Analysis
-
max time kernel
126s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29-10-2024 12:18
General
-
Target
17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe
-
Size
1001KB
-
MD5
39742638fabeb3020be7ec5c9892dd9d
-
SHA1
3fec0db807df472b3e8518464a9aec7e8fa603fb
-
SHA256
17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a
-
SHA512
82f48aa9a7ace708b9d18ede40f36083bc74ab2be70f5bed2770609c62ef34ba5634b043b980c57d95750991be24a10454b99134e9e379307765daffefc7b3f6
-
SSDEEP
24576:OyOTmUxmLGILy6+yhCklNjk+Bn1w8aKWaTRjw:dOTmUx9cy6VkkbjhOvW
Malware Config
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 12 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe"C:\Users\Admin\AppData\Local\Temp\17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doJ5494.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doJ5494.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgi6560.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgi6560.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGf7386.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGf7386.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSC89Ro.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSC89Ro.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mna46vX.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mna46vX.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nxe83mj.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nxe83mj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
856KB
MD5f9dc829803856d6d7a8474aad32dd9b5
SHA16a390ba1369911cce72e939821289eae5c5c7b01
SHA2569030053d0292a8f235f8b387e0c9ec1ccae5e21492c8c567c4d07888b69a2a9e
SHA51251379874f016d933015bb25f7a28b556a79331e883c37dc37bff39da1b41157aeb598e3d5016327c9c10383cd29139808326be7d852702a032c98f2710913633
-
Filesize
501KB
MD5de872b15338d5fab4fadd1988d99df7c
SHA1e966fae9e7cee76be7161627299882c61c75a3f4
SHA256ecbc5cad08d36f5f07d60cb48663e54a0bea8cb56bc1bc707e5d6e67b0c0915b
SHA512c1aa69752fa7541b48c4eddac2208a7daa5f9aa58a7a957ed28586ca2a95cfcae6e6007c821df50df644f115a26c7279e23c4729c7f9f972b41484e13bcb605a
-
Filesize
356KB
MD56800300a4dc511788b6980b9112c91fc
SHA152e82d6d034c9805d91656a3bc547dd48719f9c2
SHA256a1840f132b113618f8e9e9838b26269a9ebe8ba7e832025a2b72ef68387c605e
SHA5125d87e11b27fafe69b9fea06b7705b7dae8ffe45e3043e2c7dc7509a14ce4c1436c23e660c351fd605b73fe0275f53463989eed54bdc5198601de86d5670f6635
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
295KB
MD52338c84711b756237e614c3869cf6100
SHA16146eace912945070cb084fe3839c8d2dc27c403
SHA256fbfd8bd7e7ff54ce43c209c34a9959ad1abe7325209756decc04e3d9a44ff87b
SHA51224bd3e70fc0ac61f6fcc432de5e93ac38c66eb3fb0e9b09337acc526873dd42f779f2741761ffb1677936e8f219f3c3b683c9476d8ab604803795fc323c7bae6
-
Filesize
200KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
104KB
-
Filesize
40KB