Analysis
-
max time kernel
154s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
23-05-2024 17:43
General
-
Target
312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe
-
Size
1.1MB
-
MD5
c051fa3a44e8e46b51ed93f3be27b4bc
-
SHA1
187538cc7b95ad4c0d28ae9d079031502918b116
-
SHA256
312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a
-
SHA512
8622434fd5e93a087d2957b071858ff6b34bd24ed251ac23c6fa672d1b7feeeba702eadbeea6b82e0523ad05ab55d4415b147c82099a1ce8edc45b5a94c6ff15
-
SSDEEP
24576:IyZlHWgpvHbRwWq9OIt5LMbILqM5kntjOpHK0q+4pTOM:PnFvHbGWq9OIt5Dhu1KCc
Malware Config
Extracted
redline
buben
77.91.124.82:19071
-
auth_value
c62fa04aa45f5b78f62d2c21fcbefdec
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe"C:\Users\Admin\AppData\Local\Temp\312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6060020.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6060020.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2531208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2531208.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2240546.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2240546.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4396706.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4396706.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 5566⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8077140.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8077140.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 864 -ip 8641⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD51389bf10a539a5702c3d245dc7164b58
SHA16412368e086d36d0d81df5d2d481f036b6979811
SHA256ea11e81a9751b856befaa0eead6dc459ddbbf65f42e8b9ae2a6d548b9ca92b1d
SHA512a1ec8f94aea900740f76f440ae0d77ce613a0099ad3e2d7b9527aa11f48ed4aaa83b4b23ceecf99638708144a16a30ab761fd4aaaacd9efb28e33802baec6948
-
Filesize
651KB
MD507e523cebd56b15f3d5c54e5b5de6c7d
SHA1fd85d6786ac763d03267b3fa599cb34da2dcbae5
SHA256c269270e45ea3f2d3ca0bf35fb04efb762418d9e20fbd8aa8d24debe49be7dfb
SHA512a5e3155dfa38d622030d2af35583f7b26c436e54dd507cb04564d9bd5a8b1c14063b8bcdf7456398f40761a057d956d83f45074a8674d72f4b2bbd5a9e67bd8f
-
Filesize
465KB
MD54b2c7019bbd1d2b376ce4de382e2c35d
SHA1f90c28aa2847593047b8c109cb5f6e4d258a2c3d
SHA256e1a38a4f51476d4f26c9a130c8bfe0d82875d9345354d680486e347cfb91b99f
SHA512866bbd8ccc998cf2d653bbc84e5a6e3741659d2fe2ac52f873f9d84100b23aa9994026ce670e9a5f44fb6256efc3aece50df13238c4f57d5af58c62495e0de08
-
Filesize
899KB
MD521f145baf592f3ae5bfc73c91842c8b9
SHA1d75161e7fedf8881e4a775c1329ca9f2e0dc8370
SHA2566e2d3a21290c83a675edc1f005263dcf6f4ee3664744f5dbde16d25e285332d0
SHA51207b7affc8724da2cde01be38910455305665b284d1c4df7681fe4aa7069fc1ec674cabca7e926e70ea054a9d05d9903a5fcb06fdc80ad23267dd952fa75815ad
-
Filesize
174KB
MD556019a085119ae67e250f5fc81f4a8b8
SHA184d7d24264f61f2f485fa5531aff796ea876be49
SHA2567334ad17eecda8cda9cac7f0d54c6accf593383d8eddae978ad0f67a948f3937
SHA512daccdabf4bc3363cab159529eb3bb287179046e90de95342db7166a9c97bb9dcf7b6aebc2596c082ea928a4b182963a4b0fd6fc0064a8cb2ee184b21466dfaca
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB