Analysis
-
max time kernel
117s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10/11/2024, 21:17
General
-
Target
1e59df741aa6d1e2269352617331dba654a879bf58214342a485584124439a3d.exe
-
Size
936KB
-
MD5
8488695b5c596c2e23b4d9a0b4e35180
-
SHA1
b6608b3dbf896bc9a41ce48d2b196cbca08b3500
-
SHA256
1e59df741aa6d1e2269352617331dba654a879bf58214342a485584124439a3d
-
SHA512
884665c1dff36f78989c3ab987b02a644ea43d7fbf572dfd426fe51ea40837926b69a661d538b7fd75589fb6dfe900befdb5348618a4bdab9dcf0b5abd49a92d
-
SSDEEP
12288:cMrRy9069SF8Igtz+F9n1arDOVoKwTKM694dcG1du6GlgrdPHiFmWv/m7i7ecoW6:lyP8+tIn4vSPkGqHkmWve9zLf3JvKmu2
Malware Config
Extracted
redline
rumfa
193.233.20.24:4123
-
auth_value
749d02a6b4ef1fa2ad908e44ec2296dc
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e59df741aa6d1e2269352617331dba654a879bf58214342a485584124439a3d.exe"C:\Users\Admin\AppData\Local\Temp\1e59df741aa6d1e2269352617331dba654a879bf58214342a485584124439a3d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plus85nH45.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plus85nH45.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plmP71ch93.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plmP71ch93.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buhK22xX96.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buhK22xX96.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caTL09uw82.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caTL09uw82.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
667KB
MD581ced42b169ff7df4f6b7bdbbaa0aeac
SHA190efab52545dcd52ffca146e556cd82ecd150dda
SHA256d91379fbea6aa619ea381de83affa1a7d6c04132c0a1bfcc2477d0ac789540c1
SHA512841c3273a0675f1e65afca702f08324ae7463a706c745b4cc916843ad0e7dd302706e63da49aa818cdd48ace39678d9f9e3de06237a6949a128905816aebb42e
-
Filesize
391KB
MD5722e681de9c5bb446c8933d3a61c8396
SHA1a2195fa5a4a1772640bb7eb488f34d8088a3e47e
SHA256a2c26a4b38cce7d0c4588eaa11c48f22c8501a5504451c7c0d0a9ccdc781c7aa
SHA51293f4674ecae90deefd58f59b4ce65af67639fd530bec490fe99eb6884f9f451dfbbeb951193d3c8f86ddb977f0214b55a08e6f50abf8a3488c736cdf2ead8967
-
Filesize
16KB
MD559f970bf27aed5ed0e2976827af2e81d
SHA16eab8eafde102edd9a6447873208312f700f79c5
SHA2563ab9894d50354465e5bdda1891d55a9af5d95d85754be6f927124ed6a94b910d
SHA512f2bad5c0ce24ed5ac0a70d54d996089693db1828d38a3d7e2a3654245e6ff07c0d36224a290eab2d245b871fc2a5559ae13db344ffd4fe974459fb1d5d5065af
-
Filesize
302KB
MD51c5a86f75232313703fab93a198cfae7
SHA1ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA2566c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
304KB