Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-11-2024 16:55
General
-
Target
912796429a29149a2da4e1edf88cacb103aaedb07f454fd2de77d30c885ea013.exe
-
Size
479KB
-
MD5
59599aab5b384289e062e0a0fbbf480c
-
SHA1
9407e9ae58d972c92bd6cb3acb31a817031f0419
-
SHA256
912796429a29149a2da4e1edf88cacb103aaedb07f454fd2de77d30c885ea013
-
SHA512
ee11ff2c36a9fc5620c8c438c94efde064f2efcef342b55b74d46023077eae7221a0138df3086c99240de97cde22c6dd65e3faa04780587d9196510da101fa91
-
SSDEEP
12288:WMrYy90sCkUXa0jL5ROihzzhzjTXT+BXhcu0gqCgjIo8NcW3:KyIkU/5Rj1pCXjcC1
Malware Config
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\912796429a29149a2da4e1edf88cacb103aaedb07f454fd2de77d30c885ea013.exe"C:\Users\Admin\AppData\Local\Temp\912796429a29149a2da4e1edf88cacb103aaedb07f454fd2de77d30c885ea013.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1202791.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1202791.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4965104.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4965104.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1205684.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1205684.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD53d3ff6a2903837e16a5c6bcf92fc87b3
SHA1740a456c251924b1b61f3bf5af2db314d1122a1d
SHA256e64488979d1db437352bf34770f7d9727b5353323e562cc850e2c761bd97ff99
SHA512dd022fe579f921e93d388ef7bf2bc3bc36c23327ba19dfdc220d24e7e88822c6745207f541d3e539e3b6b36892a0354b2544770652021d06260f66d80c5f2987
-
Filesize
180KB
MD5cc987276811e4f066394bc8060b1a380
SHA12c73732c3e9b0e9cdf45cca8e24c316b5d512f05
SHA256558b9551c1b9987b3cf60b558c3229dd1f2d26cd4dcb2e8b88ecad7053593c24
SHA5124dd3d269ac3e77695ce368cde50612c22f292157e7d00cbf937719bef257baf1193d504884c2a57dd6699faf3a1235d0aedb7e0f35035fca9cf3fcc6dd17fd2d
-
Filesize
168KB
MD566007a0567284dece8476c72845c1a7f
SHA1e1a5546f52745b3e124e6768a185c0d599d7a2f1
SHA25647d4960c1c7a44861e4078b5c48441078d7b60c2796539d9741baf555e630570
SHA5121e6cb9802697f2ff4451a3a657ee1802f00b6527a799d687b9b087ac3d41dba13e0efe25e64a4bb281dafd0469783006a70e9719f316df9e888437599c4d2fe4
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB