Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 09:57
General
-
Target
f139735abe22b63eb8818a6da1a81593f2c5cb6f59def6c09c455f51e44b5e93.exe
-
Size
802KB
-
MD5
865e09448e9d938ee3d3e7ac87652085
-
SHA1
28266a25e6b3e6412e270140ac05803cbd723f78
-
SHA256
f139735abe22b63eb8818a6da1a81593f2c5cb6f59def6c09c455f51e44b5e93
-
SHA512
d456a6c2c02c3817b3a471de7da8645c71764e37d407ff1c76157734cd2d257bbccb6337039b393d40d1da7689f16f5d4d452944c349d8d4237493ff3b97cc59
-
SSDEEP
24576:pyI9uGFD5P1EUWrchUZijBHsf2lZ+fq79Kh:cNCtP1ujAjBWly
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f139735abe22b63eb8818a6da1a81593f2c5cb6f59def6c09c455f51e44b5e93.exe"C:\Users\Admin\AppData\Local\Temp\f139735abe22b63eb8818a6da1a81593f2c5cb6f59def6c09c455f51e44b5e93.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089830.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089830.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4582.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4582.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8469.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8469.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 11924⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si111770.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si111770.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5040 -ip 50401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2616 -ip 26161⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD574fedc488b4d2b1ccae2e1f97aa909c2
SHA13f6e9823206d6d8a9eb3157c67183d2bf43a4a21
SHA2569ab8a5da15e78bf4c463ded3ae9ad505a9bc32b69cdbeb696e836ca70ce2d114
SHA5121d0a0a2e64e912478910f17278b4431e24021aec86176a6faf2622376e72c79016d9fdc4d28daf1ba4c08149ca6f2afd1d210986df0ab3f42dcd77cfc9648136
-
Filesize
648KB
MD582bb1f2689a5ba71260b86daffe7b931
SHA1f937d3472493601914d0e5c0da422277ca33832d
SHA256da7bbb0a4ec46c83d961dee43335b960709a20437d242764866b962c0644c102
SHA51226251637e07b93e8f1dcc1050668a3017f5065c7c15e07c294ad7f142daeb7591a7ab27f6992aca90e2789522c466e4b7f38bb209ba7a28ea9d7da07bc7ae74b
-
Filesize
252KB
MD538f3ef6ce5689a5a3054f116a4849f76
SHA145eec3d3efab0557a674e41d8726ff887020c265
SHA256603150531030b79a197aaeebf82ad50555822f11f61752baaa1b514a42b3b84b
SHA512fa31d57233bc3fee2180743be1bdc566999e30a47e077de1e52f296a323020714d9f8cfef012730a919c44df7166ee01ece80b4729032c42f38eb91b5ce20f94
-
Filesize
435KB
MD575c1e00b498a900a6f5b81a4c0061bdc
SHA1c82aca4bdc29452000f01672d97bf9ae622f5407
SHA256dd04e4e358f7c9f61f727a5a7dfdd986fa8fa62f6d4baac94eee2a64f2e2a10c
SHA51204e466486d23f68038975821bb88d437139e95172071743aac39da81aee1a18f7cf8945667482cfde4089072c56e98db4d35962753b6fc8587c10f53ad286921
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
192KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
692KB
-
Filesize
1024KB
-
Filesize
104KB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
692KB
-
Filesize
96KB
-
Filesize
692KB
-
Filesize
5.6MB
-
Filesize
184KB
-
Filesize
24KB