Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 05:43
General
-
Target
4f50802649e624d7cb34e2f23074f3e096df2ca9518cd4b7203330e94a69e78b.exe
-
Size
814KB
-
MD5
aa05d09c00e06eebbcb9bf76a5b7f10f
-
SHA1
8f9d9036071c33795a1819613be60c38e4d7f89e
-
SHA256
4f50802649e624d7cb34e2f23074f3e096df2ca9518cd4b7203330e94a69e78b
-
SHA512
d5eeed57512d24d1824647b13b39959a7fa8c417f62eb1fbeeecbcee432de51dbfcaa95bfc1785c63729c8d354affea82806d45ce5ac204f38f85bd7384d42c4
-
SSDEEP
12288:MMriy90Rt0jVr13KbVL18aAQkLr+/sBr9EXlVt2MiPSXVHcrSZBHke1fpa1Yrl:OyW6j5RCL17bkGUBr9i12HwawRk2Tl
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f50802649e624d7cb34e2f23074f3e096df2ca9518cd4b7203330e94a69e78b.exe"C:\Users\Admin\AppData\Local\Temp\4f50802649e624d7cb34e2f23074f3e096df2ca9518cd4b7203330e94a69e78b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un463232.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un463232.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3008.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3008.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 10044⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6655.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6655.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 12084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si655554.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si655554.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4712 -ip 47121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2152 -ip 21521⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD5faa01caf5dd941b4d1b652b5dc86bff4
SHA14f3613db33cec9053b6436b97f113a01a1797e7c
SHA2569c1f815ebdf5e9b5e57f084ca319c2757785b28c22c7d0987a62d5eec6b103e9
SHA512a2ebae394f7a3a4cff1ed378bb1414a90ef4ff60ff7e8fb04fc063ee09f4d82cef52c735149886f44347df6af37faa17bef8655f0ec9ead1db03be4dbca80278
-
Filesize
661KB
MD5534b55ad957bce580b7d7d5b69ddfc87
SHA1e70fcdba894736d982de7537fe62c21455883f5b
SHA256ea311a97c317314f5e5e56d0029e150eab40b977e450bb8dde13449c7bb274ae
SHA512ca1f3f8cd13df60e4068193e315436aee64c06981d055720d2f91aa357473ed592d6e942093bbbe1da62d00debfdc08574376f9d57f54f80357d3efe0af12784
-
Filesize
332KB
MD5d2c6609198f2b144fb9f7ea5e87f999a
SHA14a6bf94bb31537568250ece9834a5360d381993c
SHA256bff732d33438758c3654bc31c22ec1b6271f9a790cc154c96b5248179beecfe2
SHA5122949223c75e93ab867ca7abb8e618945cb42c093b9d378be0c82adce63e70569043d943ce77d2447a8ec03bc59e7d75a5b9cf0ba5547427ac4852d8f253af0fd
-
Filesize
495KB
MD5a3653a907f9e906a2d698d994bbed98b
SHA1115235d7f98ebc33fb42682389153ef4b5f44887
SHA256a045e7bebaad18581be7ff8a0e50f071d8871d47a021e44986269c1fdcc41e35
SHA512c47f5ae5f4dbe39aac4080686eb7f2c1ab306951087ae47b9e5b1cd8ee85cbb13909071732072b3d94aa921979f90d82c984697416147e37b68687b6f0cb716b
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
192KB
-
Filesize
5.6MB
-
Filesize
4.0MB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
96KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
240KB
-
Filesize
304KB