Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-03-2024 02:45
General
-
Target
e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe
-
Size
765KB
-
MD5
f199c8c303f55c5d18842e1997e13208
-
SHA1
3dc56a32a2af84cf60c9fb950f2e7d249230c733
-
SHA256
e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f
-
SHA512
44e7557a3e818a2d1cc6a8a0cd627faebbc798bc783c4b4587ce1fd6486b71f6070068b190a64af64cc54f65c5edadd5500480d1f5cb8ebc5c5e05ae39ddfa24
-
SSDEEP
12288:3Mrwy90mS9Dg3lfQBjO5gZ054jnt5XSDpUA3eesuEnWmnWS8dRzAaNUBXXugutsW:DyVLp5gnt5Spn3eeqn9Wt2aOBugutstc
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Signatures
-
Detects Healer an antivirus disabler dropper 20 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 20 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe"C:\Users\Admin\AppData\Local\Temp\e18706af1ae9a815cf1256a7b000fe00c293b77b4b45655fe81096a6a5121d0f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1116.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1116.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus2264.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con5744.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con5744.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMM62s56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMM62s56.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
MD50c2e81e96daed9fb11c235211c6ef382
SHA15f7653c0dd8ed0f766fae28f371f28ea40930604
SHA2560bd0c51da385286ec3582bfad6f10ed45404f914082586f5a3a3a21de8f6f7c5
SHA51290360a7d7a9458198ac91ed25833b3158c7f62af7c55f5275ede6ab49c8c1db6a25956da28590eb8d03a9e074b1a290f003640d22b3384bbfdbd400d6fad7f8c
-
Filesize
378KB
MD537638fcc272bb63bc2fbaee5eed08bc7
SHA1b02dcc1be58b7edc84c8f56c9574f416ed260e7e
SHA2568a3414fc223a9b9b3ea453a50deaffb004f79916c8445097e93fda052c9b8666
SHA512d222020673aa5a714da3f24808b2636317b324b5ad4e008161e0e2738c97daa3beb9c1338373cfaa5db4b5aa9bfdc98110add9253b90e83f2f48d9d8597877b4
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
398KB
MD5ba6d82ef0b33ee1ab51cfff0ba010577
SHA1a71d760ec6cc90b8e44b373ea4eb89bb35bd9a66
SHA256b28dafcb8dd2c8548db0aecdec318ae1fd5af1568691d12a6c03763a719e9e0e
SHA51288459a0b24af44ee9725360abe4f7ea31f6ba28255f45d8cf903ed8f1fa35801a8e1b6dc8670d59a7f44f65df8ce226c97429e8c80a77e08f29dbb5345e30dd4
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
3.1MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
3.1MB
-
Filesize
1024KB
-
Filesize
3.1MB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
1024KB
-
Filesize
272KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
3.2MB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB