Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 04:07
General
-
Target
f6b6bb9ad7c4087b8b4685413ca55ea427b0875d4ebf1e4c8aa1bbfdb4af756d.exe
-
Size
787KB
-
MD5
dd4e856497b06f37c7fff9c0440a0417
-
SHA1
a357f703117c72a18c8389f9e4f21762235b4905
-
SHA256
f6b6bb9ad7c4087b8b4685413ca55ea427b0875d4ebf1e4c8aa1bbfdb4af756d
-
SHA512
23c7b5fc20b3e5d45fb728fafc6ee9174d4005d80327c87ed6fc797d05c7bfc49b44d5be9a006dbd7cbb2eafb85bd225cd22afa40cafdb4779f02b5d6cabcd16
-
SSDEEP
24576:LyIqcA4RQqubrrhjQoiGml5mtqJUsCxF:+DHqubrFjQ66mtql
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6b6bb9ad7c4087b8b4685413ca55ea427b0875d4ebf1e4c8aa1bbfdb4af756d.exe"C:\Users\Admin\AppData\Local\Temp\f6b6bb9ad7c4087b8b4685413ca55ea427b0875d4ebf1e4c8aa1bbfdb4af756d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260286.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un260286.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2166.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2166.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0460.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0460.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 13804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si930610.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si930610.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2672 -ip 26721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3428 -ip 34281⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5eba91197f81397b8538189369c5c8c13
SHA17a625529cea34e2ccb4c45f216e5a4e465877be4
SHA256341de150191592a47bbdd88da695fce9dfbda8f11b6f688cab352f7035af23a7
SHA5126123d4cff0f33d9758eaef175009e0931f9db64e7e749fdba23661a0b4c3ce18e5f82050a8fdf125e0412d27ccf6e6287bd76a7112079b576befc8e2ceb799d3
-
Filesize
633KB
MD556f46941684bc906905a3897db46b2b5
SHA10d7ee7f97e0973cb9f3519f6e444d250b23fb34b
SHA2566b8455e899acabc0885f6a7d1c7fd8a1ed976d52fec60ade95367219c6c8eea6
SHA5120c782a96b7264b89179dfcab805bc02e8b3545e434ae0e81c216cb7e173bda2db65e4e7d5c30c16dd6841e801f063284b91f5c2225c9a1f60616d59d833d1aec
-
Filesize
231KB
MD5fbc57695624da06412dbab6820d9c775
SHA198bcdd3d9a5bd5f408ae0a3b694fbb0beba3c82e
SHA256962fc04ae29a7443371b051ba999c08212fc7d279025701cb12663a5d043b1c2
SHA5126f4feb8dee6b4d44e8d5e5d3c5d36594f328b8cb20b7ed999b65569e0e19c475109e0406e84d8617e49ba56eefcaa392fdd79089fa01b8e3e3affd1a4d9aed71
-
Filesize
414KB
MD571324b863a9bf0754d87db9a663543d4
SHA17108b099e19f0f42fd6ff3b03e235cad85bd0fdf
SHA256465bd59ff7cc9a56fc5e09954326ade5bfa3935927f679b224db2079fba62b43
SHA512a651b442b2c1a6d3e82a916c5de58a104df4b2bdf54e18c3439915410fc108f8225a003f985a654a2d7602f601712d3da5c6be8814b72d644b3c6eb47c0b00ac
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
672KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
672KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
192KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB