Analysis
-
max time kernel
145s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 08:55
General
-
Target
9059905fc0b09c4131495cb70cb8298973bfa35084e3c8064adc86d7269fe2b7.exe
-
Size
652KB
-
MD5
e2e085e94072b6c48741c164c32ada69
-
SHA1
f528f7502b343914a4b005eef1272009d8d6008b
-
SHA256
9059905fc0b09c4131495cb70cb8298973bfa35084e3c8064adc86d7269fe2b7
-
SHA512
b97a9ae3031765950fab469356b2b8ed39702fb281564e93c4b30236d7b5caf0a745e8369d09cdb11f2fe2ecb9e776db84c59dfecbd8ff9f072ee03fe854b876
-
SSDEEP
12288:HMr5y90/SoOG12Fwc2jooT0WNGiWriYPSqrV4R2xKBbR:ayNoyFkHaPrER
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9059905fc0b09c4131495cb70cb8298973bfa35084e3c8064adc86d7269fe2b7.exe"C:\Users\Admin\AppData\Local\Temp\9059905fc0b09c4131495cb70cb8298973bfa35084e3c8064adc86d7269fe2b7.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRm1421.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRm1421.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr208662.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr208662.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku647936.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku647936.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 15604⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr510564.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr510564.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4864 -ip 48641⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD59b2e4c2344ba64bffd3d2c6f4707926b
SHA174b15a4d4d0c769b23760f49e8c2047a2a6a7cb0
SHA256374258980efab47f0d5e9f33de98662f3e98cf7271e33c3881a666a66b8fd247
SHA512e37a400702ce3e11b8b5f5d990a9a5800c33f635ee79012329aee0578573f7222b61c80fba5fb4b461f6c383b952e4ca62ef48b08f3c3febac73bcf3914cb2ff
-
Filesize
498KB
MD5706300330f0454c16c33fd716c61e325
SHA1fb0486bba970e836eaa6f4e4025db9469db37b00
SHA256143c7a83150fd69408625e4b8ec253ee9af6783d37b8720ba1f9aadadd846935
SHA512115ae74c10596fd4ad9d6fff9a98ff5ffb18035a5817d1ed5dd45f78a8d6e36a515478a7f4d1f7c7f3f208e3bed2afc38ddbbd0a6d8f7b032c9f75aa23e8ab82
-
Filesize
12KB
MD56662ba1134c72ccf34df866bfd295a59
SHA15ce4955ea528eef7eb3d00676a80f10b04cd2f6b
SHA256f8917938655b1e02eff23007f81c00c18ad0a2802fd1ce537996b9a3bd256dad
SHA512aa2e664773b57996e447c3108ba262f4d871b7ca1ab55b95da08288704b475e61396c4fab59681fc18cca0263697e83bbcdc6e1a5fb39bcb9a835b61acacd906
-
Filesize
417KB
MD5aee26019006ac5fd57656322e4819990
SHA1a33d0a690f8ce1f7fcd7be21eb5cd7c98b67aa77
SHA2567e39b1bd4d08149b9fe2886e0c46f9b0dec6c65fcf2d262d6990007cdbab4dc6
SHA51267454841393cc51f560f13c7c5fcfa638f85a86ef1fde859374427c0d23f9c99a3a8405efcde160dae522f35736badf4d4a00c2b123e8e97b0e75b6467b53a9a
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
5.6MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB