Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
11-10-2023 03:02
General
-
Target
7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe
-
Size
753KB
-
MD5
cd477aac77d7453206b9e984a4444fc3
-
SHA1
c798de0cf5623a3d7b4beb0e8fa98bb6f32e91b9
-
SHA256
7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb
-
SHA512
a9ac3f52f11f0d4c439cbbcf99a864928b5fd4713bc867cc28d33655276e8c853310e7b4d28d99d64bab94377f199b35da24e68d11a0b260a099e1fb583764f8
-
SSDEEP
12288:qMrYy90EqcrEywjFwiKj1PC4/JTc557oUsiB3yPC/oVSnuFlx1GM7Hzj:eyUOiKFC4BTI57oUEkoVcWvnj
Malware Config
Extracted
redline
dusa
83.97.73.127:19045
-
auth_value
ee896466545fedf9de5406175fb82de5
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe"C:\Users\Admin\AppData\Local\Temp\7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9143845.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5457738.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5231148.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3651390.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
454KB
MD56a89839bef7babff13f0294d47999d4d
SHA12440d22d80ac9182bf20a23b7c941d26ef230bec
SHA2563736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc
SHA51272228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec
-
Filesize
454KB
MD56a89839bef7babff13f0294d47999d4d
SHA12440d22d80ac9182bf20a23b7c941d26ef230bec
SHA2563736edc6b042256963bec450a629d417abc7420e91c6a92c2798779dc9d709fc
SHA51272228db8e23fb2fde2ab30fb55ade211c702f7ebb94f6f09258a1c8757f356208256340790705b5fe6e9a18cb0465f76d58e0435ef337a28724d409b55b241ec
-
Filesize
282KB
MD5a037743c2a6055e38a8c91b96a57d545
SHA16257e2ffd34798f5f8d1a3432723dd014d0fe76f
SHA2569c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27
SHA512b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4
-
Filesize
282KB
MD5a037743c2a6055e38a8c91b96a57d545
SHA16257e2ffd34798f5f8d1a3432723dd014d0fe76f
SHA2569c6cbdb70bcb4fea1fad0edf981595ae659bb7b30f185aee6734c2ed1a1e2e27
SHA512b9efdb8164ddd70b941c6b64d280786d27a0be93bb0cea0fc89d40a8393a68352caab34fb735e8b0ff55a522c3a22cfe2a5480463a6cdd2e0fec9a6d22c1e1e4
-
Filesize
169KB
MD557c4bc75f678ff9e333d9554e447766b
SHA1567b479ab59a67fff64ea7be793c55ade1b08137
SHA256e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705
SHA512005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde
-
Filesize
169KB
MD557c4bc75f678ff9e333d9554e447766b
SHA1567b479ab59a67fff64ea7be793c55ade1b08137
SHA256e3f1b34eb94e0a77996ada95bda0559de49353a6c54694d96958a4643db47705
SHA512005a5481d4d19c7a2a89d34ba3f84cb99622241b8f1860c12df54652a888caeee6e806bb1c928b7217bbd325cb1f96aabcc7191745fa7c833be723a67c809dde
-
Filesize
168KB
MD508ff3d597c112cef0dacdf77e020d580
SHA1693de4609e08f7626d05c78b848abefa2e83a0df
SHA256c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429
SHA512418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415
-
Filesize
168KB
MD508ff3d597c112cef0dacdf77e020d580
SHA1693de4609e08f7626d05c78b848abefa2e83a0df
SHA256c61e7f08640e7270f85e6f526f6f4d9ed9218df37c250d9fd59006ac3a895429
SHA512418c4042d92057fbe2e2fb488632d59f64b4d6f3b50f5be89c35d713f9a4d6712094ef944404752df685cd177fe78376c12e8bd0cb00ac4b47d10c77a0cf4415
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
24KB
-
Filesize
184KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1024KB