Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 14:27
General
-
Target
841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82.exe
-
Size
918KB
-
MD5
3d56fe60879ef137225e115ea42923cf
-
SHA1
e13b6d13fe9d23e1e67b2b9136fc8ce25aa8a3ee
-
SHA256
841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82
-
SHA512
151dd3af640f2b75af8b5c56c79b7faa72c1b92b334157191afef4747ee6d138ae991f937b752535c932fdeabfef0e6d7cc661107c3207f8138cc5f3393662ef
-
SSDEEP
12288:kMrHy90QFfLsOpAvhgQTDKstwuoHAb8ce092kfJZGwgb3N4R3pQZp86GqWLYWiyk:zyNAZvhPKstwuoHeBXjv16p86GS3
Malware Config
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82.exe"C:\Users\Admin\AppData\Local\Temp\841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exe4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.logFilesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exeFilesize
763KB
MD5ede57962f295bf08f53a8ecb2a5ff527
SHA1867a158e8ccc7e1ed3172b9a72376016475fb52a
SHA25684888a9705747c4916947eb0c2a267a0b7f52298ab150fccc5fb14e3610e6fff
SHA5120c368c5f97be6769f4802983c2cf6bd91119eaa53a3ca54c6ebd3b53ca21d3b34ad68341fc8d6b2c2475841487b6ee14a47d7501e82e47134cf857273879f5c6
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exeFilesize
579KB
MD5850e3bf170ef064bb7e3dc1878dcf38d
SHA15f17fbe509d9f62686fe1ad9e291e1cfd44fea94
SHA25698e3d735da5e971cd256f503e99738c519c7324a63383259db25b493e81f7721
SHA51200e7c117b916047cef13eab346b576cbb2f5da926a1ace8bfb0fc3098e3a42b89d3cb75c246141fccc9e830cc31bfc28461e19f26bca1c5191d73f61a12936f6
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exeFilesize
291KB
MD571c4479e9cce36f0d305e966896ecc45
SHA14a96d92d6a305841fc6aeaf8c52935137b3e8a02
SHA256b542aa2cd85a09f28526016d538789c2b65e2c428140ed2b8972216f27233480
SHA512b0af086e5cb159dbc52539dc9cf7ec95b86a062ca086c43bba4b65cd1538c5943ba5140145a48e53e55e9be19922cf67fb76dd38af87f2700acac209cff7db36
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exeFilesize
491KB
MD52bef8c25cdf5d7bc8f17e76423af8637
SHA1bab3f4c91612360b11c61ba7cde47da6c20d0071
SHA256aba3dada1170f6501dd720eb390cd2ac3c88429a60fa570c5b5303615c9fa599
SHA512ff294ffeb4a6a7cd22ceb291faec91e1a176cfe90e5ff9bea95e8ebbd28d143d2f4b9b150d2aef87993f760d7031940a3e16b6da645623f82c77fc85ecf47879
-
memory/2596-45-0x0000000005150000-0x0000000005768000-memory.dmpFilesize
6.1MB
-
memory/2596-35-0x0000000002060000-0x00000000020EC000-memory.dmpFilesize
560KB
-
memory/2596-42-0x0000000002060000-0x00000000020EC000-memory.dmpFilesize
560KB
-
memory/2596-44-0x0000000004440000-0x0000000004446000-memory.dmpFilesize
24KB
-
memory/2596-46-0x0000000004BC0000-0x0000000004CCA000-memory.dmpFilesize
1.0MB
-
memory/2596-47-0x0000000004CF0000-0x0000000004D02000-memory.dmpFilesize
72KB
-
memory/2596-48-0x0000000004D10000-0x0000000004D4C000-memory.dmpFilesize
240KB
-
memory/2596-49-0x0000000004D80000-0x0000000004DCC000-memory.dmpFilesize
304KB
-
memory/3628-29-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/3628-28-0x00000000006B0000-0x00000000006EE000-memory.dmpFilesize
248KB
-
memory/3628-22-0x00000000006B0000-0x00000000006EE000-memory.dmpFilesize
248KB
-
memory/3628-21-0x0000000000401000-0x0000000000404000-memory.dmpFilesize
12KB