Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 15:11
General
-
Target
0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe
-
Size
864KB
-
MD5
c86ea9744ea3cca905b7657585568de6
-
SHA1
ba018b2d08a84d2e411b27e314cb8a23a06865f8
-
SHA256
0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1
-
SHA512
720bb844157dddb335fd3660b32ee9bec30ae3853fe5b26d3194ea517481a9f6b265b977e5d8bbbc92316f7ed9d173380192d93ab3b4fe2521d26462798c05b8
-
SSDEEP
12288:9MrBy90lDtGyHT69dmXPVxG0IYjxSkZiUnt6YdipFOj47Ec0yWLcp6pSa8YmZ41:kyQtGyHh9xV5QFpQj4T0HLc5NtO
Malware Config
Extracted
redline
kira
77.91.68.48:19071
-
auth_value
1677a40fd8997eb89377e1681911e9c6
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe"C:\Users\Admin\AppData\Local\Temp\0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2246758.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2246758.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8233586.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8233586.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6911492.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6911492.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
681KB
MD5b9279e968f91da41144a000ef5b42321
SHA1e5a9ec6cad2c292cc362faa3e0f0fc41c5d6ef09
SHA256feec5c272e7bff5aded15e4b7ae393595d187d66a0e01dfe96725e6a7728d903
SHA5123c1426808507a715a57506b5efbc23417f06692b184268f9ebe0ad6d3fa5ae6d77cb8d2ec36e94277e42c2d511d84d5b179801504eacb4f51b4c20788948216d
-
Filesize
530KB
MD5b486d0327ac3e8df771fc57d1c8f9eb4
SHA16927a5271caa1f8afbadb32349dcc7cbef0a9e78
SHA2567880cdc9c1da87ac1af30b59f7ca066ed7df4e138dd1925e5324e84f2e643465
SHA5120b47fdc861de16a959392e82bf8e0f9a45b9413a1aea7244a9de0bf37871f03f7483bb0cdc487b2c87fb7059c458ce868196268c48300157d148aaafcfc98351
-
Filesize
691KB
MD5f2f15ebacc353c878213af99699b34dc
SHA1716a391fd178103c1745c6513b79130db386e77f
SHA2562f48dce96a3a36a28a789c89629fc818702a5ba0f3f29e3380a6ff81ddb9d96a
SHA51251632819df0db968445475defdd17e0d5b2226ea7c102edaf17ced6c4f19fd3eaeb748e732a16876cd9ca0500bcadf7d2214be9ece4a903b1f8e2ad78138e9e8
-
Filesize
6.1MB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
40KB