Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 10:57
General
-
Target
a1aef7aa55c7a689e3146f9d3808be0b8b8ada004f158fbdc35bd00e13c1b3dc.exe
-
Size
658KB
-
MD5
0f9fa37ac6480d890f23496da7978880
-
SHA1
7725c9e32f36f85a6bdee912bb636c980ee415b4
-
SHA256
a1aef7aa55c7a689e3146f9d3808be0b8b8ada004f158fbdc35bd00e13c1b3dc
-
SHA512
775e2a577d56458271983606deb9dff8f12ab862990006794b9467027f01b83e1dca66b3c2ab9b5fa3ad6bd734bf8ecf6c15022c0a99b6b23d4b40ac2eb900b2
-
SSDEEP
12288:+Mrgy90YFcPRLqa6rWgudw10+N+s3nK5l7MGr+EUZxIQAbcclD:yyjiJormC1gsXIMG+EUzIQd6
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1aef7aa55c7a689e3146f9d3808be0b8b8ada004f158fbdc35bd00e13c1b3dc.exe"C:\Users\Admin\AppData\Local\Temp\a1aef7aa55c7a689e3146f9d3808be0b8b8ada004f158fbdc35bd00e13c1b3dc.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093159.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093159.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0668.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0668.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 10724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9921.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9921.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3912 -ip 39121⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
516KB
MD53febdda0723e0ef3dfbe22ee286071b6
SHA137bf7f375b51c5e9becf96ecbd8e1ab43aa140f2
SHA2565d9a8279cdcb82d4c650f2b13035e0f93edfd807ae51fed8dc46b17bf6cc1084
SHA512babe404c204dd8aa21267c8754258256ef7efb67327251fc983decfc667a6da123a87608bad32c60c9d5f52d5ee63f092697c65261a794c6c451aec96b4307a4
-
Filesize
295KB
MD5978746afbabcbaf482c15937b88d91c3
SHA194cb8cf03f66f58c97ab55b2a01f7ee70b03fa44
SHA256d4185ce7a9c1b44de0b25eb11a842a6bd05e250af3dba5b639a4728f0c65dd87
SHA5126f5d62fd98b7a4727c139e0843a3edb336ba58b2a38b3ab6009ee3f02c830a836f9fedd67d1559eaf916efa1e7e06befa7d191db153fb25395d9f29df9775538
-
Filesize
354KB
MD55e72b7e607afddcea6a6fa3feebb1ca9
SHA19fa7ca4f7635171a50a18cc1812f380b665364db
SHA256e261fd5a73550b69e93a913891f95145d85c49350ce5963c2ff0529ab2494559
SHA5124af5f39da5c8f2fb4118624361082018f05bc7daff3082002290e6420e6a46a895c88872e2896647699c5a75adb3d7a8a39a3948bf2e89c5631680dd6cd950d3
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
252KB
-
Filesize
72KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
280KB
-
Filesize
72KB
-
Filesize
39.5MB
-
Filesize
192KB
-
Filesize
39.5MB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
1024KB