Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 18:26
General
-
Target
16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
-
Size
389KB
-
MD5
1e6d0394a9335f03d83a7f498df12ec8
-
SHA1
aa25774159336873d0799b11546d7cec88ebca87
-
SHA256
16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86
-
SHA512
4bb7c4a3706e4056f6cc38e46dafab8e6bd463a148d5bc46197f7957f750d51c6d98903eeebe5b560283d1e15536bebad88c364e3776d5b804d99f36b8a17393
-
SSDEEP
6144:Kqy+bnr+gp0yN90QE+rBmAS9kW2PZNK9zG1evw+IsQnjCgK83sE6ZnRC7D4I/FWB:uMrIy90wsAS/kBQk6o7D4I6d
Malware Config
Extracted
redline
roma
77.91.68.56:19071
-
auth_value
f099c2cf92834dbc554a94e1456cf576
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe"C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5f389811e3e6c0afdba444f02db669093
SHA12f67d8c13e1477415f6ef5408a2940c7739b21dc
SHA25648da474cb540b3f33c0b78853f06ed9249618db3e5c4670d45b18a1a6180e0f2
SHA51249c9acb85f437e75a43cb215e96fe13dc56f05595b27c57ecdb73516a5e53cfb21cb6a0faf38e32af69f72d1a4a358f08ad4e819e8944bf77ae9f46050e7787a
-
Filesize
13KB
MD5d3ed7b336677ab4edb046bcaadbf972f
SHA1d8a6e54a5a4431f985a3157b93aaae0e04bb1325
SHA2561109e4e67a017af633fad9733479bf067a924c950974c946c381958801a6d5bc
SHA5126e2a47a5729043b9708f5a781159853b5b0f4c0a228309a7c427c5f4afcdff4f82f1f56e1f0a1defbcf15f5eb1ae4c8db22f84295c5ed3c8dbe3c82d8331cfc2
-
Filesize
175KB
MD5e4232b49c9b6f09e99407fd03ad1a93d
SHA1c6ed2f7d1587e1970b0f566ad5e5ade07404d9ae
SHA256462107d8de1bad294f86e326dea00e9a1f04b9045f2370e57fe4948ed3688802
SHA512ec8c6cfbe8d15468a5797eb15263d69cd129aae064b44350b0f641906dd745011df5f56831badaa725fc77f37882b5144452f9f811d1fa00594984bbff6f75f6
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
8KB
-
Filesize
40KB