Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-10-2024 21:40
General
-
Target
04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe
-
Size
660KB
-
MD5
378d2026f2b0b9832167f2c88828b0d9
-
SHA1
ddb96bb621d87d4ea9b8c866dfd83b4cf64be5fc
-
SHA256
04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224
-
SHA512
f4c3103e777038a4ffc10b2c723252486a06717dcda95d54ae7ae60d0f8750cfdd618c2bf427703a953b99e294daa370e310bbc2927a32b9266a4330756f707b
-
SSDEEP
12288:6MrPy90PC14kPf1+CMK7FZsYYmUbFk47oMhzaxs9sej4rDFKh4b:RyIaDtxYmckLWaxsau495b
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
dozt
77.91.124.145:4125
-
auth_value
857bdfe4fa14711025859d89f18b32cb
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe"C:\Users\Admin\AppData\Local\Temp\04580b36fc34683cad05106c0ea5c337d64c9d1b49d77d8f2d4fa5666f9a0224.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHy9891.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr028981.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku881751.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 15084⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr614688.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1856 -ip 18561⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD5f21d6663134b5a38377f9f5a20d1c28a
SHA11b69cd0f79fe0b11a4b3c1b8e2b900e8b4d6b9dc
SHA2568a8c2028a1162b48ef779861a755d201fb63cc2c4daf89f3ffc04b72ad4e9ce5
SHA512c32a024b4ca88461fc44ede82e100d7bc57ae2306729b4b6a46b289c8f581d9f6d1b53538b74982ff97ca102e5f3e5dd900827008c7b79fc5f77858e12951073
-
Filesize
506KB
MD59afcd315555af981b5d94c5022c9f0e7
SHA10b43eb191a1510a9c2f55f6a1070b4aef36cbf92
SHA256cf46255ce446bb3a21c8dc547cac51b35ede38d02844cb5a6fe8061443041ed7
SHA512d85fe2f8a8f68a213211808e8d497cd71fbad1db7082927a6a9c186ec3db41018184be29ba8d11d12d05843f9ba65c83f73c4a43f9b11c04b0230578f53847f9
-
Filesize
13KB
MD5582c4c363c7d039a7708443ad94a6dda
SHA1ff3398d82146f8671be007f5c7cbf1830ee46754
SHA25667b494f41908f90aecdf67cb0e8280152173e01b0f22527e8b3ae75b507ecc19
SHA51263d512d48866412bc5a87ba28faa63aaf37c3f4cd78f837f5686174be480702e00773427115ab03c532946bbec82ce21fc1dafe34dcb99dea2384410f030d1d7
-
Filesize
426KB
MD5d5e743d6729af87fbf81830a92def4fe
SHA1e713880ca8485fdf49f1746f384c7e25eed5a37c
SHA2562f837e599a43a8e50bbdc5aa2a5d7fb89a69f147ffae280ebd7a1c2aeecce4c9
SHA51260f2e6672302388505d0f0ed2cf7db189dc70af3e70ce6e5eaa93749b4ba1a50ec57c58ca8a7f6a889af669c134f21182476cda39e4da2366b780357543fb20b
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
5.6MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB