Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:15
General
-
Target
1a075eec18c52161447b292da5596b7cc899ccb82b35932dc1c6cecbec7c3fde.exe
-
Size
936KB
-
MD5
a873a955ae271cc465f8c25b45d8d5f7
-
SHA1
67fa09abae57444e28be4860d28d4493a2126fad
-
SHA256
1a075eec18c52161447b292da5596b7cc899ccb82b35932dc1c6cecbec7c3fde
-
SHA512
847d27ecc6bc5f065197dd06e51ee926e5dd1145e59d0c6d87f5405894401abd07ce11a04e757d6877e39aab5115101e00c4c4806de2124b9bbe2cd25e4bf9ff
-
SSDEEP
24576:Syvddns8HafdsRcKsAGF5QgcY0p0UJfFiByj9px5f2C4t2:5vPsJs2KsAGF+s0TfYgWC4
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a075eec18c52161447b292da5596b7cc899ccb82b35932dc1c6cecbec7c3fde.exe"C:\Users\Admin\AppData\Local\Temp\1a075eec18c52161447b292da5596b7cc899ccb82b35932dc1c6cecbec7c3fde.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirr6721.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirr6721.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDD0736.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziDD0736.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it973746.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it973746.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr236688.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr236688.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
623KB
MD56f969f58760f88f93546fc0e4b8ea173
SHA1c5263b38c53f9a9aa55afb9b9867287263da9549
SHA256d6fa4e6d4e02302765715a753000459fb353fa31c44a7b9d30c109a18a5d8192
SHA512b9f81fd55331ecdb9c207169939a8ac76b516e4060b11029344ef608bbee8158fd4691b33703fec833da337e4eed1d35cfd19d8dec45c8ad9aea37c20811d1f6
-
Filesize
469KB
MD5ddcb148b13b41345ea737124f2627792
SHA1689186fcf0b0a2d0edbab5f6317487d221ffab05
SHA256ed89c94c4edbd4db6f367b6da5a6a5443a016f6f6d5979e5ac13bc46ea5a6868
SHA512927a0260c9b2c258795a942ba68747d9432a06af63c0bdf14feaac322e1a80e2a6a9c983138569fa1b68d9c707550c6d9b0f1db09f78c3dabd49cdc56357ece4
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
488KB
MD5dde7522af2a3ce333731c23fea81936b
SHA1159bfe97014ba9449e9940002d19a68c8431a919
SHA256b1404b035673f965e75349f331ef45121a36de83f87afeeec0530770e47cb970
SHA512cf1757464ac47ec45a83919a3c9177ebba0d01b4655e484144f3f4c452f65df6e9623e8623415363d9642208eb25d1229db7181b02f07cacfbabecf6c8e83ae4
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
232KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
240KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
5.6MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB