Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 14:32
General
-
Target
ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50.exe
-
Size
307KB
-
MD5
367ff3cd17fe97143cd8cb5f9e323046
-
SHA1
0a213bcb8d4e658992d1e083b0b206ac3650ba69
-
SHA256
ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50
-
SHA512
9c2fd4077ecd277d91e83160a5c2a0a3bcc2c8774dda670dad8566a789fef7be158a87397cf2fa7360fda1916fac8331b61c55add4d4018ae2dfacbba6a32894
-
SSDEEP
6144:KYy+bnr+gp0yN90QE85F5OYc1u31g4TByrF8wtc54DgJ:EMrsy90exc1u31TTETt/EJ
Malware Config
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50.exe"C:\Users\Admin\AppData\Local\Temp\ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k1520744.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k1520744.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l4036908.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l4036908.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD57ae5c9c884c8a206085a31b28559a56e
SHA162ee3946087638f78cb879cec7873e931c3ea386
SHA256d78fc25515b72db855c730b5e4a5bd2db040c857f8921ddead622d646bd6c98e
SHA51254270113c6f8671b4ccd236e096f673dd8d0ca10f61bb90b798288c1340812893bb6db49db40d9e204f864c60091446603f1e1e2e6e4eb5233615cee8c0847e9
-
Filesize
168KB
MD5faa7957999bc9ed6a221c8c19b9d09f0
SHA1eef2368343aa03127958ec5a7cc507e469b5a028
SHA2569bf4ace7974b14c0c0d4b9913f95ebcd3a4512c54dd4a04281af685ba1bdd895
SHA512d9e747f865ecd24b5f95369cc5cc824a14cfbd827615331639c0d99ae512a2e18479c10e17f1368f4f96da741f4129e6bfd426f82f44346edd384d2bca5789c8
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
684KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
684KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
684KB