Resubmissions

29-10-2024 12:47

241029-p1gjlstrht 10

29-10-2024 12:36

241029-psz1zsvhlc 10

28-02-2023 01:57

230228-cdbzdsgh2x 10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29-10-2024 12:47

General

  • Target

    f5e2158cc1f0c9e6c4593a670e9456a493090f0138c489875d7e009e4dc86141.exe

  • Size

    538KB

  • MD5

    4f56c63ba63fb9ad1995e8bb303df2e8

  • SHA1

    aaafd4c2503cb02a8df1daad6ffe83e3df30ca89

  • SHA256

    f5e2158cc1f0c9e6c4593a670e9456a493090f0138c489875d7e009e4dc86141

  • SHA512

    35524760a439e503ebea3b8bf7b3352bf95a700a25305db60aee69b74d75a4c473c283e4d63a6ff0765a193fc5b84ba9bde9f937e4be20845bc0cdc3e3f2b3e5

  • SSDEEP

    12288:1MrOy90ottZJhXzvPa77A7VtOLvPDo+JFtwUptgFWP:byfDZJJw7AQvPU+bpyoP

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (35 IoCs)
  • Redline family
  • Executes dropped EXE (3 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5e2158cc1f0c9e6c4593a670e9456a493090f0138c489875d7e009e4dc86141.exe
    "C:\Users\Admin\AppData\Local\Temp\f5e2158cc1f0c9e6c4593a670e9456a493090f0138c489875d7e009e4dc86141.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vwE4610Ek.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vwE4610Ek.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30Ih24Xz13.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30Ih24Xz13.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tUN22wQ98.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tUN22wQ98.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3040

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.43
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.24:4123
    tUN22wQ98.exe
    260 B
    5
  • 193.233.20.24:4123
    tUN22wQ98.exe
    260 B
    5
  • 193.233.20.24:4123
    tUN22wQ98.exe
    260 B
    5
  • 193.233.20.24:4123
    tUN22wQ98.exe
    260 B
    5
  • 193.233.20.24:4123
    tUN22wQ98.exe
    260 B
    5
  • 193.233.20.24:4123
    tUN22wQ98.exe
    208 B
    4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    214 B
    389 B
    3
    3

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.43

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vwE4610Ek.exe

    Filesize

    393KB

    MD5

    8b9a95149e0de458c4ecb957e85a34b9

    SHA1

    afa468785c2187db640515df82a26ecb3a8d0572

    SHA256

    67582a83d09954c0ea2f7673e0671522fe3c5b17823031abd26aac232d824b76

    SHA512

    dc9c8c103fd3e468ccdf6027ed350503af9df962182abacfcb853f88d1aaa08cf7f7dc12890b792b134fecaca6f3e555c612bfb2ff2cbdba31f38c16c25b00e4

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30Ih24Xz13.exe

    Filesize

    12KB

    MD5

    51d6944d6a28dbb5b7588e07861bdaa6

    SHA1

    745e26564dea253f4b72ccb2aceb6331713dc7ec

    SHA256

    b778eb3950d8b1499b1caebd8b1b2be4491df65e1a777045ef448cd345e4bc62

    SHA512

    7ba3e2c3eae2f510cda5ffea69cc92195c9b9e8b5cb93a24e0bdff55a4c0208ce9fa471b84ef0129b1d27d3746623891efe879fa65a1ec10b020174a7da11261

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tUN22wQ98.exe

    Filesize

    304KB

    MD5

    e8a74f8947be8861da483f9a1b725bea

    SHA1

    c9485cc022bb2ee5eb15bc98e1aa5330b1b5c09a

    SHA256

    b27c4b8cc67abed8e257f5b43a656dbfafea50833d2aae5b7fe545ac82d74727

    SHA512

    4ac48c039d81d9b6f5dd9cd4700855bc27efec45bb167fbf0268ec56c238138865a9d9b9575b2e71f2ab204f29da0daff1e78f5ac12cb54d0383766b7c82e2e8

  • memory/2756-14-0x00007FFC84BB3000-0x00007FFC84BB5000-memory.dmp

    Filesize

    8KB

  • memory/2756-15-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

    Filesize

    40KB

  • memory/2756-16-0x00007FFC84BB3000-0x00007FFC84BB5000-memory.dmp

    Filesize

    8KB

  • memory/3040-23-0x0000000000910000-0x000000000095B000-memory.dmp

    Filesize

    300KB

  • memory/3040-22-0x00000000007D0000-0x00000000008D0000-memory.dmp

    Filesize

    1024KB

  • memory/3040-24-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/3040-25-0x0000000002660000-0x00000000026A6000-memory.dmp

    Filesize

    280KB

  • memory/3040-26-0x0000000004BF0000-0x0000000005196000-memory.dmp

    Filesize

    5.6MB

  • memory/3040-27-0x00000000051E0000-0x0000000005224000-memory.dmp

    Filesize

    272KB

  • memory/3040-41-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-89-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-87-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-85-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-83-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-81-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-79-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-75-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-73-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-71-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-69-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-65-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-63-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-61-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-59-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-57-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-55-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-53-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-51-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-49-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-47-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-45-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-43-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-39-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-37-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-35-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-33-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-91-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-77-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-67-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-31-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-29-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-28-0x00000000051E0000-0x000000000521E000-memory.dmp

    Filesize

    248KB

  • memory/3040-934-0x0000000005280000-0x0000000005898000-memory.dmp

    Filesize

    6.1MB

  • memory/3040-935-0x0000000005920000-0x0000000005A2A000-memory.dmp

    Filesize

    1.0MB

  • memory/3040-936-0x0000000005A60000-0x0000000005A72000-memory.dmp

    Filesize

    72KB

  • memory/3040-937-0x0000000005A80000-0x0000000005ABC000-memory.dmp

    Filesize

    240KB

  • memory/3040-938-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

    Filesize

    304KB

  • memory/3040-939-0x00000000007D0000-0x00000000008D0000-memory.dmp

    Filesize

    1024KB

  • memory/3040-940-0x0000000000910000-0x000000000095B000-memory.dmp

    Filesize

    300KB

  • memory/3040-942-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB
