Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 15:11
General
-
Target
23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe
-
Size
307KB
-
MD5
ca2ad17b64a10b961c2b14a7e47a8030
-
SHA1
a339ebb686b832fc87af3c287f67d8ef52e140e8
-
SHA256
23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94
-
SHA512
ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04
-
SSDEEP
6144:Kqy+bnr+2p0yN90QEw5F5OYc1u31g4TByUo0b4jut7dJdVRbpDXtOBC:uMrCy90qxc1u31TTEt0cKt/tOA
Malware Config
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe"C:\Users\Admin\AppData\Local\Temp\23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3719439.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3719439.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6925739.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6925739.exe2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD50e2a8712db80505e38c2816483598edf
SHA18ff6735fc1c080fb73825928f2bf9aa409b3758c
SHA256a88a17437aa434a4c8df1657b4ac4c72d5d65247c160b7d2351101a2955ecd0c
SHA5121076c1d65c2bd3be562d57ebe5a00af294242456a80a4149e3ae5ed1816a35abdab48cca90617ccb9839a14020391ed425cedba42f63c75b8488f45485108d91
-
Filesize
168KB
MD59eb1e1ed0fb5f198b60699f1d6f2c4d8
SHA10a93100586a585ffaceecff9c67cf28e703b67d2
SHA2560fce1f4c2a87e2bdccfe4c3112f837d1fdeb91edb113f055787e29000a4a348b
SHA512fe9679472176c5d0648355a230eb9b77a19d565b17cb957a14d96d60df338f039ddbbdc97c611776239e8b5b3e842c85e8ac6b50882feb59917a1bb12496140d
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
684KB
-
Filesize
684KB
-
Filesize
304KB
-
Filesize
684KB