Analysis
-
max time kernel
146s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-11-2024 13:44
General
-
Target
b13337f962e439aa83e82d0b7e1310bbe34bdefc372f48b25e23ab8256e16594.exe
-
Size
1.1MB
-
MD5
998eccf26e123335a9d00699aae4c43a
-
SHA1
274edeac2d797412876ad2e9676234bba3853a67
-
SHA256
b13337f962e439aa83e82d0b7e1310bbe34bdefc372f48b25e23ab8256e16594
-
SHA512
cbaab87905881fda6f7dcc408d1be7988f4444117fc8d65b1eef428d4ece64adf3a9c2251da8de0ab59b8b5bb3c85ae440f3bc098ba3edecf82733f8f6b359ef
-
SSDEEP
24576:Cy/CNPxgPMcewjwjJ1lyzNTnqrl7Wl5iJ7KHxjePNEB3En:pyxgRsjJCTnqrl7Wy7KHxOe3E
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b13337f962e439aa83e82d0b7e1310bbe34bdefc372f48b25e23ab8256e16594.exe"C:\Users\Admin\AppData\Local\Temp\b13337f962e439aa83e82d0b7e1310bbe34bdefc372f48b25e23ab8256e16594.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCo94Yc.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCo94Yc.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nzk56an.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nzk56an.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nHc53fQ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nHc53fQ.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\anF62TZ.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\anF62TZ.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 10806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUS32nT.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUS32nT.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 380 -ip 3801⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
915KB
MD524638df6d2b9b31795a3d3711d75513b
SHA197d46397340cbb1346c3815719cb3c5a8a7b9fdf
SHA2563e6f211608f3491401d8432bb5e3b6ffd5bc3f7ccf18bbd154ada8a01ad7bd47
SHA512597b3fa0fd966ded1b2ce1f62c73853da5999f3056fed8f1bad554d80b86ac6a492a409559c0e5358f5351efdd65a6e439519762937af604123cad5e304eab2b
-
Filesize
690KB
MD5523a6bd1db93bb85ae62a08498f4cd52
SHA1685b7ef95dcc989a98bc394772f327631fb9cbd5
SHA256aa541b897d4bd36622d90df4327ac501c1d5163e98b953a360f22ead011e0958
SHA51259dc46f77dd4fa0c041c439068e66913a4974f3e27ea7cfe7e24f3c67aa27725ee6e15b58a282c1e45cecb2f5da12f6965f23f18a9af0e380b4a0ee908b6cf3a
-
Filesize
545KB
MD52adddcb62f02f5e0b31fa0caeffa2e5a
SHA153014ce6a1ac342dbbaafd6af7aa11df45d9698d
SHA256287ce83e445cca76a5f3fc7efc091462abbb0124414b5d225ec206bddd4f485b
SHA512c044c00b79a2cc88e241f4309a66803f600596713624d817a63772fadef49050c6490c460c229c7ccb37190aaadda9cfa10f52134da8656543c5e3c05ee1b29d
-
Filesize
268KB
MD5e91c24b9a5ee16932fc8e9531db83922
SHA15b5486a401d45f458943a6b205aeb957c6e91899
SHA256a56c5afa0cab7e72d0c2759f388252e442cedac285d53356167e6b85b43f4bdb
SHA512afb49002fe8ee4350c2bda9e3acc12625d96fd47f5874b8c79286543962cdcfaed174ef1356c13ba54f68441a1507c2c8342570a9db883cabd3035828133cb63
-
Filesize
329KB
MD5f8a8a9163c847a2144670680479a771f
SHA1e0f0cde7f67b18eb48bb253171508b1b3e39c172
SHA256def50e848f25c94a89584f91d99c89791531b1371baf1e6c5f74e9c4e81df673
SHA5121ebe59ce59652bc34e25ea90f1fce93a5fda9924c716712873840c5996cc535f6db212606cba74b2dc59c42a8ccfcb47d9d001bbfad4b9213552d8e502dfff35
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
240KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
304KB