Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 12:07
General
-
Target
437e3b6d6efa061ad5105321b8410a6f7a3dbf5ecdffe0e621b4ddba5b2cfea5.exe
-
Size
652KB
-
MD5
4a989fa705deb9ef3da191075817b446
-
SHA1
f5e20651c79024abe28e501c437b031367db101e
-
SHA256
437e3b6d6efa061ad5105321b8410a6f7a3dbf5ecdffe0e621b4ddba5b2cfea5
-
SHA512
5189b8212b71a172a08dc3b49686e96545a2b5fac7012579445e87d86ea34fc36a1aeb9b274146b76aa61b384c53e62a7d4c2bcc2f5ca80f514e2e06046ddd76
-
SSDEEP
12288:NMrRy90bCJYW+ICCqKbLNXs5oITsDA/inrDxPxitVQzDK3RIRppoz:ky9NzqALup4P0IDK36Rppoz
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\437e3b6d6efa061ad5105321b8410a6f7a3dbf5ecdffe0e621b4ddba5b2cfea5.exe"C:\Users\Admin\AppData\Local\Temp\437e3b6d6efa061ad5105321b8410a6f7a3dbf5ecdffe0e621b4ddba5b2cfea5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitI1540.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitI1540.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr856276.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr856276.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku374099.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku374099.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 11884⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr244960.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr244960.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4696 -ip 46961⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD531f70adbdffde72cd3ce94f3048f81d7
SHA17dddc3e4451de653a49416689b9ff7a7620cc253
SHA256a89de009f4d1a6c456ed9b7d1e4950fccea04f6ec59773add42895622ee2c7d1
SHA51207611206e7730919c8c28fdd0130d01b2cfe01e66fd1f4d58900928c401d4848b91f767ba746a52f6e7631a12d2fa69845757b68aab11c4d8b38002cb7426427
-
Filesize
498KB
MD5d0dba9366670fea5b56f8dc07ad97ecd
SHA13a6152d3d9012028036e8e53af9a2ff45fa644c8
SHA2568920c8a43e8908fb3c0d64dfb88a46f0f246087e6b5b3ed067013a1af7f24ccf
SHA5129498529a63fb3ee9b007e9e88656af0ce37c65c9f0e864483ee873a1f4157b61eeadba8512e05c934212d7009358f52f94e1083ca5b49d561071756414d4d8e1
-
Filesize
12KB
MD540b97bea8ea482efe7dcac99ff346975
SHA1edc0d003964280d9c4d474c83c431b2de02ac484
SHA2565972944f9520140b581f507781d18c4748db6a3ead7358e1983979a485cd10cf
SHA512d5bd8f8f05872b7045493276bb4833c332b244a46aeb96209b68bff389aba699be83961a9cb854fb329754d6b462e40cf62a268c763db0bce05c724989e534e5
-
Filesize
417KB
MD58b8d8f5883e7ff86a31b334ea6df1266
SHA17f29e17aa685b6ab5bc823befc5f280faed9a870
SHA2562fe172c2e151e9c5576b05fe835d092c55cf3947d31c44387effea3e69d76e9a
SHA5123ce57ddddf0147f54883e57a9c1df5142c84479c70463ae456d19e0a9c4bd18329969929bbadb2968fc9f6a6b001a2e3b4de1e1b48bdbf0510c31dde1d88819d
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
184KB
-
Filesize
24KB