Analysis
-
max time kernel
147s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 00:48
General
-
Target
8b2e58664dbd3084345c5cef328337b37898f764f969d9e4fc0de7f548170433.exe
-
Size
652KB
-
MD5
63db3f6f49c2c4435d0be8cb90a4b2e3
-
SHA1
d7788c76b783357b308f391e94e4d43a172545f6
-
SHA256
8b2e58664dbd3084345c5cef328337b37898f764f969d9e4fc0de7f548170433
-
SHA512
4d7b0eb180a620e597903426f543a73c83013af20f19e9f8aea38c6c3c181263c1dfd4b7aad2e3e69b81df162e7bd7cf2e411d0923a05014250c1e9d5d79200c
-
SSDEEP
12288:rMrDy90mzBQO7oVPVzbQWmoiT/Mnqigri7PsTqVt9z/fbw3:gyJp0t/IcPkY7g
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b2e58664dbd3084345c5cef328337b37898f764f969d9e4fc0de7f548170433.exe"C:\Users\Admin\AppData\Local\Temp\8b2e58664dbd3084345c5cef328337b37898f764f969d9e4fc0de7f548170433.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinK5087.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinK5087.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr643581.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr643581.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku688925.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku688925.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 15044⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr074646.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr074646.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3464 -ip 34641⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD57ec863ace26528405b6bc24a962fae74
SHA103dc284443f4fd7aefa0cb0642f2cabfdbce355b
SHA256e9ceb886889af3ec9bf6ecec6f4931a2c1b3e73c8195da2a8d7b887d787279ff
SHA5127de522f3f6327f4c55421247da1b9efed5d32d02d9be7af5b6b6cd5d2d50adf469a60b002ba328b1bb60a42fe5d6e6f549305d4c549e8fcec5fe0c4ca4eaab06
-
Filesize
498KB
MD5d7c9e87cb4a9bb45539cffa536e2f67b
SHA1ee934103a8664ccea4534bf3dba4ee312c1e1df1
SHA2563f2c7c3f30bc005746408f6e17d73cd4f2477b7e2a2a2f7345bf0fcaacd8d978
SHA512795c68ab510e325d25577cf5b12d4c10d9c789f7d7ff79e4a7cb701e282e24f22461d90547a128ba0895f6b2aae4c88a238348c1aa3f0e38396131e99b394a03
-
Filesize
12KB
MD552e33a4b68758ff0257acb107f478469
SHA1257290d05b385b584991625424e630f45aff9a24
SHA2564ccb6767009255865495316da68e4eec9b67e4fbe301996002274865b4aeb72f
SHA512ddbc2704de587f4ff32edb398506d46f9a02dd9aa94736cd029dc04f0e6a7163129f35063b0a98d38ecd5f6a44d42d8143c2299d1a16a8db5b5e1abf1597e2a8
-
Filesize
417KB
MD5e71caf4d6a005f17f3e5292b35a444f5
SHA1caac26159054aea895d36954a693bac036c08aa2
SHA256c8fe789971cd59c037adabca802c7503e279944740563a50ed964b33e0af0765
SHA51289cbbb01db932dc42aa912dc87c772ef1b5152dbbc507c5f8126b449b6d52be742213ae6e5b9eed93310853a905769a91f962e11ee1b7c257d4078eeb92ff973
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
5.6MB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB