Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10/11/2024, 23:53
General
-
Target
2171c83a47511681c9074ceed5dd1794db372549a5ee0138fd59e84179fcdeed.exe
-
Size
1.0MB
-
MD5
53cfa62e677e878a5adfe9aefb6c9544
-
SHA1
5dc3646277c581182790c8b806a2a44630c82827
-
SHA256
2171c83a47511681c9074ceed5dd1794db372549a5ee0138fd59e84179fcdeed
-
SHA512
84ade5513979a4cf5e5225d99cc8394d5c2e4432fb7fe59dff2693099fc66a7fd6bc3e0cdaa8f4933adbb1089fa6a8b810effaef615dec236bc15a95d353c6ad
-
SSDEEP
24576:nyL4ubwS0TPxPmDaXebCzVDFikEail3PnRbPVSBS8Li4p8QR6X:ysFS0TPxuDseb0VDkNaO3vRbPRxA8Q
Malware Config
Extracted
redline
ramon
193.233.20.23:4123
-
auth_value
3197576965d9513f115338c233015b40
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2171c83a47511681c9074ceed5dd1794db372549a5ee0138fd59e84179fcdeed.exe"C:\Users\Admin\AppData\Local\Temp\2171c83a47511681c9074ceed5dd1794db372549a5ee0138fd59e84179fcdeed.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pIo52Tt.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pIo52Tt.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pwc69dN.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pwc69dN.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pDw80SS.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pDw80SS.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\baM23Os.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\baM23Os.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cfc48rs28.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cfc48rs28.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
884KB
MD5ca788ed02dfb0ad5db462a63af78078d
SHA176f27053a2142ad7c6de1b3083c6f0328b9fed91
SHA256b2c33c8c7311b30958b555dd11091536ae9258fa69e48d4ee95aa90e1952e94b
SHA51240fc28220cca42d6a3ccee1a6d80a17a793694b56f467ab5e43ef70953e6cb61df972c2f98e60934cebc07a8f2355abe05f0f027cc8ca720f638456f2ffc9fd7
-
Filesize
661KB
MD5b7fdb43c417df684f4c313c15bba62f9
SHA19db1accf4edbbed8ebd830a0d7566be0629e7e57
SHA2566efa54bbb4d7c61724c91b5fa437a2df8bec60ab696714392435868657086f43
SHA51216e072dad4a8176fa3a11ac41155eac04551bca15977641dff0bcaf31921411d0aecc265c9aa7f08d7327b5f1a1e3216b4b91ad0d550a8e5e1b543ba66ddc0e5
-
Filesize
388KB
MD5e39c5e251a608d301ce0c2bc7e796d86
SHA18e0e2e051337b0e90830615941ac0ea005d64506
SHA2561164f029f4e4a01ab8dd47c9067102bd073f0d9cff8e888ffc02f3d183a4def0
SHA512e368fd6fe01344b29ab3bef7c3a342a420fd5513abd9965cd843140a1bd5a8ca605942f4e5c414e43ecb58484700395f9a9079984add8cd59b631e53f799fe3a
-
Filesize
11KB
MD5daa8dbddbca6d077a7fc234496923cf1
SHA14df2b6327e8e75ed71c0e3055c9d17a043ff6b65
SHA25617528baacf916fa9379bb2df7a9cb98e87f6759a74a3dccd565a04c671d67b56
SHA512b8c878f507ad26dfee4caa5f37ad8f6e909ce5354f9aa4df8535fcdeb75e654afbd179ca2c16eedfc4c2ba9d4de13b58e1fdb23424a72c9da893f6b1f5f4890a
-
Filesize
306KB
MD539e68ec5c671803bea570c9c8149ecf5
SHA193cb8d7be2e1aa555e5541d1d946271d32cf20ba
SHA2567359387553ff87aa91886a0e850132f5024f913e22cc8eb764d401fcdb0d58f5
SHA5125ce2317044a61712de25b803c7bb51a6a6aba6c9606cbaa2b5b340960a59baf98b5041ddc417924fec3f03a9543a8442eeb465a28c1986458e80e292568d9ada
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB