Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 15:13
General
-
Target
8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac.exe
-
Size
309KB
-
MD5
b9b102e068106e1bb5ee1ec690f7e363
-
SHA1
0f162bff994a065fb08f224be4b5dc4eca2b73f9
-
SHA256
8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac
-
SHA512
88aa7fb366e047aa081f60e457f39233e805459025119bc3e9826449fd7db155bba0db3c560272104342cd52ed8d5b8a79de589b4acbe9e99727df23a54c1870
-
SSDEEP
6144:KDy+bnr+tp0yN90QE75F5OYc1u31g4TByMPCKIRuOJIk/:xMrZy90jxc1u31TTEPKqDb
Malware Config
Extracted
redline
mihan
217.196.96.101:4132
-
auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac.exe"C:\Users\Admin\AppData\Local\Temp\8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a0632699.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a0632699.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b0788774.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b0788774.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD52dfddd73d31864692324ceea8a7a4cb8
SHA1c19a892523114d379f85e3286b0b69f97edc751e
SHA2568fc6e05b5c0d6aa8430fc649542758d970226d8ff2b7ea0a67f9a00887321c77
SHA512620e03d5824a660d2cbf72faab3f726cea4018dea1e45ce6d8e5fe0026d17f32fa87c52c012634ef37ea011af03089d3e0aa895c7aafa03465dabf614ff9f6d9
-
Filesize
168KB
MD5616457cb4f295e389a163df89bf8e73a
SHA13e08ef30cea049082d2d6d5ec3b1998aa8226fcf
SHA256d75800d25073b6f917a3cdf5da958d90c5661346cb69208e62077313a766b871
SHA5120325df9d40ecd2fc85daac95dd7bf443f3744119257ada5628107b4d74cc6a816e7a759c8f2813c78278f4ffdcf363f91b69feba02e99ab616e071751ba8e9b9
-
Filesize
684KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
684KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
24KB
-
Filesize
684KB
-
Filesize
192KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
4KB