Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 03:09
General
-
Target
5fe576d842c0e1e9df87a7ae6d0306d9b04b34fb77941592af2fa17220f7b7ddN.exe
-
Size
1.0MB
-
MD5
d407723d85865f2ecaacf5d960deb280
-
SHA1
db1df9a5e3e6ff87045848e404a1afcceb54e6b8
-
SHA256
5fe576d842c0e1e9df87a7ae6d0306d9b04b34fb77941592af2fa17220f7b7dd
-
SHA512
b59c6da3cccdc8d1267fdade110956435ad1d449cbf5a760600f4d8c1ef3ac962988da8f57276b64801095c2143143f98794f27653aea4e5f81c7b699349c8cd
-
SSDEEP
24576:ayZ1XIWfI1bF/E21jDJ1fnaMpMzOv+FecyKheTAgwne7/4EsM:hZC3j1vbPaM+e+LO2nI4E
Malware Config
Extracted
redline
rouch
193.56.146.11:4162
-
auth_value
1b1735bcfc122c708eae27ca352568de
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fe576d842c0e1e9df87a7ae6d0306d9b04b34fb77941592af2fa17220f7b7ddN.exe"C:\Users\Admin\AppData\Local\Temp\5fe576d842c0e1e9df87a7ae6d0306d9b04b34fb77941592af2fa17220f7b7ddN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBE1705lQ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBE1705lQ.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptWI1188zO.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptWI1188zO.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptxw1625lv.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptxw1625lv.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beBq41cn92.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beBq41cn92.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cuVf00PI73.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cuVf00PI73.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
936KB
MD599b4c46ab6c2e74cb4420cf6a37cf7ed
SHA17168715c75c96b94c9f7a2be99b6b80142718561
SHA2564c9aed95952b6446ac8960b6b837bab84ea05ea1bbefde1c3b935766e19dd6a3
SHA512ee7aa53145b1803de8c13a1d99361b9909137666ffed7344745f9b58de67252053bdc770a0fc58ee8c77657faeec07c65e7900de91ff44f0554df48210239fb9
-
Filesize
667KB
MD5441cd6cafea8f5b4b37aaa363e521d43
SHA160bdccdd66251a759d7ee9397e7da87b88444536
SHA2564aec930e016c3b5b557f467e6ad28032e913c129406768c4686655ef86dbc0fc
SHA512747390dc2308bb236ebc2a42ba4ad84e7e44f896a3babb31c5136a3f9d3feaf2575082ac309bfccd2122980e53830ee9406aa3c1ee924a70010762d1cfadebe9
-
Filesize
391KB
MD5c898632e50ae4d02eaa06c07502461ea
SHA1f7ce95b84e29ca5e1883383fd4b5d38d09481b77
SHA256d3b06f368acb8274001cbaef40b3742eb49edc24de2af4c43dabe2301eb49840
SHA512bbc4d72e81476ecffeb4c8ae72c385f40faf08db810ecb2c459131cfd16a65cba01ee9443a36ee70a122561c2a46d8222f78c09b1b31f5a64896cd7de194ba29
-
Filesize
11KB
MD503de47a528e4b7d3f0b33b2b7ddf07eb
SHA19380f4bdd2e3d73b89ae5066f037224b5774f43e
SHA256e1c229ec6ba698c85f32fdd6d765f619d53e469643d0a68242c446779bd0ba46
SHA51247dd68f5eea5a337fdbdfcc2cf6a459339afd193d10f31e9f6e3ec66347cccd554952631d6c7846620836531921bd055333bc3d33b6bc75ffda12f2cfc7e5ffb
-
Filesize
304KB
MD5a562213cf445eaaf665759f35b4e91c2
SHA1c37cb42d6b01cb56f0528499c8cb2d801176bf45
SHA256457e081eb0be34e398946eda58be940aef13cd4390cb727cc848846833d307c3
SHA5126944f4c08e8617f4ff143a96aeb4b4dc8c31562db7f6747bed36abb4116b540c181a5c42384505f1d059c3e3bbdf4f4ca3f74d0480b0e20efa28e1505f3b4fbd
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
40KB