Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 00:55
General
-
Target
a568bf752b9bca75485881a01d8d0b2194460308514feea2602022e0c25c03fd.exe
-
Size
827KB
-
MD5
857744ddbbc6e6a97e994be398548852
-
SHA1
00a6cfb6251d4b8f1a450d0ed6e8f79d0be207b6
-
SHA256
a568bf752b9bca75485881a01d8d0b2194460308514feea2602022e0c25c03fd
-
SHA512
47a36f9cd277eb7d9a97d3aa786d823537c88f473367a3086e0cc5f7cc9a753afd8dfbdfab58982a7d390aac35cfdf423ed549de77c19384ef894897a2dac163
-
SSDEEP
24576:lyAP2lb0bKRvPkdrzqEPxOXFed33d7qOLFgyNWz:AC2NfgreEJO1e/egNW
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a568bf752b9bca75485881a01d8d0b2194460308514feea2602022e0c25c03fd.exe"C:\Users\Admin\AppData\Local\Temp\a568bf752b9bca75485881a01d8d0b2194460308514feea2602022e0c25c03fd.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNa6174.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNa6174.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziee1443.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziee1443.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it232602.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it232602.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr048177.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr048177.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
568KB
MD5ad95e6e060afda17c16f7476462ff1df
SHA18c1035de63ded6f3c09db317dc308c7d1ef45002
SHA2561b115bd51b113e54b9f211de226e53cd9fb467ffb61f7d5fd8324871fefe5ead
SHA512f9989071fe9be92f3d6a201a3eaf47c084de483ef0c90102c61fdeabc2a24f355c34a56b668f0925ec3c1eea711b8a65203418718da597616c909d68159c499c
-
Filesize
414KB
MD5d51979ff73938a2487240f146ac77d21
SHA1924037d8fc9695993920b1e0a6219624508bd834
SHA256363ae276e9d97878faaf1fff71b6f6f1c44af7648762106470f487077de98ab6
SHA512cb057502cff53a55a46736e97a56e2bc55ab02bd76dace72d060472ffedc9d19363edc7c5ca98e497f86a544721a399fc8c35058c7ef8937863b08683535b1e2
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
362KB
MD5e3d7f0cff9b54a4298ca8993c2b24f95
SHA1aa13e9d4ef8d6a90a31d63b8280f9806aec0b198
SHA2565fd5a8d1934eb201b078d0259a8d2ae17a15f8b2ae155c784db74e20225f8c59
SHA512d84e3c5a6054446ef8fffe921c58f239ef6dc98155393952611defaea09b67c77e968465902e4e45417c0d72376e38b91eed0237906793551911a62ec7a05a68
-
Filesize
212KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
212KB
-
Filesize
5.6MB
-
Filesize
232KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB