Analysis

  • max time kernel
    135s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 17:10

General

  • Target

    3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe

  • Size

    768KB

  • MD5

    31e9f3737fd3f934ce46d6c2099e5243

  • SHA1

    54e992452c1e7e0d068d22090541c8eea71049b3

  • SHA256

    3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f

  • SHA512

    634108bfebf5b3c2f868df51d0e13bbf1ae539863e29b410a139dcc12376380d1decdcec21406cc73943a5011ea49544bdeda74665ac557dc59ba4091a4f1991

  • SSDEEP

    12288:6MrVy90aRBe0s3hBIVTjySblJVsRTWFEHY8cOWtgC+a:fyNRrqBAT2TWFEHY89FC+a

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe
    "C:\Users\Admin\AppData\Local\Temp\3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8534019.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8534019.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4956900.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4956900.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0072402.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0072402.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1044606.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1044606.exe
          4⤵
          • Executes dropped EXE
          PID:704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8534019.exe

    Filesize

    492KB

    MD5

    e330f2faca30ccb6d43d33f629d16dca

    SHA1

    8731f28a8b3534e74ee920509e90322953ec7478

    SHA256

    03ad89c70c9316adf2548070aadd4e037963fe694777ed8485f8ad109f552c73

    SHA512

    af157a242e58d61456cace704d156739d989b4ff2bf4f298236af4dc3112a334824b3e9c2e73bb8f8ccc4be2806dcd579d08bb18b57c02bc5e5e718b0a5ea5fc

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4956900.exe

    Filesize

    326KB

    MD5

    fe26f52baa53f977be6760aab01b9826

    SHA1

    c98347da04ba1274838c3869157516e54e1ab690

    SHA256

    468e4712d5fea635fcc38970efb731e365cfcafaaf2d8786f0645b7cf384514c

    SHA512

    adb007713e03cbe10bc9f2c6336bcff588b9cd7f8ddcdad7fe2495b488dca54dccc784e1aa0ed2f3759ee9318fa1461f1788ce9e295863beea2055b4aaa675ad

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0072402.exe

    Filesize

    256KB

    MD5

    bcd8e40adba0f4011b5626858fbbd705

    SHA1

    53c583fff5f32156bac125f66379b23ba7d8bd93

    SHA256

    34184e731d362a6c825837a0e4a27073679170f5032d595d3ab40959315450bc

    SHA512

    7e0ecdbf0851b8b6c54396c9e05fff10de35d50227e349022e3383656df0eff36afbd161054919bc3ca581f2f021b66c66df5a84b4fa6414d01c8e3bd836e9da

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1044606.exe

    Filesize

    175KB

    MD5

    e9705bb9aa5729ef3c986bc7bf43f86b

    SHA1

    7d80fd867d45d6f0f56011c40a61633f22e99aff

    SHA256

    285bd9bcc3cdd1307ef78361428d53cceac5c8ad826ff52503f0730330f0757d

    SHA512

    dd41b8711d900e46f327dd487e14abc05ca61d5cfc13cb2f465d0702363a671fb3b713cd1b4b5f37e3434bce7ec85d7b3d440f9a33f0b63cb36328f7c6be0a25

  • memory/704-25-0x00000000000A0000-0x00000000000D0000-memory.dmp

    Filesize

    192KB

  • memory/704-26-0x0000000004880000-0x0000000004886000-memory.dmp

    Filesize

    24KB

  • memory/704-27-0x0000000005060000-0x0000000005678000-memory.dmp

    Filesize

    6.1MB

  • memory/704-28-0x0000000004B50000-0x0000000004C5A000-memory.dmp

    Filesize

    1.0MB

  • memory/704-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

    Filesize

    72KB

  • memory/704-30-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

    Filesize

    240KB

  • memory/704-31-0x0000000004AE0000-0x0000000004B2C000-memory.dmp

    Filesize

    304KB

  • memory/1316-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB