Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:01
General
-
Target
f09314c6b5876187aa7e7e27a9a40d1f05d11cd8583c5c2a9a5f25f53a007436.exe
-
Size
828KB
-
MD5
3c217bcc6064b74286646c631d3a3455
-
SHA1
37266f7ffbc08aafc4d28d33f1d2a8df9da8613d
-
SHA256
f09314c6b5876187aa7e7e27a9a40d1f05d11cd8583c5c2a9a5f25f53a007436
-
SHA512
f810a12d9742be0f258c1c344da4995148e08243e374875674a23508ecaa76725f0d2a9ee16844795aa0d3bb2097c96b6bf1c27b070dc9f8c157fb9a0c3bac36
-
SSDEEP
12288:yy90bLaj5vbmUYAxRgPfetP1FObT0ynZCWy8rJpeqBX9M3pEhWM7XiSOkbekjs:yyIaj5jTL6ewb/n498rHDQ+h/XiSOF
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f09314c6b5876187aa7e7e27a9a40d1f05d11cd8583c5c2a9a5f25f53a007436.exe"C:\Users\Admin\AppData\Local\Temp\f09314c6b5876187aa7e7e27a9a40d1f05d11cd8583c5c2a9a5f25f53a007436.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisb7438.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisb7438.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicm1180.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicm1180.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it347148.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it347148.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr686262.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr686262.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
569KB
MD532d5f31fbd8282d71f972d28383083a3
SHA1e09739d4d1379c8d6971fc300e5dc40133e03ebd
SHA256bfa2be9655a96d6a898442a3ad2adf83fdac371e5ff4f3c545a70eb98f74b9fe
SHA5121ac5316b3041c6247f39691dfd7a468a81db0dbff44f4a845c1d26cd1faaffc2cd671b2fc645b0f2af9473f184e8b2236df0f26b110c10d55ba9ca6690f43ceb
-
Filesize
414KB
MD5d050464ea8fe884468a56bb81d99c0c7
SHA19c5e2e8ec2fc82125ecbbeb61011eb619efb085f
SHA256dee27910b14f43a503dfd0a6b752f7975517bff9115c89f797c0870c9afd3ef5
SHA51268ffabfe7d9de55bd5bddda1d054774833b73d8f4ef5dfb10d275e99f275ae133eedd13d900f55562f97331365a419c6300969e9a051e5e2c369a5dca34cfb5e
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
360KB
MD583bd9876e615cbe1ccfa29fdd372644f
SHA116a79877ddfb17b65ea96582cfb1bd985726a8db
SHA256af0f1411b1c5693f65582d6b05bf11356808c3b9f7c11e62b7eb059406d6086f
SHA512aa2152da2445c5e84abe5a7e87c214d51090cff83ebd79afb09887e68de66c1b389374c688eda1dd8bd53cc6da37fad66eba6def6592f88a236593acf756ce32
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
232KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
5.6MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB