Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 15:13
General
-
Target
5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
-
Size
480KB
-
MD5
da1a7836295f867660a4ef08cbd034ad
-
SHA1
ba6d8cc6092de77df9c6dbbd70b3344739d2f7b6
-
SHA256
5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980
-
SHA512
b992f960dbee603138e2d251048ce9448e2762cb7fae486f6fe3fbe9c739af5094a3d6f7dc6da38172c3b6a23ccc9b02a01edaeb73fee305c2dc0cdbb814973b
-
SSDEEP
12288:aMrYy90jit+Ui52alg5MAxa3xV6x3ANJ0+kwPvIKw8F0:iys1n2AHee0O0+/PvIJ8u
Malware Config
Extracted
redline
mihan
217.196.96.101:4132
-
auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe"C:\Users\Admin\AppData\Local\Temp\5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3188639.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3188639.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8375659.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8375659.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7173200.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7173200.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
309KB
MD5807e71d7270ae44b1afeecf5a8acef11
SHA1592e794dd1f853fcf84fcfa47240f809654ac553
SHA2562958df126f58bfa9cf8a442bda3aa95a2a4462a00453ce2de5927d4b3db1ce53
SHA512c64ed63457b3d9d25bab614f39e24b8bd1328c2aa234ebead0eaa26e2b29a24dc5575248eeeded3ba30d97e366a40dee59e583a09e145b0fd7347ed70c8deab3
-
Filesize
180KB
MD57a3073915f79b6370ced968bd0641865
SHA14bfeaaacef77c10a76c5107e9079217e22f70ba4
SHA256c09f37dd8bdfc6fad23336a853e7b6a24413627a5196b48ff1a4bfdc2ec5b94b
SHA512cc64029593e582e10e4fdd262add890f878c0ff285390473d24f30e37c74100102f591cf5fc34c3433d66eff3ce30d83377574c0decc63b5014aae3d7b5cc99e
-
Filesize
168KB
MD5bb5a235b78bece4455fdf8b0e1feac99
SHA1d464fc693250f9a1968c91d30fd7cc2ea5966b3a
SHA25673d99cba272ccc89b9068644a65a2c778f754e233fdac271ed3eaa602ff17e66
SHA512b30e111f04ab68349f6811d7d28dc3fc46f8c16c4c1a791d7d2829dfb86bbf8bc2aa5961d7ba3090f20ca4c689ce6f254e72bfca8669ca3fed1a644f02e514b8
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB