Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 14:29
General
-
Target
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe
-
Size
920KB
-
MD5
0bba6c5a8b9979a2241f1450ba08acac
-
SHA1
823b3a858ce440a6b30ca707db2a28ef5596fdff
-
SHA256
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1
-
SHA512
8d23fc817ef2cb576610036221c22b4b7ab5697dad617de7bc6f656619e9764f9f126db0e02a2a79d7a55d2bdcca68477f77660d789d9676d7750aaa0692167c
-
SSDEEP
12288:+Mr9y90+HbQau2ZVqMaLa1SZpRgJf+X+dPWgI8Fitq2UudtD79LEN6nt1S:7ydcoVY8SZp6JfRPHvFujZwN6na
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe"C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exe4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.logFilesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exeFilesize
765KB
MD518e389e79f96cbe2d759c734d3e49e78
SHA150cb298fd91a90ebf2bac3bde37b6d77cca4267d
SHA25648fd34f5c8037fad88d01fc9863612f020fbc15409efca49d40f7e91639d33ff
SHA512ac4e859905944e6b2e868207279aa880aeb6fd0ad2aa962f59f7c89285b7c99be54a35166df5d64174bcea5f718e4e4a277e0d39d568093033d1903dc4610b79
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exeFilesize
582KB
MD568067bec765ac70f1c242f4c4046c282
SHA1ff713e405ab12cde47cbaf932cf1cb87e557c956
SHA2562bd9ad30ef9ab2fc56a38f9487a2466f5f4d031f2bbb4d3e44668958433bc79a
SHA512d8d04c652650d26d12caeadbbd2dea80ac31c039f79a415035ad40f4fea08fd2ef07ea01a7b3d03ef8518dc8df8b135bd035a144e9b50d391c1da5e755922016
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exeFilesize
294KB
MD58da17d71715c495fb0be1adf72311636
SHA187f0490b70f70fd36e00bb7d2d7ff279119296fd
SHA2565c02f1c047f26359ace7383a60bec2b7f4cc68c8948007e12f8a7757d6b309d2
SHA5123db56898bdee039a7d1fd374852a564e39ea97469a72203e0d3e0c18862a90475f51390c617f05d0a04f9531e0b785e625549caea0f484063029c25ab2c59b93
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exeFilesize
491KB
MD501e3487170c4d9d1da491a231157e6fd
SHA112d851baae91313bcae4da1d254cf5a8a8a424a1
SHA256952c7cdd3f35e9c7ff35b78ac3bcf2e3fd6be449a8d017f515b1262c3697fbb6
SHA512f98cd58a23a26f76196bb95849a2d0eb435e10702f5bf1d0d17f8cfbc0eeb94f3be6e1da1780eca081215a87c30f40270ba0ab2b5f9b777910b104e1a29785a9
-
memory/1324-45-0x0000000005010000-0x0000000005628000-memory.dmpFilesize
6.1MB
-
memory/1324-35-0x0000000002010000-0x000000000209C000-memory.dmpFilesize
560KB
-
memory/1324-44-0x0000000002530000-0x0000000002536000-memory.dmpFilesize
24KB
-
memory/1324-42-0x0000000002010000-0x000000000209C000-memory.dmpFilesize
560KB
-
memory/1324-46-0x0000000004A80000-0x0000000004B8A000-memory.dmpFilesize
1.0MB
-
memory/1324-47-0x0000000004BB0000-0x0000000004BC2000-memory.dmpFilesize
72KB
-
memory/1324-48-0x0000000004BD0000-0x0000000004C0C000-memory.dmpFilesize
240KB
-
memory/1324-49-0x0000000004C40000-0x0000000004C8C000-memory.dmpFilesize
304KB
-
memory/4416-29-0x0000000002300000-0x0000000002301000-memory.dmpFilesize
4KB
-
memory/4416-28-0x0000000000680000-0x00000000006BE000-memory.dmpFilesize
248KB
-
memory/4416-22-0x0000000000680000-0x00000000006BE000-memory.dmpFilesize
248KB
-
memory/4416-21-0x0000000000401000-0x0000000000404000-memory.dmpFilesize
12KB