Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 14:15
General
-
Target
f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe
-
Size
389KB
-
MD5
10d90091ef4d583803f960e642111708
-
SHA1
9a36e16049aca4f664c3802003afa15637326ccc
-
SHA256
f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203
-
SHA512
01891a9da02ab953a654f96bc927df089e11c28dff9983277621cffe463da5ff3a888992daea3f1f82d68fa1ec21ea6502c6ea4ceeb0495b3a13d813b438bd2c
-
SSDEEP
6144:K/y+bnr+5p0yN90QEwBYGFRxbEZcRaEHIpj1XH8bbvymQmiaKq9REG8dq2:pMrpy90LUIZ1EHEBisG8dF
Malware Config
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe"C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5939d6f1624acdf247b27e417461f6fc2
SHA1ababd4e5b9de14e4db986e9ce35439f8a5b29386
SHA256006b489b6a848040e6f48669e137288e8d58d22f75e6068f32a1b1e7c1c168d8
SHA512b67ae62b285f9e4888ab9081b5a8a1e58d4135bfee3e10782b44ab9250a259078b59b16457cbba3ebd34649b50db6c448c0e1c80a4e0c0358e29568d8735d034
-
Filesize
14KB
MD56bdbfe0e106a0b46337cc348201232fc
SHA19456f1008994ed07207269bf7fba4d7c5b075820
SHA256552c2745a35630d97283d469214d8b3276ad11187106a62bb22a8363246b2c02
SHA5125b1e96a8760b7c45edd7857a12039eeb64f5f25bc1f7d216a63661b0933589c5fe3a2075f666947fb2c3a32f27a4077c99d971f8d5c8373e26baed004af663a5
-
Filesize
173KB
MD50a6b4b6dc4ea62763a5d60c97a069bc0
SHA159c43e0db270ec2bdb287d6fc2f6782df3fb6763
SHA256db4738b7198f819e211e04cd15957e5dc3e8a63d37f9f985f2decb7963d156b3
SHA51285f48a2c1ae7e0b59c821de75ba85086377d72ed7bdd0bcacb9af620a18a02af1e91547b2fbbd8823e3b1dcdb11a907ef1fe187285c8299c1cd54b68f41cd445
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB