Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 14:40
General
-
Target
24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
-
Size
389KB
-
MD5
ad9be100cf69828b8e7a7a836154d5e4
-
SHA1
dbf0f2accdb22e674419d2c0abda7fbef534c3dd
-
SHA256
24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df
-
SHA512
0e13d0bc6bfffef4ee50fb62eb2168de8426761b4da0091c95eceb7cb1f461bf05f73677bc07ddf504e69e306a3848e148b22c9fc17eeb3a247647a96d7f0446
-
SSDEEP
6144:KKy+bnr+Rp0yN90QEnI11PokWcnZNbQR5nfyQPLaW5F/tyKYuNcUNQfMFkkhgVRn:WMrdy90uTPTcty+dqMS/VRi1nm
Malware Config
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe"C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD53654700f8e740d91fe6e3f398822bf25
SHA19e548f654107e2663e4c7074dd3e6abe9e25354a
SHA256491316f9f88d72115dd9bd41efcbc31f974b030bf5d33e9308a3ce8b8589652a
SHA5122aa4bef6904c28aadd04c4703f307d8e05547457717f826c7a8f201f086375a841530391ae79926c57954b3450a74cdd84e1524531cc48f226c824c8bd9a5387
-
Filesize
14KB
MD5378e73f5cda4a0c8ed0fc6f199af75b2
SHA1875e88e459b5bc5a3e97c1661d17c641a5f34e6d
SHA256e4b65082517250ce8b2813339e2a9853cb389c078b16ffd2ba6cd90c1e15801f
SHA51283efb06439b4bd2504746b6acd9d9c091faacbf4fac92fa677ce91e6c4af59bc50597a37db1c58c1f1fe580ea0a27818bb38a398a1b1f65aca8d3a8f12bae79c
-
Filesize
172KB
MD59346ca64a3826abee40ced926e76f48f
SHA13424ca079ff0f0575890924c48fec09e43488c6a
SHA256ab5038a0ee6206486cb55a4dac5d0a4d209be90bd9395ebb37e31bfb654d3f87
SHA512733f3fadf7cf3deeda90b046cca19ec47e103567628fcfb8c90e927244b5f0870c3b95d2d67e2d0f0825eed3cddafdf788c10c732e7a5fc7e03c25de27d64530
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
8KB