Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 03:27
General
-
Target
4c5bda3e7042c0d110c63ebcd3ee85ab79de5d2f0467ab1b779c6421725fbd53.exe
-
Size
810KB
-
MD5
44fc0eedb49ef054bf3fc579bfba43c4
-
SHA1
2fbba06e7522fc21ee7d20f8cdc7bd3e29a3a2f7
-
SHA256
4c5bda3e7042c0d110c63ebcd3ee85ab79de5d2f0467ab1b779c6421725fbd53
-
SHA512
0e66a3c3095a5e97d035f2072b1530b4d9542ec95d48d384ca1f606faf9ec8105c89f15ce9311a9e35e3020809efacf72e9d1c7019bb606cab529eb31b4d47ce
-
SSDEEP
12288:lMrwy90+OOQJ8hvyoX5jfBvmxhCwbcZGjJJfIzFunAJrcLbKWt/3PWyWQl7so3YL:1y6XJ8hvxbvChPckjrQ4KIu8PbQRL
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Extracted
redline
diza
185.161.248.90:4125
-
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c5bda3e7042c0d110c63ebcd3ee85ab79de5d2f0467ab1b779c6421725fbd53.exe"C:\Users\Admin\AppData\Local\Temp\4c5bda3e7042c0d110c63ebcd3ee85ab79de5d2f0467ab1b779c6421725fbd53.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un131142.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un131142.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr866005.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr866005.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 10844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu160210.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu160210.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 15244⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si540185.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si540185.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 232 -ip 2321⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5c52ebada00a59ec1f651a0e9fbcef2eb
SHA1e1941278df76616f1ca3202ef2a9f99d2592d52f
SHA25635d5cff482e78c0137b3c51556d1e14aab0f38921ebfe46abc979a826301d28e
SHA5126b11124fa6cfa1d2fdb8b6a4cc237b4a65ecbeb1797179568dcef378041ce05bdf0af9b6434cc0b3feb2479112d003b0fa5c0d2178c73bc65d35f5c2cfb36be2
-
Filesize
656KB
MD52e37fd12e41389001d8b2ccca6f82f36
SHA19c47550abeb089f341c64158ecf9fac6df69adbb
SHA25669337a8c21dad3120f0c7870a200021e4c0c5c289fbcb57dd5c0e0ded1fe8fc0
SHA5128c4feb0d2eca9201031079fc7421088b15d917e5a106be1122be5c57fa3904e82ab9c659cca22a349e3bb860fbd9269eb9bcaba0b5eaf488a515a54186ba6170
-
Filesize
254KB
MD5a966c15e0894678b20d95d6208c8d478
SHA1f32425f0f464148415de36faff9af3e8390920d4
SHA2564ac7aec026a296370d6122fb8275bf62229c12824b858d8fac133bb256821789
SHA51241c8971b6f8e831e06e94a7f37193492aaa14d376ace8f9a1728c7784831ce18ba6e0df8606b0678113b6338ca455ccb32a0bc76d8fa2771a00b55b3ed2734b4
-
Filesize
438KB
MD5e4c87132418f39ad708f50d70d57b6a9
SHA1f99aa989f9e164fed11b5e8ea2a6e94b4033d241
SHA256247c7ca445ba1a40c6c63482543f6d6b6cbbf56344178dd27e6aea8b871cd4c1
SHA512ff311c868c0614cb82dd85f1c37f249c7dfad7bf492761da2210f66f6745d7fad3231510524c92d6f6cc2653725e3c3833d4372f9d84e0cef3a16342449d1ab1
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
408KB
-
Filesize
384KB
-
Filesize
416KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
200KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
700KB
-
Filesize
192KB
-
Filesize
700KB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB