Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 19:03
General
-
Target
5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe
-
Size
729KB
-
MD5
82c85db59edaa8dc52bf1c07c43bf40b
-
SHA1
94560464456584401c8bb85a979a43cd91dde5dc
-
SHA256
5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7
-
SHA512
4c5e45ccf84d7fae3168c99afacefc436faa185eeb1038b11ffeb3bb120515a4ba61756c84c5fa9c60d81774c8de1841372cffdfb60d7d151fc8923a124e179d
-
SSDEEP
12288:uMrvy90TqAzTul9aPd5v/QYxKNFAdtI2DPCztUKAMhFN+08EvFne99jnEl5m4cdz:xyKX3R5HSIt3u2B8FN709Il5hy/r7zJ
Malware Config
Extracted
redline
ramon
77.91.124.82:19071
-
auth_value
3197576965d9513f115338c233015b40
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe"C:\Users\Admin\AppData\Local\Temp\5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9581646.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9581646.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5930192.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5930192.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9341362.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9341362.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
563KB
MD522965f7ec6f49c719bbae6f273909843
SHA1902ad7a28c271298606ead82823c78aa31ea032d
SHA256e5850ab8ff6f6795ef16fc89ad74de650d9c9f9553c6c777f91f78e8924a19c8
SHA512230f15569b329c11a5d587e58e03af97cd8d9356d2c25baaca36d6ba910bedd74f9a2a663ebbf224377e76b4e2afae679965f62e496b20cbff6ad49ceb932e92
-
Filesize
1.6MB
MD5eb3c0509f21f9d835a123677b6bbcb74
SHA186efb4b4e51a5d401a4e1d01e0cd3ba4d698a8fd
SHA25683705d942d7b4383c880655f8fe209940e96a4be2cb7fa06aaccde563433ceff
SHA512593228c929b5301fbd6ecff79dd300664cba57fe7bfa4d94d5d0b0eda27c13e30b7e05015a516138d66b7da4cbff42f9db37e3f673979e705e61f14838f5d2af
-
Filesize
174KB
MD5fe84e130785d60cc5d8850a4894ef7a0
SHA17fcc729ad8bc46daf45957b9578c6cc8ae08c391
SHA25677496efa7a2d722a7841136d62f21e701ce9d4c3c87eb799c0de54e978289313
SHA5125e2cea1922e6a6ad8d45e1767817ed62e554127e279a6cea81030757c43677937e3ad1d956ebed9ef6ce2a62bd6f09af760cd4382b26753269c38c4aaf9ce26c
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB