Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 14:27
General
-
Target
ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4.exe
-
Size
389KB
-
MD5
3acf2e92c0625f14957b8bba85a5a133
-
SHA1
519645e11407ed3991cf6501314ea5d8cd4e7a64
-
SHA256
ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4
-
SHA512
e181da02b0e85eb7362d0528e5f2da52140b607e44c0f01bf5f772e80992c4fe396d1aaab512e1fb57f7cd54258488a8bd00386ab23b57b932c8d1259dc000b9
-
SSDEEP
6144:K+y+bnr+lp0yN90QEUO/bqnT1boVBqmroo3FgmF32GBzHPIRUMjRDDQdf:uMrty907zqT0BtUqoAIRUMjRwdf
Malware Config
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4.exe"C:\Users\Admin\AppData\Local\Temp\ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8044384.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8044384.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5335402.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5335402.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5275281.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5275281.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5c8b9665121b73a485f79a2de1628661c
SHA1bd0d783f55f37e8737343bb00b49ee8cf2fa0ba4
SHA25640c4c723b4d0c89645ae299cab3530bc2ef9c57d9150449fe0c8c6aead004937
SHA5129b5eed29972830c26142a8bbbe0dd7b850854dfaeb6c1d0b8e2597f874df5cea1737de4b52142527e6da33dc9f10275113c66b694faf153613929f28bd9d2862
-
Filesize
14KB
MD57cd0e92a3344c81e96123ea28d0acb91
SHA171c25bf1f5eb3e3f23ed2bde5ae76c853bcc16c2
SHA256f4c25888b594f3e771c892db06734e7a18adc87a4dc9e2ab0488322307844584
SHA5124965602e6ea39d53b3044432ac9ca2a58b8d556ffa5295bc75b065d8db6df21e6ef6578cc7bc47f2a239b067ae6226fc2fa8dc9315ca5b16cad6e842fd6c9cc2
-
Filesize
174KB
MD588902ec73df2239eb1b5444e9faca32e
SHA1708b48c5f20fb8929510495b969f77cf7f990061
SHA256d68f96f7972e2a8c02ed03bf9cb5bdba900bb7dde262eeddc9a31cd30722f3bf
SHA512b88c8e41ffd91482882d22569af4c86302e483ccc0cc0f1931080c126a1794a6e2183880a153107911c28526782faf1fb5f59efa4cf5d32eb1a9ec9125084fe6
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
8KB
-
Filesize
40KB