Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 11:33
General
-
Target
5b796031794cc0471fc2316105b3469408550a14b85c8ce740ee62919917d20b.exe
-
Size
657KB
-
MD5
e3bf750c92b72ee912ab82a178f14bb7
-
SHA1
47d9aa79980cf9c7a00f8fa42ad7f789161e713f
-
SHA256
5b796031794cc0471fc2316105b3469408550a14b85c8ce740ee62919917d20b
-
SHA512
e6e76521796de8824863a7313dfc9ce85853f4a671d7106f067b82ca9da32412215cae0a466097173fc0b0bf4fdf241d49733ed690d0177f6621be6787659eb8
-
SSDEEP
12288:TMrhy90/WgEKV07CgCI3gLhZORibYep9Ye6xLbsjGDVHp4VlP71:eyPKCebxLRDkLbIeVJ4Vlx
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b796031794cc0471fc2316105b3469408550a14b85c8ce740ee62919917d20b.exe"C:\Users\Admin\AppData\Local\Temp\5b796031794cc0471fc2316105b3469408550a14b85c8ce740ee62919917d20b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082382.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082382.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0793.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0793.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 10844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2029.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2029.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2912 -ip 29121⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
515KB
MD5393678a238e2566d4736aea523da6fbf
SHA190b750920728e468ea5e16e54c86cb33451ffd19
SHA256c9fe732bdaa6231ff329353c7bf2a565f9172a940f38053810aedbb69c2e7376
SHA51264eaead19ce2fa5be528a2cceea035d6c558e115fe64a6b1efa432ea3971c74a267892955165ce5c4c7ea078eeb6e6fcecffb25506f65b16d410b43c248cbf23
-
Filesize
284KB
MD5c1c06f59dde4c6bc17bd0b8d4c5216df
SHA1890863afc9c7cb5c4c26a02de1a1ab13d1df246d
SHA2560ff525f75b1e36c4bb24b7446689de6a47a4f60dd761ae63482de9f00506f34d
SHA51211a1ca4bbb5183c503ec8cd3c671d7322cdcf7bb794a82075bf6874d8898271cc78915d6b8785a63f8c174b6b5ca329a0a5ddc68dbd508bab0950da5d42b68f9
-
Filesize
342KB
MD5cfc2894e36aa1e2ba865c7a0ee566518
SHA1cf5998d77bae1523b35052d19580610c889e001c
SHA256042b631fbb415efde286d682be7dc017def67a565ef03e1e3f6e57b7678660e0
SHA5120088f75a2b01d373e2cf38787039d7c23a46711fdc8e6109126fc175c6e2d13c71bc808861de901fa0ff65bb615feb1d994f198c836487b487deeec73052a3b6
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
304KB
-
Filesize
252KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
280KB
-
Filesize
252KB
-
Filesize
240KB
-
Filesize
252KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
39.5MB
-
Filesize
39.5MB
-
Filesize
72KB
-
Filesize
39.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB