Analysis

  • max time kernel
    150s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 11:02

General

  • Target

    bc1039ea1a02cf1e898c7cea2600cac8f44dbf43b2b49c31da3024ffd998a7c2.exe

  • Size

    389KB

  • MD5

    8a93f2fead052a76fbae72166ac8fb12

  • SHA1

    d3717ab4c59cc8ede584e2ce79bc768d62a03dc3

  • SHA256

    bc1039ea1a02cf1e898c7cea2600cac8f44dbf43b2b49c31da3024ffd998a7c2

  • SHA512

    cade714bb097b4e24cf985f5156bf55ac4e3390c812055e4e5f10c118e4b2e40d9b449e8b2f236ca9b3095382f884e7f49ce17779362f1cb7a44255c7839711a

  • SSDEEP

    6144:KZy+bnr+wp0yN90QE/Yd+B4GwMEbYWOYNdGGxPYuQX/ceXe:fMrIy90TFIYPixAuocj

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc1039ea1a02cf1e898c7cea2600cac8f44dbf43b2b49c31da3024ffd998a7c2.exe
    "C:\Users\Admin\AppData\Local\Temp\bc1039ea1a02cf1e898c7cea2600cac8f44dbf43b2b49c31da3024ffd998a7c2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4360316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4360316.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0739731.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0739731.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8147143.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8147143.exe
        3⤵
        • Executes dropped EXE
        PID:1296
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1900

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4360316.exe

      Filesize

      206KB

      MD5

      e6b4ba6f5d76a4719f406cd3aca3b9a7

      SHA1

      77a6d0a2e77a71534c848a111573f6af326ce5dc

      SHA256

      96356b86475b7fbf7dce2734b64e0ed95cba6b5a7be0efcb71bf469965457adb

      SHA512

      ae8b1d3801243dc81ad6288cc449d90ced08d8a34039a8fd07b09557a6fd52213cb08b334f63e1dcdd0110de12dfc7d9ff24e2886bec6175927a385baf1d0486

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0739731.exe

      Filesize

      14KB

      MD5

      84983a334ac089ec14cf05f1c0605bef

      SHA1

      6836067a70683845a7e773d1f28f1cb9e4138d15

      SHA256

      e4c23c0d96badfd1ea7612225bd61898a296a585b69230989ee61ecd87fcc57b

      SHA512

      0ea33bab35c21d5612219337945079d3cac74552c776e379bdbeac809538f600b5a2eb17a6877f7fd1956fad3cdea651fd0b9abde76c5be8a2c1fbc686225080

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8147143.exe

      Filesize

      173KB

      MD5

      36fe0ab069c8ee215f9b18e10bb5a184

      SHA1

      42a3650d4fbda059640555bce0be87544556870d

      SHA256

      f492ece3bdadd718f42d07315e318b307757c406025d07bfaf56e619232eb9de

      SHA512

      a201e8d2a5fdd44f2aea01b9ba1ea51ae6c75c40979a912212bea270b223d2f686b271879a5cca2cab01fb3bdbc01d5719bdf4fe7691c878fc3dbd05b79ab06e

    • memory/1296-20-0x0000000000310000-0x0000000000340000-memory.dmp

      Filesize

      192KB

    • memory/1296-21-0x0000000004B30000-0x0000000004B36000-memory.dmp

      Filesize

      24KB

    • memory/1296-22-0x000000000A740000-0x000000000AD58000-memory.dmp

      Filesize

      6.1MB

    • memory/1296-23-0x000000000A2C0000-0x000000000A3CA000-memory.dmp

      Filesize

      1.0MB

    • memory/1296-24-0x0000000004B50000-0x0000000004B62000-memory.dmp

      Filesize

      72KB

    • memory/1296-25-0x0000000004B70000-0x0000000004BAC000-memory.dmp

      Filesize

      240KB

    • memory/1296-26-0x000000000A1E0000-0x000000000A22C000-memory.dmp

      Filesize

      304KB

    • memory/2484-14-0x00007FFC3D7F3000-0x00007FFC3D7F5000-memory.dmp

      Filesize

      8KB

    • memory/2484-15-0x00000000008F0000-0x00000000008FA000-memory.dmp

      Filesize

      40KB