Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 14:40
General
-
Target
b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe
-
Size
919KB
-
MD5
aa26cccde046b0e54b832825a5756c35
-
SHA1
f5c538220421870979edb4d93fdf8b02a4d0ecbc
-
SHA256
b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa
-
SHA512
60ace7d38dccf257e75c6e369355975b84757c127f93afecd6e58f4316bd7f1d13cf55f7d4264d6928e37f62a37d838f9b044567ea49f8bd27eec9511130a290
-
SSDEEP
24576:IyAXaONmQk2uEBNOAaIGqgK1wjH9AxXChzyvp:PAr+RpItggoH9ARC4
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe"C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.logFilesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exeFilesize
763KB
MD5b48a578588d98c3a62f893c31d186283
SHA16390bae1ea0bcbd3946a6fe02c96648630a7078e
SHA25612eb65af73d57056b331bbffbd992f9f24d1b8e4a511755169da65e77f541084
SHA512d4ba3cfd9be3460f3a7c499636ba52d8314bdbd8361620126446087668145115ebb61a0e19d84fd60af786f0d555617b1ff6ba8ed9bea6c1625fbf347e70bfbc
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exeFilesize
580KB
MD5f3520c894e9ce7c7dccd10ebcd9396c0
SHA19e34c4b127ad1323d64505336bb4d8910c0e3816
SHA256683e4cf522ce3fcaeebd4c3651b2b1284f39a5d589cd6c5a914012659b04253a
SHA512fe7097e3c7e7dc39ab30ab46acc13fbecb1a1ed74dff67a76d1e1f4d2b54992dccf8627344a418998f3c4370e62ee308fdce7101478de4d6fa4605a46dd2be4c
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exeFilesize
294KB
MD5f0cb39848f81ff9d8596467899faf7b5
SHA1a4cfd01761010269909a9dc449d3e61ebd91ea4c
SHA2565acdb9813683437854c30906c4bf78d941a704f4fb8c9c8e04340302856d553c
SHA5126203c1e764d25df982b5f00e7c9949ad01c0baba66be08028a44986a42fba123bd8b08ec922714a7ad7fc52ba59a02321925ae2d11ba12067d2239383cc38855
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exeFilesize
491KB
MD5723cd8350a1b5161d46ddaf8ed4014fc
SHA144cd20f39e87ce79c0564844f4fb303c288d67f5
SHA2568d1bd965483537eace2744419a9f76fabed2c980d2ecf59fe4c8c65f25cd04bb
SHA512fe7da90b1c21f067a815fc7d5b2494f2ca0eb81832b525211beea61e813548c9bdfba28b6ae32a474e337f2f3fe83dc956d95423a9e8ba9d0749ea4af028202f
-
memory/1520-21-0x0000000000401000-0x0000000000404000-memory.dmpFilesize
12KB
-
memory/1520-22-0x0000000001F80000-0x0000000001FBE000-memory.dmpFilesize
248KB
-
memory/1520-28-0x0000000001F80000-0x0000000001FBE000-memory.dmpFilesize
248KB
-
memory/1520-29-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/4864-36-0x0000000001F70000-0x0000000001FFC000-memory.dmpFilesize
560KB
-
memory/4864-42-0x0000000001F70000-0x0000000001FFC000-memory.dmpFilesize
560KB
-
memory/4864-44-0x0000000002240000-0x0000000002246000-memory.dmpFilesize
24KB
-
memory/4864-45-0x0000000005000000-0x0000000005618000-memory.dmpFilesize
6.1MB
-
memory/4864-46-0x0000000004A70000-0x0000000004B7A000-memory.dmpFilesize
1.0MB
-
memory/4864-47-0x0000000004BA0000-0x0000000004BB2000-memory.dmpFilesize
72KB
-
memory/4864-48-0x0000000004BC0000-0x0000000004BFC000-memory.dmpFilesize
240KB
-
memory/4864-49-0x0000000004C30000-0x0000000004C7C000-memory.dmpFilesize
304KB