Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 17:56
General
-
Target
277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe
-
Size
389KB
-
MD5
be20e8d108cf9e94319678c0f61393d4
-
SHA1
9ca7da9916d071095a2985ecb2408f24f9978453
-
SHA256
277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94
-
SHA512
4a60a1bb61a320deabeeebb508685a024c2b6c1d065221bc5a2682a90193300899d49e355675b84293875486cd08e94d582c95df886ca3330bef74cb0921afca
-
SSDEEP
6144:KPy+bnr+Lp0yN90QE9dx9l253NzJGHDRezddZ5ULvrGEf51/HmbTME:FMr7y90P25uFEnwrGEr/YT5
Malware Config
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe"C:\Users\Admin\AppData\Local\Temp\277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5f34c885bc0878d18d10ff2a2bcab37bf
SHA1183ec4b6099090f5e12f2977855a5b8a47434b11
SHA256bc0bd82e116a9895ebc746eb946211813684173fb091a3b5beb68d633d8f8ed7
SHA512ac17cb90087c25fec2966c8ef59192b88d9ae2752d235af76a9b7e73900319750aef27becf5877f89560046b0c0cb43d2901cd501a032295f354fb2f7b27495d
-
Filesize
14KB
MD5452bb0fa072d8b5b84e96b8135b88a33
SHA1958d7ebe07651e7de76fa57dad744174a6948840
SHA256e4864ebb7779217e5e02467385f0e1b64b27e1eda7c6ce12c81fa2ba5886d6af
SHA5121f7f6066b5b8c076894aed53d85f46a9c643d41a5faebc84400437bcb797a9b220c70b75be4139c9213121c841e868f2677096bbd167f3f151d7b3152cbdad9b
-
Filesize
174KB
MD529d290bc7cf52245c18068dd18a2b56b
SHA180834b85700772615c39a38757267968e32f3240
SHA256f66d99d19231a0f6abba5374f8916cdcb478e715c50f29d6e436e54ee0e2db44
SHA51286e90ae7c792bbae7bba8f0ee029c71233e540d74f9786aa3c5f381d2394ce7aa72c5cd6045eb9410821e59ba201558da773fc14e267cff0ca09ccc4a5314bed
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB