aea900740f76f440ae0d77ce613a0099ad3e2d7b9527aa11f48ed4aaa83b4b23ceecf99638708144a16a30ab761fd4aaaacd9efb28e33802baec6948

- Filesize: 651KB
  MD5: 07e523cebd56b15f3d5c54e5b5de6c7d
  SHA1: fd85d6786ac763d03267b3fa599cb34da2dcbae5
  SHA256: c269270e45ea3f2d3ca0bf35fb04efb762418d9e20fbd8aa8d24debe49be7dfb
  SHA512: a5e3155dfa38d622030d2af35583f7b26c436e54dd507cb04564d9bd5a8b1c14063b8bcdf7456398f40761a057d956d83f45074a8674d72f4b2bbd5a9e67bd8f

- Filesize: 465KB
  MD5: 4b2c7019bbd1d2b376ce4de382e2c35d
  SHA1: f90c28aa2847593047b8c109cb5f6e4d258a2c3d
  SHA256: e1a38a4f51476d4f26c9a130c8bfe0d82875d9345354d680486e347cfb91b99f
  SHA512: 866bbd8ccc998cf2d653bbc84e5a6e3741659d2fe2ac52f873f9d84100b23aa9994026ce670e9a5f44fb6256efc3aece50df13238c4f57d5af58c62495e0de08

- Filesize: 899KB
  MD5: 21f145baf592f3ae5bfc73c91842c8b9
  SHA1: d75161e7fedf8881e4a775c1329ca9f2e0dc8370
  SHA256: 6e2d3a21290c83a675edc1f005263dcf6f4ee3664744f5dbde16d25e285332d0
  SHA512: 07b7affc8724da2cde01be38910455305665b284d1c4df7681fe4aa7069fc1ec674cabca7e926e70ea054a9d05d9903a5fcb06fdc80ad23267dd952fa75815ad

- Filesize: 174KB
  MD5: 56019a085119ae67e250f5fc81f4a8b8
  SHA1: 84d7d24264f61f2f485fa5531aff796ea876be49
  SHA256: 7334ad17eecda8cda9cac7f0d54c6accf593383d8eddae978ad0f67a948f3937
  SHA512: daccdabf4bc3363cab159529eb3bb287179046e90de95342db7166a9c97bb9dcf7b6aebc2596c082ea928a4b182963a4b0fd6fc0064a8cb2ee184b21466dfaca