Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 08:22
General
-
Target
5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe
-
Size
731KB
-
MD5
112db50547c96fbd04324315704f6e9e
-
SHA1
418dd3a11725960471343871707ee5fe19499344
-
SHA256
5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded
-
SHA512
9587f5f04c4f2c2b771669cc5e7b33c961330dfe571eecffc5b68b7de14c269ad970236b139a5ddeea9c54f13086dd53578d657943c601513f383e6215b8af47
-
SSDEEP
12288:yMrhy90NIIWVW8iKoQOYUxgVQbrpqBImN3V9zMniNPmRSIQPgOb5G/iGKzKh:7yWlWzOQOYK3pqBbbqidmgIsgOb4zKzm
Malware Config
Extracted
redline
ramon
77.91.124.82:19071
-
auth_value
3197576965d9513f115338c233015b40
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe"C:\Users\Admin\AppData\Local\Temp\5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2952874.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2952874.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5097699.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5097699.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7554652.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7554652.exe3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
566KB
MD5054e7213bf2d3a995fefc15c3186b012
SHA18a1de7ed0324a36de175585ba62d3e5c7ad3ef3d
SHA256f6dad52c3f4377d04183dfc4baff82ea3bb21d5cbe14cfd5ee3511405dc2e63a
SHA512378eb4149f992d5dec6d49fb24076c3a9c7e583be3a78e30afec150a18c6e5cc62fd1d9cd6e36344448d6e2518322d111996fad444b70389c0b26d0a6d96ad97
-
Filesize
1.6MB
MD5565e6aa1ec6835147af729da237c11bc
SHA1fa1ec5a6d70ad5a21296353d482bb5a49c3f5b4d
SHA256715b72aea95b100dc88b072df365fab27be3708ca84ed8a6ec966353e5de61f6
SHA5127eecf29c4845a97d5f29b7e005d4d97df96eb7f3c449c55549e71e1549b91c06d31bbe99d37b52be30de23a8158f74660f3bcc25faff22081081b91a35ebb99f
-
Filesize
174KB
MD5e51fb989fbba83f136f1af5cf092dfc3
SHA1a473b0c0cbf97ee54cbbffd5ad228b606043777c
SHA2562453e485fc9226dfcbb130a292097a09325306c30797d82d3f316d25a72a59c7
SHA512bd3abf8e0548bde13605372b1dce8c7c840a832b9018728528a66684313d52ddf46f87367b802aa99bdd11e2e52e1dc29a238caf1eb7a04a4f2d287e3978c149
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB