Analysis
-
max time kernel
130s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 02:25
General
-
Target
81e02bbc06f3bd176e259639b49089b6da836cffba81af69619bd9321ff8f183.exe
-
Size
482KB
-
MD5
fc17a8b8ca885cee5f5b38a0806a9fdb
-
SHA1
ef9064de5a4f160a054098a3094b6b66ddc53668
-
SHA256
81e02bbc06f3bd176e259639b49089b6da836cffba81af69619bd9321ff8f183
-
SHA512
466ae5343c290b26fa2b21e9c461ecf746e8a00d21149ed08e66ceb9e7c444721442a7bd5d643e5a477191cb3db94ea962af725d6eae48189cbc30816428b8db
-
SSDEEP
12288:AMrjy904VyGVKiEhvr0IkjhQ6ec54vdT5TP:TyjVlEhvQy6ec5ydTlP
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\81e02bbc06f3bd176e259639b49089b6da836cffba81af69619bd9321ff8f183.exe"C:\Users\Admin\AppData\Local\Temp\81e02bbc06f3bd176e259639b49089b6da836cffba81af69619bd9321ff8f183.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnS32xX31.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnS32xX31.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dje80Yi.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dje80Yi.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eHg77DI.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eHg77DI.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fuM62RC.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fuM62RC.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
337KB
MD5f132f70b329af06c9552b656b9d148ed
SHA1b5d9875e9a3a4b669040e61fea567c3dca63875b
SHA256dfd02604251db7ce0a12d170dc601e3c2ba07750492dc74738170a50b4f7ada4
SHA5122dd9a4a1d106a90408a7056af205cb38655023a733b8ccb63251a0b36faf36555b74c4ba444932121eb5f2b1a8e059baac741309e355c7befb9ead46d628e78c
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
248KB
MD5ee5d95fc580a7da82999ec7f548e65ce
SHA148ea3889f13175ccee6b0117a442b09ed1aa99e3
SHA256419cd55347c4ae44caacaa3c83e6644c4690a30d33ff293f4e1a8a924e6d8b44
SHA5122c0d4cb64f1a352ea20b07faccbece44eacc5edfcd0eb214bef040e9f6ec9c83ec8603a9c57d7a0dec9ef100a1411bbc7b3605db5c61b0921bee2d5568d3fa73
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
104KB
-
Filesize
200KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB