Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 15:13
General
-
Target
db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
-
Size
481KB
-
MD5
b983bbfa2e93dade84538209720f5e08
-
SHA1
6aa74f2b866844d1b5fe626d72e29ff27ffe095f
-
SHA256
db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3
-
SHA512
11e6207c8144315a15dfd8c7e486a2fff3d0d77a9c860e775ef8f5c50f4f61b12ab57fc5e61a3d821676857e701ff2c221aa11832987fca344a2ed861d58158a
-
SSDEEP
12288:pMrPy90u/cEIpe3ZHY+YtBEn1C3xvimDfHWu2BI95:uyD/mepfK2WvdLH6m5
Malware Config
Extracted
redline
mihan
217.196.96.101:4132
-
auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe"C:\Users\Admin\AppData\Local\Temp\db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
309KB
MD578289d64bca8cf7001a2833b55f2d498
SHA146803bfbbd092741d0ead6461ad85e4411b8b564
SHA2568e1e0b35af10cacf9588932c603d7913d923bf0337f00201cb01275d6f6bb94a
SHA5122fd00e508126efa27032ad5590bed9f12c113ee0a9fd852fe8b71eab4180022d724233c7936440fa3e3ea25f017ee2d3f6b08b40523b955a6129a07629058b59
-
Filesize
180KB
MD5e20b8db65254032c64dcbba10e2538e3
SHA16b9dce92ff8582993c93807070d22b3e51cedbe5
SHA2566238e60d08e87649202d276796980664795c96d4cdb610debab0c18928323885
SHA512d2e6fe43d7c9bde6bb14556655a9a3cb71343b623209ec5b84d669030f57bc2f40fc929a54add3ce58460350a1dc41da55e98989f2805c241b490346debb8e81
-
Filesize
168KB
MD59ca4be4159a6d2a62bf4c67fdd2f47f7
SHA16a6fd283228d81238b60a4fe86d4ccea44f6dc62
SHA2564f48de5e12e4d0cf4bde18b729a8399f9b81ed39b18276e6ecbaac2da20e8af6
SHA51287866bb49c961b9624d137e8cf6c2308b2c998acb12886ccc63213b8f6f4478bc1f0d234906a1df04ff082d458354c50143c9843bf0535b20d40bee616ba6076
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
6.1MB
-
Filesize
304KB