Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 10:53
General
-
Target
7e9155d19244bf4b3b908d8e3f9ee675fe08dd54149e960aadc1447230b8319c.exe
-
Size
492KB
-
MD5
5b0a257bf59bde11e4608365566bbb14
-
SHA1
6ad284fb11504b87efc4b1ea8c72eb851e2be77a
-
SHA256
7e9155d19244bf4b3b908d8e3f9ee675fe08dd54149e960aadc1447230b8319c
-
SHA512
0b94bf361b4f07a6916422abc49b855e018fa42b84776a799088b92675d7a53cf9de89ea5fb015f1299b632e46f0709b841ab92435cb4b62d31f7284b8316c17
-
SSDEEP
12288:1Mrey90jvd26ReJpsOSbey19hEYqyoCsYdf:TyyoXJpsOS9jz3d
Malware Config
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e9155d19244bf4b3b908d8e3f9ee675fe08dd54149e960aadc1447230b8319c.exe"C:\Users\Admin\AppData\Local\Temp\7e9155d19244bf4b3b908d8e3f9ee675fe08dd54149e960aadc1447230b8319c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6501903.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6501903.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8615066.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8615066.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1214333.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1214333.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
327KB
MD57ea5b4265b407287098d3f4a494f4cb9
SHA14d997c012fbc2d75102cbb6620f912454394cc38
SHA256cdee4309b1e0c9b31a359f43ff9c90fde77a296f226d192cf02ff2521cb23a23
SHA512f2a9acec2b06d597c264c2006542c6b3d5d9343b02ebecaeeb22d290b13c63c00b68f8ca84bd7979a883541681c3b6f6672187a4b8be2855b8d49ff102364722
-
Filesize
256KB
MD57f5b9499c28566e998ebdd143ed9a75f
SHA140253744353abaf5b93d41cc0fc413e84198211d
SHA25692346d7c9a0a998636236ca39e817b2ea243db7238e46460e24874253f38d252
SHA512c09c51c2e92215113457378e425ee33dd55299962518a9048c47ffcf63978b013243057661d8b6dab3c175009e315a39c21856a07c05366e55df59ac1df9f5fa
-
Filesize
175KB
MD57cfc6321b809d8e20cde8da04c874135
SHA147cd1b0ce899950eefef52ec3e4a935524db4bab
SHA256e0d0ec547e74ac2a20a0861b3adfb277514299513119d851e30918718a37aa72
SHA512059c008ffb00320c8b7f6fe71ae06c8c43f40f0d6397891e5bfedf0e96aebfa694745526ee2b6b00c9ec60b2da6991a54164e69311cd48692fcdc9783b81cb12
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
4KB