Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 23:21
General
-
Target
5a8a9f76c63768bc8e2bb7102a6bc0c736c865286f75eb07445648648b2f63d1.exe
-
Size
684KB
-
MD5
5b0b06f87aad9ca612d988643d8eedba
-
SHA1
52a5b82d41882a66f491243f25bfebbdaa775193
-
SHA256
5a8a9f76c63768bc8e2bb7102a6bc0c736c865286f75eb07445648648b2f63d1
-
SHA512
db37a1fb4e989faa6f9eba60f356be3621e45ce7d8fcbb84820ee1f9f82b97bf898f07f8ba71efa53add29deb0b9decc8128842b12063242a3f3cd517d9e32c4
-
SSDEEP
12288:qMrey90EuvwC4f2CI3jIyno5MiFLn73CMiWkXSLOmV0PfqJIJhUBLa:Iy3u/4fENnCLDCtBrG06J0hUBO
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a8a9f76c63768bc8e2bb7102a6bc0c736c865286f75eb07445648648b2f63d1.exe"C:\Users\Admin\AppData\Local\Temp\5a8a9f76c63768bc8e2bb7102a6bc0c736c865286f75eb07445648648b2f63d1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWy5360.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWy5360.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr762133.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr762133.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku643753.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku643753.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 15044⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr296071.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr296071.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2164 -ip 21641⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD502f50661053193e06e30fc1975152046
SHA151e675e8fe985866106b28aea16574a554b4e3dc
SHA25689b5c6bfbb47d91856341f84f68c8035f75eec8cfb28325728deabc5a66ff0c5
SHA512a5f5257c597e47e4d0e2593a609ed7d96030f7401a312287abe50c7b2cad1cae9f0de739578a0d9bb68203fbf5ad41ddc29b8085e67b9fc51cdb0143028ccfb2
-
Filesize
530KB
MD50cbea8a001ed7e2e6d18f93cb5d01daf
SHA1f6e28de5c53136865e8fea5f36380581e223c036
SHA2560657b1982cab49d504143df319ebc66c4df7712259290cac886a99fb1fc6e5ff
SHA5122d33ac9db04830f40bf1acbb11a1c2f5873579873a8918a800f6545c6517d5d341652aec1f03e9248f2983cadef7be755913de757654ef951727a9b1044faf0c
-
Filesize
12KB
MD5ce2374792003f15c1151270d5a993a71
SHA19311341e8c0c9d438accb6125f7cc266cb56cb1f
SHA25631cd0ae0cf5ddcae173e5fb2fdb0cd0660b3d798e0e879c7cde689377f64aa01
SHA512bd6e1b2202fc9389964798c2b13ad90d356198ffd4e2cdcc9892fd03ef94f70e6b1179a429726105f62587c21ec350d18e46d7213cdb8a54e6f19fd79c7746a2
-
Filesize
495KB
MD53650500f99447fa5bbb8eda5e9b0697f
SHA12841fd11c485e7f921a6ce461802bf0f261d762c
SHA2569c14c57ee428847d9423f1b48c97703e14fc9958d3e9bde6d0a0291c6ce6330a
SHA512eca4a60e12a5b7022cf6f6d860e43c6bac04d0a3e2abbc8ba2b5cf6897b3054b404bd908c03eeaade80b6b31d80616c4b7faba5b0a40cf8016fef2c667a7c8d8
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
5.6MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB