Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 14:40
General
-
Target
dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
-
Size
862KB
-
MD5
a85e4b8403f70f8c8c2a4694b484c3a8
-
SHA1
ee614a34528cda5db2c436bbc77247c3fe213f60
-
SHA256
dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff
-
SHA512
457c453516d49626c8f0e5e9a446962314e44c1cfa8ae5b50f0fe344590ceb2a20f53936c3d6a6aff9e0379bbe8e0b9afdb3ec994ce1ad0980620919f29b5157
-
SSDEEP
24576:5yRfeUF4xX+YYKqx+QgmUpqWngJeXUXDH7:ssUF4xXPY5gmRVJeX
Malware Config
Extracted
redline
kira
77.91.68.48:19071
-
auth_value
1677a40fd8997eb89377e1681911e9c6
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe"C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
679KB
MD538dcff455714bdb17ef60c8709fee41a
SHA116eeb79664bf375650e2c86424283481bbd252f1
SHA256008c5bf896cf5af82ff2acf60395ccac2aafbec1cc9d27b23ea76b99e4fdc63b
SHA512039d6ea2ef9666a4249580fc9e7dc632becde7f2459d4b3e8d5e7cc8d50610daeca1c88c9399c918c1cf595fda398989b01e43c75f24a1189afe9f2b9c0a073d
-
Filesize
530KB
MD50b070eaa974b1d0f40b1ff2a74ee5627
SHA16b6d5b58512593ed0e01787c9008e233df1ae0cf
SHA256ac60c61dd7faf3ea6adb47dfacc85552deac06248581476c7f3da4e8e611e1d1
SHA512e4e1fde5b2d7b5d4ffb9d49ae500c5cd57f20dd104c6ef9d093436f948365e9f134034f0d21272e352b0e5c0679f2db4d92d50a929ea9e046bbdccd84e2846a2
-
Filesize
692KB
MD5ca19281e3856a360a4a919d0e18b53c0
SHA1df6ff057de730f59b6edd9d6e79b53487892bb6d
SHA256783219954200e5f28c46058a4c247e5d56102d60fe888cf1248d93650a8b64e5
SHA5126a79e3f5dcb8e2c51ee8bd86ac002d9a59ec06b1f9e212e63f8e91e55db42d686ff3952f0ada7a4fa83c261ad1db295168398393b0dd356ab1d5d9108efb8a55
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB