Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 11:12
General
-
Target
21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32.exe
-
Size
1.2MB
-
MD5
913372a73a1f952c41762a0ea1f91a37
-
SHA1
d02ec459307a0847637f788a5e2e33c732f42f31
-
SHA256
21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32
-
SHA512
733128ca43a63c485b28a8f2215b0b4848acfa0929692b588130adaa5cf2291b30bbb08232b85704ff5739ed87f43cf251a18882343a486e99eb9ab06856ef4b
-
SSDEEP
24576:yy82uVKaX0hGaGcr+Osx1QVB1ZyuItcIZ2v8i09g3K/03u:Z82qKu+9+fQVBOcIHx9F
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32.exe"C:\Users\Admin\AppData\Local\Temp\21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1186983.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1186983.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2757613.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2757613.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4922420.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4922420.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5164567.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5164567.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7096172.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7096172.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1349231.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1349231.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9378338.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9378338.exe5⤵
- Executes dropped EXE
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.0MB
MD5a958b8f529f8714ab8f649accc09d9f9
SHA18ec0f0c1dddaed3b89fdd493d43949bb35b6d19c
SHA2563bccd82842a40854bdc9bfc3fd8dc5b93707f759c1938f2e0174165af52ba8b1
SHA512b4346955ea9e979e59ca6857df7ccf52e5a60cec74ddeac38dfd2d604e74a7b82f61adee9453693697f5d97e434937f895776b39797c95aa7c47c2eaae8d99ea
-
Filesize
905KB
MD57fcac3187ef0a3ae980b457751d7ed0b
SHA1b1e9d35b1d9164b28ed5f99398308f32a332dcaf
SHA256afd1d16929b077f25b929310df449fd8772f653027596fa55ad4da17983df2ce
SHA51246227177614ab96a48f3cf811d61a15eac2b58b7eade042f0f5e50544e21abfda13af520e3d19ad9b162d0a1e3e918a6240d1f88a657bda7c5b6654864380642
-
Filesize
722KB
MD5e99aa1030c7a763e8bb5ddc13a871fc3
SHA163925d0f25f3dc55a0dad0397741001098712ff8
SHA2567d9e8e6a8fbf325966e5cad26f6bc2daf9fcb9bb3ea399dfb48eaf0c0e5328e2
SHA5121d650cfc66f4e028986dc4b0fc6d1e64ddc923656bb08a701a4cf4c9df994d8380cc57d36b6fda3635b0f9e9de4ff5a7ba9fd3fd7dd41643a0b20d83e5ccd0ff
-
Filesize
492KB
MD5644fd9967279d0b37d985915fe87f280
SHA1fd78c2dd18e32d4f9b35023c4fae6a8e60e2669a
SHA2566b2f8a6639b2f6e13d4bab219c1513284203270411bccfafe0b323031133e3c4
SHA51272cfeb5e13f35f3cbf538cf3b37478275e6aaed9169e8518e6bf68f8b873c1bf096d11a6a06f6c507722db29031a6b0de14bbf9dc705514bc7277f78749f7ef8
-
Filesize
326KB
MD5f001ba8d5cc9b4cdc2c6497b35d24389
SHA1adf5afbe53307a4cbce6f61eb41a5f8b392bd1ba
SHA25676a6001a778dd220a1bac72a373be37cffa37128e87f0ee2191af1ea0edd989b
SHA512fcd79f323497c2ccbc1e25eeab1e739041c2fe0c0303e09cb9f37545db947415bdd3df81a8f249414a5fd6b731f1ce855fc3ee7fd3f4fd96827f698538b1233c
-
Filesize
295KB
MD5fd699b4ed20dc242c93c08fd0e200e56
SHA18744ac80d4cba3be5c2a6df20895af9a7c3f204d
SHA256276677627decf1682d9cb3545327eaaec22fe5e36fff15b57f1614b21022a092
SHA5123b5e4a05286d12e7c9c8bfe587e80deacdd44c2b9832370eb45765623703335ef5cd216aaea0cd61bb5cbb55584dad0793faab3c1aa85cad644358238e28ab19
-
Filesize
11KB
MD5e14ac2d9095b9b27f28389369cc810f3
SHA1d59499d0beae0be39746cc389ee2cd0d7b90672b
SHA256a2f4bacc055531ada6d5fce84091eabde8bc920c5ac8b2f3026cb21948b6c915
SHA5129de2f8665c58eb5c552d5cbce27c5a9748b591954e028d9029742cc68f55379490e0c379ff64508036be481fa45a6c91db20b803c38b0ab3588107b9003da17d
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB