Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
29-10-2024 12:12
General
-
Target
158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71.exe
-
Size
666KB
-
MD5
79c42acfef4f418e432e9e9b6a31da51
-
SHA1
bb7537c905b5eedd84951dc2ce2bc11cbe2185ad
-
SHA256
158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71
-
SHA512
d851e28e22a4ab6d4e41c6a404a9e16f4dae6d5f409c16a640c382eeb1c108cef01a052bdd9f844a7d00b5ec367f73204517c4946b55e40e997144cf9e738e70
-
SSDEEP
12288:YMrqy90Jhv0JVYrjHPfQx7mq74n7DdPxCo27rU0/L/wLFk5+IR3SSc:yyANv3QxCW47DdpCZ7rFTwxkwy3nc
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 8 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71.exe"C:\Users\Admin\AppData\Local\Temp\158692a7c2bd29a8bda1a166b8a0cf66a0f84d587c696b940de63cb63a848e71.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un215760.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un215760.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6248.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6248.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7671.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7671.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
524KB
MD56755745bb38839fdf65af281bd969f00
SHA12f30b2583e3d93a8e314fb6b226c5f52b0364908
SHA25609166615f7e43b8a529089d6a4206421a431a7079635574a3aecefc25b316787
SHA5128cf1e61d159c0ddc3621d452275d512d84585115fe15c7d440fefe7980c9b52aadb6a0fd8b106abfb69dac3b4aadb5ea1384c9234f47a80b162f39d3ffa28751
-
Filesize
294KB
MD59f4a43f973f56c272b93f3467e932ed0
SHA1d0e6057849e49e23196cf7f2fa09fb84862e8b8e
SHA2565c0129a963a3b4ff5857aff4ed1b732eb0cab3d9448049cca2bd2afad4ddee1f
SHA512eda601937fc2ff739fbeaa8219c0b9077ec73bdc2ca698116ac5a46e127167aadbd025e9ce8fe83c47078f33caf39774caca91a6669ac1e0750add650531f465
-
Filesize
352KB
MD5618f6727e66ea87de6664ed6a989f81b
SHA1e746378f2de3712225f2845834317d093085708f
SHA2567880157d41d14177ee0e91874d91de189acac98ffbd0c8fb05ca1919ae233247
SHA51293b0ca94f646b0650245e980a46d7b3aff643b4221150ecfdc9ed95471db445a6f0f503f106461b39ef83f607e665833c8ac24cf29063b8f6a0a0e807554b27c
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
280KB
-
Filesize
72KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
104KB
-
Filesize
1024KB
-
Filesize
180KB