Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10/11/2024, 22:00
General
-
Target
12fd15641bfeb987b60d252bbb25e8fc7ea2649154ee4ab1283b51993fa327f0.exe
-
Size
562KB
-
MD5
69786bafc55c3199ddea2ebc7070bb6d
-
SHA1
b097b5bed9db649e5136ba7d4285acbcc2b53085
-
SHA256
12fd15641bfeb987b60d252bbb25e8fc7ea2649154ee4ab1283b51993fa327f0
-
SHA512
8790aacdf4fef7d9d81ad5a945e75df830db7ff8100624fc77c1020a028fe11617b0192a070254d8f49707b508d6f736c8d1926065018506383399c9cd8518a6
-
SSDEEP
12288:dMr/y90A0WVPm8529SlLnZuYYyq0JcxvwUOGmyIKCc:CyfVPTM9AnZI0Jcx4UOLyIKCc
Malware Config
Extracted
redline
fabio
193.233.20.27:4123
-
auth_value
56b82736c3f56b13be8e64c87d2cf9e5
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\12fd15641bfeb987b60d252bbb25e8fc7ea2649154ee4ab1283b51993fa327f0.exe"C:\Users\Admin\AppData\Local\Temp\12fd15641bfeb987b60d252bbb25e8fc7ea2649154ee4ab1283b51993fa327f0.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhLO2753XS.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhLO2753XS.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf93Pz41Df20.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf93Pz41Df20.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf35TL09tr75.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf35TL09tr75.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf35TL09tr75.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf35TL09tr75.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhMm44vq61lT.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhMm44vq61lT.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD56c38f9d9b46c3199a90012986f4f2de7
SHA1ac91156ffa0288369bde0dc88403cd34dea6a808
SHA256ba995c6f7813b7a355e482f112ce3ba26fe3fec95d6750235be29683888727d4
SHA5123881d7321524940944323a042b11f80bab723da8b33189f682d51965225d3a9039efb95bca9bec47dfb61f96ef7e5bb3299ddae04bcc96104382c7dab3e161ac
-
Filesize
417KB
MD5e0d64711783717b938a7b6dfe529baf8
SHA143fb4b789fd90038f0938d985ae659d1d212a16f
SHA25624a76821cdca4fcc4ee468b2663ecd075385e111277461fe15a2af145b204ab1
SHA512507f7137e6853d03b1b991214d7bd65f15f060cf40dd1198a9afdb490d1bd7f0ecc54e9f306e9c70d6307a695bd266fe6c78b618b6788fa2c773fb53ad2ee551
-
Filesize
12KB
MD570d8434b45ec16b90bf1b6af61bc769c
SHA160a1139df070b33d8f99dda76b2a647a4cb34700
SHA256ff3984afd8f986582748afc5af2832e06b5d852f1abace15ff208ae4e00584f9
SHA512db1616c4457f8161d93bed169aaa1c2f89ee89c48282cd83e5a40bd268e281c89257fd803b357b09f91380c38981a3d07b319fa9c05268ac08775ce23638b687
-
Filesize
421KB
MD5a1a8c7e021590c6ccb05a2a54e7d6f12
SHA176cabb2806779c8bcaba0f6ca25de05d2a4cda32
SHA256ffa315cca20806209add23fb058b99380ac07212267bf8fceb265976a24207b8
SHA512556cb80ba26000eb1426c652b995add13e2f8eb062820d34549317e82e785805b10d19b72942c505e3e1a0c5d985e9e01fcff7ab41124d903b72ce0570acaac2
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
240KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
280KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
312KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB