Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 14:40
General
-
Target
4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe
-
Size
307KB
-
MD5
a9938a8bf2e4c5465b0c1f8d94199778
-
SHA1
21a10d69514111047d789e5fabe472a9cb8b190f
-
SHA256
4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a
-
SHA512
5404f81f3dae9f4c5192c18448aa15f90ff15e5823d6f971cafb3670d301f620c0928ed02bec680fedb7213b631d7e72e1748e097a0c477fa73df7c430f320f2
-
SSDEEP
6144:KLy+bnr+lp0yN90QEv5F5OYc1u31g4TByxV7KJytDAUYss:dMrZy90Pxc1u31TTExV7KEt0UYss
Malware Config
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe"C:\Users\Admin\AppData\Local\Temp\4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6930139.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k6930139.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9939101.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9939101.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD583bf542e1973fa2acad4903024ddccfe
SHA1364e5c9d74370c62541c918d9040f0c607d547b6
SHA256eaafb2e0c7770c617b9349f47f8c7d76e3a523c80096c837ba61a904a6549a02
SHA5120aaa961c9c675b7a6968ec12cb2d3ab1767689ac4631ac9409395ebd5f988b50985e11b1aab340ef09863f6827408de5749cb4461bc34a0be9d8803a6d835ecd
-
Filesize
168KB
MD50b41b1ec0d807f087a7d78136bc00f26
SHA1927204f69df79a69811f68dab540c341d915bc16
SHA256273855da6b0874cc5cbbb1f51ea29f5dbf61d23f6dadd76ad3a0e46113c32d9b
SHA51284f1e11f6db2804290d36cf9c39bac7ab2789812bd9c7a2386579407bafb397dd6d88fb79f8e1dbeafa1d0122e36b62268a2d01d6a2c0db5dbe6b50bf4c80252
-
Filesize
684KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
684KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
24KB
-
Filesize
684KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
4KB