Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 14:15
General
-
Target
1d089addfe2c948a1a6c3e3f250f79ed616a211060d99b5efec78c1eb1b2b0b5.exe
-
Size
307KB
-
MD5
406420c14aa174852320d385d123709e
-
SHA1
7d024d2fa2371bafadc17f0f0b6f99e27066f96a
-
SHA256
1d089addfe2c948a1a6c3e3f250f79ed616a211060d99b5efec78c1eb1b2b0b5
-
SHA512
854da09f5d7affd56b0053dee765ae569ddb42cdbb80b5290bf1671630b9e0e938b04e5a26c04ba9cd7f4721918eaa487858497bdd241417d92339b6a938a859
-
SSDEEP
6144:KPy+bnr+rp0yN90QEg5F5OYc1u31g4TByzpGJqadn6ffBCe:BMrDy90Gxc1u31TTEN0Z56f8e
Malware Config
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d089addfe2c948a1a6c3e3f250f79ed616a211060d99b5efec78c1eb1b2b0b5.exe"C:\Users\Admin\AppData\Local\Temp\1d089addfe2c948a1a6c3e3f250f79ed616a211060d99b5efec78c1eb1b2b0b5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k7524738.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k7524738.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6214693.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6214693.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD59dc0807b30c631ad82b81ba142523486
SHA11abbe8774d500395400fd74965a6613fb8c160e1
SHA25616e9b0845926d775d75d6f8090b0de172e527cd99fe864ce5f8ed5844b47c0ec
SHA51277f28af63b0eb0fb734972d1dc3ac9490602bbad42f214a42542fcc6fbc93148ff81ea92a2c61d1bbdc099ed12cf5dc287c1b66c7cf575ecbab82b972dc1cb3c
-
Filesize
168KB
MD568d7c4353d6992f4549ec4f6796dea6b
SHA1134bffa471475a5b69a1abf3eea257f4076bd410
SHA25698448fa312818534ead0262898b26bb51e4c6c6331d5a3044cd96142774ae697
SHA512c2bbc566aed57c93a2a7d5edc9bec915225e5bd6695d9d953a66f839d01a1c3a7a0825ea2866157d4ba9b0bb2bae0b86599a5e1d55352efb1b29d6e5092e276f
-
Filesize
684KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
684KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
192KB
-
Filesize
684KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
4KB