Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 19:49
General
-
Target
3f9842ce4deb52f3428037a151f9624e2c30aa7c0449258bd45fee7b353bbcd3.exe
-
Size
561KB
-
MD5
85a72b8c025b6bef1830e1a959a80005
-
SHA1
ad60e2288a499d698f57707381f90edbde31928e
-
SHA256
3f9842ce4deb52f3428037a151f9624e2c30aa7c0449258bd45fee7b353bbcd3
-
SHA512
9c817e7446d059c5a75a9f643397220b2f8331f4d5966ff711179084508ad176ba2ffa8d5ee217d2e8ff922c56997c5889a48f57868ced6045f8e3f5a522150e
-
SSDEEP
12288:EMrky90SjFJHbBYlA6hTDefhCEBL8R8pZeeUZlJlwxoPCT:wyRjwTqfhCTR8eeFOCT
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f9842ce4deb52f3428037a151f9624e2c30aa7c0449258bd45fee7b353bbcd3.exe"C:\Users\Admin\AppData\Local\Temp\3f9842ce4deb52f3428037a151f9624e2c30aa7c0449258bd45fee7b353bbcd3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHZ3405.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHZ3405.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr229026.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr229026.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku809900.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku809900.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
406KB
MD5958a5c10a113a4deb0ee3976b0196384
SHA10bc6c060efd5de22d090b851cd5b4cb074cf071f
SHA256475544821278d348a97b2e8bca13c6b0a3ab1e32e101894e224bf731bb7b44df
SHA51294a57bd1a7293ea76917dfc271c6cd9439c90521f11b07cd1dffebaaf8c8b192794c1d21d03284b6ec1d96627f019fe83f28372647bc15c925f695c22acfa0ea
-
Filesize
11KB
MD563ad89a9a8af000b4e51d0f893aad085
SHA121f1e059d707e49f48331b13ab8332395d2821a5
SHA256b00ec97cdf7d31f31c4b35bd2ef8cf500373d642e7e3d13a326f26443e0c4808
SHA5120794e9fdc53c0f56af4e2fb4597facf387d302b25fd04d5b11aa687846327cb723007c020bb744102f7211142e8d9a3bd2fe28604d248bd7d15eeb93cde9418c
-
Filesize
372KB
MD5faba61f14d374ae7ff9fe2ad2cc65782
SHA15160e7091fa66c7714bd3c78b9efa9cda9e93793
SHA2568e9aecab9881e0fec7b1b68f0c5cfbea4f1b29ba6b8c2cea1406a5af26597329
SHA512b99f891138a916305482ed3767dd0fe4590c905e66fdb039be111cf7344fdce9efc09ea58c57e0ba9a38d778da214cf6c2e024097eb5a56a6d5034150342aaea
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
280KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
5.6MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB