Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 00:32
General
-
Target
b5e8a5f20e77a8bc077e288404f86da8baf19f886d0f1aa4a4dfdd60ebbe1bed.exe
-
Size
923KB
-
MD5
45937a9b8701bdbffecc6b2129056c06
-
SHA1
1c4ccc3b4691c9ba628694411f4f1e9346358125
-
SHA256
b5e8a5f20e77a8bc077e288404f86da8baf19f886d0f1aa4a4dfdd60ebbe1bed
-
SHA512
3041ec34901280604cbc14782aa7561980846bf2a5271aa1fa9f8a879a80706922795cc0a98085bee97d0999fa18c104ed24cfd74d617b8ea6b5ff762e753b88
-
SSDEEP
12288:Ky90r7LWa8tcKfkga4de8ZhlBU0DU9os5HighXdDv6SpjMJWao0BHe4S:KyBuwL00DU95HhXdFMJWaRB+/
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5e8a5f20e77a8bc077e288404f86da8baf19f886d0f1aa4a4dfdd60ebbe1bed.exe"C:\Users\Admin\AppData\Local\Temp\b5e8a5f20e77a8bc077e288404f86da8baf19f886d0f1aa4a4dfdd60ebbe1bed.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqX4721.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqX4721.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLB4865.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziLB4865.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it220064.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it220064.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr677045.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr677045.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
616KB
MD51e4b142b4c3d32ee0c97095192d0a086
SHA1fc76d3791cf698bef6656913539f994261e5412e
SHA256f4c90775aa02e049d23f363b4a2d739b64d3c0d22866e8d49bd806822c2b9996
SHA512e2c163bf2f0a7dd49a01cc3b5793687d5fa14dfc83245b9cc316f0c54c6d22b3540be8f1cd861faf4f869ca806a6fffb1617c1d1971a61de1b0c325bd7818356
-
Filesize
462KB
MD53068495351ce5a5bd42e9b090e2341f6
SHA14c789f98ecf484c526b559d64a052984b35b78fd
SHA256ed8516ece7a51b77b4268fd8807175266ee82b74429e0119c24a20c61d6ecf9e
SHA51248163cd73e6ce20e42291c1acaf90ee1791846aac959f42b83a5bac620a271c5ebd460aab0d8f8f547fe82818c6bb5c20f240d56613d937a1396711ff4c4be72
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
474KB
MD503250f88acd83864238dd010f32f97a4
SHA1904bc71b2ed87da4d02a0df9082b4efacbff72cf
SHA256c3fa6b87ce29ba2478f421c2608552b1b83e13891e6f2a7c2fa636415bdde0db
SHA512ee02756b16952f8c4b46b97892ebd86c02d210c2cb9b798d61859597da50d630f71f1964bf07266fab6c533270d7e60f8147cb77d7fd43b2bfbd47fcf7e5a2d0
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
232KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
5.6MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB