Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 19:10
General
-
Target
6412e8ff2f662e7cd9e12b55907724a55649a804871932c121e91c6beaf6a0d3.exe
-
Size
656KB
-
MD5
aa1b77582c7930b49069e95687cf3f10
-
SHA1
d83472b2a6e1433892a90a459d2e9a04eec81599
-
SHA256
6412e8ff2f662e7cd9e12b55907724a55649a804871932c121e91c6beaf6a0d3
-
SHA512
4672dc6a682e7aa7792e63ba7ec55e17b031dd9d6f88cf7b64616d5d15acdd62f55a4d8bdda8ea6c8c414daf1ad6285e227fcac06bb072dcea5b8e235e6c94d9
-
SSDEEP
12288:WMrqy90B8Tjo6EhH8SSk9KAIESnX82t44aGmZ5bqlfgr/Nq2AXVDoP7+6JIDf:Ay68v4/nEnXj/aGmZ4lWq2cVsP7+XDf
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6412e8ff2f662e7cd9e12b55907724a55649a804871932c121e91c6beaf6a0d3.exe"C:\Users\Admin\AppData\Local\Temp\6412e8ff2f662e7cd9e12b55907724a55649a804871932c121e91c6beaf6a0d3.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMm0344.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMm0344.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr341381.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr341381.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku387477.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku387477.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 13764⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947583.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947583.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1992 -ip 19921⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD56cd6e505bc317c7c9bbb65743dfcf4a6
SHA1c1900a7c352dfcdd0f485680c5c06926793a3375
SHA25653693661bb16a1a9aefa5f8941cd8a9b01a029f7df28d3dc094e83b3eeeb143a
SHA512720838028f5603478f5e662dbd25ff3dcaa1795671665d4e3dac4dcf0bb49264931d306afd1656a33dc76d62e4a59b12bf6e4c6bae57619e5895b926796a376a
-
Filesize
502KB
MD52218c15dad60805ee0e8340e45af9e41
SHA174b2a281b1c2d12156a4cb11391708ce9c155e44
SHA256696ca22ff9620d1d2257639c5bebf493e50eaacf7a06a180e919286024985449
SHA512ed30c51e3e0cc1bfa46fe52509010cb2eb91861690f0973a5af330d4f65a4e1c49cb6f54a4a5aa44bdc8d0e3799a8cd47f2695f6a64b07e3deacb3e79c1382e0
-
Filesize
11KB
MD5299231cb5aa7387acba039725b52f6af
SHA14d66492072929aa56df495a928f98ce8225e0901
SHA256300f44a09d74ac717bf5a12e59262a048638dabdf99c86c1c9908bdfa6e4c60b
SHA51271957e882d6f5459c24435341bd5e0247572419bb2c654d0e8fa08a0dfffa4706fd20089c1930ba6d5bf9b903679db443fb40ffc01a2562636d441fb6a3dff84
-
Filesize
424KB
MD5340be4d2dd2ef0ce82e5cd4576cbfe29
SHA1daa60d52f08b5e8627001eae2bf2155a526e9d55
SHA2564326f901a2ae4f9e9b66db50a22a02589175fc8b70c216e5f1ec96dd4b35a042
SHA512c759651b235325ef06764583c1104b8e36d3d79bd8f1473bcfad7035af9247dabb339d819b36d3db3a0e4c06b92bcfeb77ab0c49e149b43908bc0951d68b4fb8
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
5.6MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
24KB