Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 16:16
General
-
Target
61e69360902999326fc2edc9ad98d0083dcc9d3dadf09f869cdef1994fa47b8a.exe
-
Size
665KB
-
MD5
c28755bc09052f8a72497263c5560e91
-
SHA1
711f6027e2186aac1c3b00e446af575546b549fa
-
SHA256
61e69360902999326fc2edc9ad98d0083dcc9d3dadf09f869cdef1994fa47b8a
-
SHA512
4e27558f0f090c2d51bb36461980c44c950228f98adc2a9ffb12334fb8c55cbafac2b292943cc7df85b0bccbe969387c1b2484247c81760a34ac45f6196de458
-
SSDEEP
12288:XMrgy90xi8r7Wb4p6EnpTa+wgAK5LzuUJ66N2bekL4LFK8:jyei8/SGvmkLCP6N2J4BN
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61e69360902999326fc2edc9ad98d0083dcc9d3dadf09f869cdef1994fa47b8a.exe"C:\Users\Admin\AppData\Local\Temp\61e69360902999326fc2edc9ad98d0083dcc9d3dadf09f869cdef1994fa47b8a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314883.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314883.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9761.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9761.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5543.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5543.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3972 -ip 39721⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
523KB
MD529fc00e818d3b8aa454ada43131d4249
SHA11ebd658696d55a33dd7418e707ba84bc765ed819
SHA256a6c3e5ab173019f706bcd541e7d90df4b8390cced31edaa516c2eea8d572ddd5
SHA512269f4087e6ca1c89ed28f44ec6bd458e3ff1346c3d6eb5f759b885bc53b56e5c08f18d9eed9a6d1fb3b0f92e50a1a831de212da4d549376028ec8886038647fb
-
Filesize
294KB
MD55f1fe8ca4a19b7addd321828a705ba41
SHA1e26a8b9a3c467aee850badf4baf0a2eb7900aa30
SHA256c47625272ffd209ecb26852eb5068200711911c1b2f7176ffde96c9f3db536a9
SHA5126157830090b8da6d7ea75525aa7043d30887a56abb5265618f73835c232659e2a4e8aa3ec95fee4ef6b2ad3d1d8e63f90083b844f38a3b8e87a8cbe90b2a1fa1
-
Filesize
353KB
MD51877bb0e7d5be6e32283bd84a3278db0
SHA18e45e7c06534e51eb9682b1de6f66e9ece979ce5
SHA25603e581534b1365ebb78384bda7cc1fd36bed8634a62d544b64250f5d114ed067
SHA5120475a19a14046be20aaef3aaf16d3f687c47a1edd0e79e0579184c9f8df46026c3082f3871367de31562c5ceaef78ff2e30b397a570125d1ae4032839c14b01d
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
252KB
-
Filesize
72KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
280KB
-
Filesize
72KB
-
Filesize
4.0MB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
4.0MB
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
1024KB