Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 10:01
General
-
Target
29e5198b9dad52a30af5f5f92ca24beec47731a3b215c40f29ffc3343e030dc1.exe
-
Size
652KB
-
MD5
fd18a08d5200b508e4c7fa9cbef4517c
-
SHA1
4080a48da78d1e4fb714fbb9d0ade4cce969eb20
-
SHA256
29e5198b9dad52a30af5f5f92ca24beec47731a3b215c40f29ffc3343e030dc1
-
SHA512
d59e61ca343274daf444a89dae0e7d779c3e791a7d401b9d4f817eb8feb97d832c118e703e883856e06be81e2b5682c3e037292301ff49bb69f87e9d70b2350c
-
SSDEEP
12288:SMrLy90gf5hIxLJU5hGoMTbKHiWr12PsdEVlK3ZFb08PE4:Zy0ohCpPOV3ZFbX
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\29e5198b9dad52a30af5f5f92ca24beec47731a3b215c40f29ffc3343e030dc1.exe"C:\Users\Admin\AppData\Local\Temp\29e5198b9dad52a30af5f5f92ca24beec47731a3b215c40f29ffc3343e030dc1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVg3461.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVg3461.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904170.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904170.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku575342.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku575342.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 13684⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr166712.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr166712.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3600 -ip 36001⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD5583c0b06d507a3f8bae0cb4bb1582367
SHA18ae2a60da0d7550c89d4f11e07f87d05e35c1aad
SHA2567b5bd9ed6c2f867799ceb1e820f59932a67842f540b05071ad8a00e3e3fa8384
SHA512bf5ff548bcc55b9223cc8cad2738a6d09890afe645093c5120fb83f00a7b7285df2acfacbda76820acde9e9dda39cd4cb36bcf28e8fdcfd153cc911cf46ecb66
-
Filesize
498KB
MD5b56a4351e624c1499862bb2f0b74ab6f
SHA15443d2271d64b32c0383a5991f5a06750a995be9
SHA2568cd685867299d41ddffeaacbe008a526e50ce3b72988a13502a20b1999159975
SHA5127a6ad8917b1988a2423b1b3122040f810aea6f9eb7ecf1eab7b60b3692a20ccb206f82e64b4aa22641701fcb693e19172f75beace30c584bd281c5bac437806c
-
Filesize
12KB
MD512062a4266340877d8b94187263814c4
SHA18d3bdebf5d133365b3c290a234219385c1853ab6
SHA25688187dac637c43663fcb06e89552f34546ebbd114d98b35d30bda62cde94b49b
SHA51205f2123228e7f57af5f47d51efcf7fcadbbe6dd3de7e9fc82bf47bf47d63bf105d9b98d1c164b17c1608e5fb3ebc236ef0a44131355adfa2281cca124b41474c
-
Filesize
417KB
MD5cab6a1ce520677cdbb2fc76072b9e597
SHA1341f65d8925f3b283945725d96df7c33d9df1c3f
SHA256aa009bb29869f1e80c47cd8d7e6517440af5dc7519ea38058c3068b7d0c16cbd
SHA512bda41dc502bc831da9a6a1d409c0129177a01f3384f6cbca1c46a94e49d510b0be08d5b12f228c48f5fc66ca971759e4020a83a0dd7d43b6497dd8ea667f67d5
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB