Analysis
-
max time kernel
143s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04/11/2024, 14:22
General
-
Target
8312290b15cd15a035e6ded567daf4c7c99eda2938fbdb03f83033a38a5dd18b.exe
-
Size
696KB
-
MD5
6d65de5263a5230a9f228694231eea60
-
SHA1
f12c169f479b538e3b7072ae49d8230392cf1e3e
-
SHA256
8312290b15cd15a035e6ded567daf4c7c99eda2938fbdb03f83033a38a5dd18b
-
SHA512
1351de48806ac0c1bf298974edbfb11e42e301c618c12e556028c2df082f9b87d6f515032e2dc0ed914963a8336ea45ce25b0a1cad68662564eb94a1ddd1c8ba
-
SSDEEP
12288:QMrty90TJnfCRyIyp0kqzpyGGe9+soOoGpCSe1k5obR8D+Fz:tyuckSpy24iIp5t8D+h
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8312290b15cd15a035e6ded567daf4c7c99eda2938fbdb03f83033a38a5dd18b.exe"C:\Users\Admin\AppData\Local\Temp\8312290b15cd15a035e6ded567daf4c7c99eda2938fbdb03f83033a38a5dd18b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un447496.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un447496.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7097.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7097.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 10804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1051.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1051.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2824 -ip 28241⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
554KB
MD5e714cd786fbbc22285cde28455133792
SHA124367239c601737d16e5a18b84ef62249e72d315
SHA256be032b6bb1cf33be24c6835d0d80ccec9b99312d0bce11b8212ca281aa020c16
SHA512d61efe6233e9a6e64f1d38a0733c9a13ef5d5c5dfca1239de548a15960bcdbba33e25d3196005316275713379fbab4f250d2222f6a76a7733b7a074de9ed2eb7
-
Filesize
348KB
MD5040873b6ddc2621b748eb4081f91d7dc
SHA1718daa93335afd0870e7ee2b2efe214b1e641b35
SHA256194ba401e0be86a244222479cb499a45ba54ec5b9f143636725c555684eeac39
SHA512d184bcd415ddeea7236ce6318f716434c9663f11e61459eb7ee013ba9b941306e5ca7f5ee991eb12576ad8470e35ee5ddba3cc284fbd648fe3e06dc579fab2ce
-
Filesize
406KB
MD52da5db06965a5fc5b7384ff0cfa49d9a
SHA1f32f08b65f5f44ce0077fa85a54c1df6a4d62e3e
SHA256cc10cb5ffda27457e1c5b868deaf8fa2248aa6bbfa3f0eca43fed78b5954230c
SHA512280ac2f30e2ae35784494cbb81ae11f881dff3da62bf499cb660a31b40f4c11b1a34509ac7d504bb8ca36bf5c744e9a8dc9194412c8fd81f3200f8ecce2b12e9
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
192KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
39.5MB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
39.5MB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB