Analysis
-
max time kernel
132s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 17:26
General
-
Target
0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35.exe
-
Size
472KB
-
MD5
6ff1a455bee02fd15858c1e9324655a1
-
SHA1
eabc36878fa2c646c59a88e4184601acfb8ef904
-
SHA256
0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35
-
SHA512
56cc3ba67e4c84eb4ae885b06f96ea0894d22aa4af2c9cda8debfde8b02a21410da0add2d64bff488616675f55808dca64d683a965c965f712b51032aebc7fad
-
SSDEEP
12288:iMrNy90xixQ21JflwuqdlE5ntM2LcjqeicCWCCVX2:3ylQ2vqcFtM2IqcC2A
Malware Config
Extracted
redline
moner
77.91.124.82:19071
-
auth_value
a94cd9e01643e1945b296c28a2f28707
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35.exe"C:\Users\Admin\AppData\Local\Temp\0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5152075.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5152075.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9981661.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9981661.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6158615.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6158615.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
306KB
MD5083698040f3d894284f368b199feb1c5
SHA15ad081ce1bba898ba7debe73dcadc07c29e99ea7
SHA256dc5b96faada8ad9fec9791b37cd1d7524480c0b5b385c7e93d5c1b8a87b6a951
SHA512c59a45526d605743b7c4a57a403255be7e61ef76cb06043e92372cb71be1da6bbdf5a7e9619bac6dcc385724b4944368ca893ab20a427de3b2228177c211e335
-
Filesize
213KB
MD58666460b59bbf9ad837c7ce6e48e44b5
SHA17dcbbe93b3ab2e0733cba10439ebb908b3d4c7e5
SHA256b0e041a212294b2fdc474bc619cd5da217f0b7ac27c30b819f671c311c54b9ed
SHA5129407b97fd1f3d478328ccff7f8ac843fb4d2c5b1d04c2f2abd4b9a8d6d2512bc5ee224d5f9a89d44e03171676f950211ecd3f3508acf46cbf4da4adf05b79a74
-
Filesize
174KB
MD521787d88f38dd7d7c236d4f380f33f95
SHA178e813d4ac7bbc19d2103d7611ff6938ca37a3a4
SHA256422861a2877f1c4b77ff40704728c154dd3bb9681510c618f52160f2f931afdd
SHA512c9b1ec4e94c9187df109493d8e6e69bc8e290f73cfd74cf85e3f25451d62b1539685bb6f3982335b77679ad008b94813ba5b9e0d9d36f41e4e52f13b7aa515b0
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB