Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:43
General
-
Target
1cda71a3e37dbacc2187b00ee7cccd6901383ab1e08330cfd6791c2444959b2f.exe
-
Size
850KB
-
MD5
870d4f786a2d4ecb91bb189f85e3b47a
-
SHA1
c4ad44a4d8de842ad08e673a7debeb2c26f88642
-
SHA256
1cda71a3e37dbacc2187b00ee7cccd6901383ab1e08330cfd6791c2444959b2f
-
SHA512
0083aa2d52f05bca67c347f0a0d0c255e1accb0a20c06fa0ba66dfac1dca73fd43161d00c723280a1c686b66e6377e60a67014704423b909723e3014dd3006c8
-
SSDEEP
12288:eMrCy90AhLemA4Tf7lW+khHE2sMdEX5WsBVkdIMYpehXr52ZR7+SUiL1JT0RWUL:4yXrEHE2sMEX0kkdupeDU7aW+
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cda71a3e37dbacc2187b00ee7cccd6901383ab1e08330cfd6791c2444959b2f.exe"C:\Users\Admin\AppData\Local\Temp\1cda71a3e37dbacc2187b00ee7cccd6901383ab1e08330cfd6791c2444959b2f.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba9480.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba9480.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3098.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3098.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0324uV.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0324uV.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h68MS65.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h68MS65.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iwstf31.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iwstf31.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
708KB
MD5fff96a6ff2a8cecc4635ff1351e7c2d4
SHA14f89a5a84e4fc8cd5a8087420b645516df6df37e
SHA256ab84165a0cd2874642fc1940fe0734a6cd7331e8d94a8d6ecf7611c6335f5c90
SHA512556b72a9d0c29f007404e80e992dae5cd1bb55921b0c5bb072cc34a7e8a06474ee2db1ac23a73b9fb2c404d07b4edf351bd935925935b034ba7aeb6ea98333f2
-
Filesize
391KB
MD5993386ce2cb889f7c4281a9b242dca5e
SHA1cd61db5ef0f858f1f02b5e5780310fc6927754b5
SHA256a5df2311f6aa33993928bc9bfb293f4ea2e516c3ab09833800f5b49b6424104e
SHA512c975c69ccccb7c23b4e220998cef2b8236506d8cc9b284972487127feb69226f361f9ec080eedaf35c219c92dc6c99748d3a547564d8b7b54da7d65ff74ecddf
-
Filesize
358KB
MD58c11a887fc05de4e4edfd3a16aa7d976
SHA19001cb43379f904d1c5ee012c71b742cdfecc69f
SHA256728687b144fb0e29588fbb77abfd9c2546857f0cef254a84125af97a0cfa9e4b
SHA512d8bccb2379fcbd3da1ac6a6695dcd0541b1ece7ae00abd719fcecb2f368e5d9c71ef51ff2f8af87117269c9505d99840ee7afe8a843c6956b28409c9d9da5c0a
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
371KB
MD53903ce0422c7b533a4f3db566e453112
SHA1e1d7e4e3c5d33806b33c348617a53db8a24fa7ff
SHA2560c30727af2f1b1996118e53b1ce09ad3de1ec3f87704a5a5e2af300c9584d667
SHA51224057448f67f5cd9fcc6f428c5d1fb4460fb86c1b0a2c2b1791d6d4f97134f4eeba7206328c88de5a0df745aff83cc940e02a06460973e9cd35ee75b68bc6277
-
Filesize
39.0MB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB