Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 12:30
General
-
Target
eabb979eb68f604cebdd113d5990b3d04c89b2479182327a4885186f932e61c6.exe
-
Size
684KB
-
MD5
b108299649c97d6cd8e8c18786454cd2
-
SHA1
2527dd0ad6a46727b74b9966865b614771d102dc
-
SHA256
eabb979eb68f604cebdd113d5990b3d04c89b2479182327a4885186f932e61c6
-
SHA512
3e26e06990e1b38a2274c083cff495f6a93b704f2e76e830a73f49f3b5b6cc0cd84c0726b609fac1422913f847969e4d66341b59ccbb19a7fa2c245ddeb119ee
-
SSDEEP
12288:UMrIy90GyxPyqnA60u1SqGQnnQp2cU/SxMA5rSPRVhXiDv6YjGDV8:kyVATnA6hDGQng2HObOVhSDv7qDy
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eabb979eb68f604cebdd113d5990b3d04c89b2479182327a4885186f932e61c6.exe"C:\Users\Admin\AppData\Local\Temp\eabb979eb68f604cebdd113d5990b3d04c89b2479182327a4885186f932e61c6.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVc7034.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVc7034.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946684.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946684.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku648914.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku648914.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 14404⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr210388.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr210388.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1352 -ip 13521⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD52ca0862e8cd118933b72ae797a900c96
SHA1f719808b560dc387f3de3d15a3c8deab41868a8d
SHA2567c212eec4d5a224a496adddd8ceabe994747ece58a7a5a36df48f5ee6ea5130c
SHA512bc1390a16e23f00c582d83786fff5307ad8ba7142c09a199ea087e51f8c452b06ce91e57a5a6ef0255fcbac8c5ee78de40f44a486ea488e24f52405e9b59d1b4
-
Filesize
531KB
MD50bfc0cae01c9b29b01b0b2f059ea7a67
SHA1c8d613dd7ebeba763478786e53387fba112c394d
SHA2563f39fbfe9e173ebebee41019a76971bd3768b9c696f84f41de2e4c3a5cbca9c7
SHA512abd8f5dbce6cef149ed3fb2adc203eac98ee038d2398a1ec9376022e2a95d6f3fab8dafe09b8c4685da861577f3bdfb8f94108eacaa23f60591d2337b3d315e1
-
Filesize
12KB
MD5ee3cd6f82b4479ebf9322653a5307243
SHA123a2fb6a9a65e1b306c52ed377f037f743453f9d
SHA2569806fa5b6a4a2e57aa9db82eac0d9efdab32fca014c195fd3fd19e06331489bd
SHA512f2f71c505a589801ce8569f904a520be85158ea5505e7640c3f31ebf0b0cd0c5159a51b6169d8b16e68d900eb406ee244be2879ada3783a96dfd4395bc4e122b
-
Filesize
495KB
MD519c7fc8508125eea5d8c426ab932ae06
SHA1f6fcb47fa78115b8b72c985ea9ca68edb5253238
SHA256c3368d8f1a5fbee1935a7ed5894593a39f80f50f9aad0e0709fe309cd6fb6cd9
SHA51279f4742c14cda1b60cc0e5d08861e47668792d46ebc4d00fcf599e2479f51133655d7381912a6e1871ba2bdda055b4cf558c86b0a7cecf0564641ffafbe2d71a
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
5.6MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB