Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:00
General
-
Target
0997421043ff2a9d00b6020284898f5106c83e8b8eda2d7b5b5323db2f845cba.exe
-
Size
479KB
-
MD5
04167692eb09c16a10903de7a611589e
-
SHA1
3dc85ade52f588a9f1d3345534a9ff07d42a3813
-
SHA256
0997421043ff2a9d00b6020284898f5106c83e8b8eda2d7b5b5323db2f845cba
-
SHA512
9ce21c67b1c1423095dcdec6812144807a01aa80bcbb2901eccf8e121d5647d388d07ff7c4e745a9483a3db9144d858856443bdec98781d233f6f0be7181b0b7
-
SSDEEP
12288:dMrIy90uTXdaWv7ONx4tLx8J5plMKQMPuSPNEt0QeKi3:9yf4WvC8inHMKQpSaB2
Malware Config
Extracted
redline
divan
217.196.96.102:4132
-
auth_value
b414986bebd7f5a3ec9aee0341b8e769
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0997421043ff2a9d00b6020284898f5106c83e8b8eda2d7b5b5323db2f845cba.exe"C:\Users\Admin\AppData\Local\Temp\0997421043ff2a9d00b6020284898f5106c83e8b8eda2d7b5b5323db2f845cba.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1524305.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1524305.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7347705.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7347705.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3185702.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3185702.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD5341152e209e778a9045e8115f2133e31
SHA1db46b8b6a3cbcf3d9663ad91af7b4b0a3c691991
SHA2560b19a5daea3f8b4bf43724750b25b151824e2535b25dc5786cc3ae3bb2f656c6
SHA51223eff5494bd0b5f113406ca3601769d96580d7a2c50dfd0f9829df6c21c982b49fe5572eb669d18c5ef5db7e936d81babaec21b51a99677487f5574b6f6dde6d
-
Filesize
182KB
MD5ad16d0cf4eec397fd85fcfc6a52fef42
SHA1f38889323b3359adb2d03dbbdae0c17f616a39a8
SHA2561e487023710bf2a277650748cce48e86e299fb32cbcf31ae7b276b6fddcb34d2
SHA5129182ebd54f47eab597e0eb5ecc1424b6b713d991a8bdb81fa6481405d614b3407fb26dc400e738f50befcef726dfbfab401470cf2783e5a9bd20b6541bfbc9ce
-
Filesize
168KB
MD5bc08a3a3feb70c2384c0ba1e2b4d50c7
SHA1e7856f103e5f76b07d523985dd3afe9ebdf507c2
SHA25617b65536d9eec8a67d3aca4ef936777e28e422ef524100e49274caa2a1e95c15
SHA512a495f99f29793ff88fe2232b85e608e487dc82403b55089bebc210834df0bd06fe63a49ee301d339c309f9e5e2cc2c38c1adf437e8ea472cc34252520376cb5d
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB