Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 12:46
General
-
Target
01a8b3411735321192bb5911866d8e3b7bab6fa91bea6e8c4f96fcae46906751.exe
-
Size
665KB
-
MD5
19863ecb232b3715e065ac78b562cd08
-
SHA1
666b8eab387f26ea5988f2c90bb0b795d223154f
-
SHA256
01a8b3411735321192bb5911866d8e3b7bab6fa91bea6e8c4f96fcae46906751
-
SHA512
ebc8d56bb568a558c70b13d7ce47465bff24602360efdee6637b06b528b0d37b03c949f37331612ecbd95e0e13adfdc4cb008547c59a3e2a996db30455bebe90
-
SSDEEP
12288:KMr0y90xYg9WHHIfJraVvO4Z8XNuZ67grosNPp3KcSsrUT7E/w/Oe8G2Jo1uXX:KyyiG9maXNuYgfH6cSsriSw/Ozp21uXX
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01a8b3411735321192bb5911866d8e3b7bab6fa91bea6e8c4f96fcae46906751.exe"C:\Users\Admin\AppData\Local\Temp\01a8b3411735321192bb5911866d8e3b7bab6fa91bea6e8c4f96fcae46906751.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un944525.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un944525.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8858.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8858.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 10364⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2498.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2498.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1076 -ip 10761⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
524KB
MD508571fce1fa0b00e67a02735059f8a11
SHA1ce1e35dba2bfde2dfc2885def5be67aaddad3dbb
SHA2566f29d979f8f8f6009f54b4d3b7580c60f2ab787514e6892f3df039a154c101f7
SHA512fea7e22d9a0ff0f20b7f92a7a7694046f2dca9914f64dd5be7ec199861bc0778f1c0713a7acef99bc2880be2d978ffa6fdcb8b8bbc2c3ac250318e952e9352ba
-
Filesize
294KB
MD58113d19814223eff2576327d4a26fbda
SHA1224cfb28164f43b232d4d937a302e99222d7ae37
SHA25676c00da1904189b09f5c44238429e816232c1445822b26405dc4a3f6d47c5f0c
SHA512b33fc6c9834df0c29c5d90166c4e41f41f83cfaf38eb66f022265f0c29ab0272124dc0e51a919257ece13795df15405d42783e62461dbb8d5e76255d9e2f9722
-
Filesize
352KB
MD51f1807e74abb3357b26004afd8ed1a60
SHA15cdbc4f5fc10e3d6ece88de86dba99a7510a12f7
SHA256584a3323e20082d83dab4052a0f2e70b0cb56e5f3d6ceaec06d7f5e1a2776b9f
SHA5126a67f32ff0851d2d39371450763f35e971d531ba550bbca59fa262d01e6a2af6ebb70edefe2e67e046c97da095f1e9dcdc02ba6f7be2d9c3e14f987154374b5c
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
192KB
-
Filesize
4.0MB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
4.0MB
-
Filesize
192KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB