Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-11-2024 22:13
General
-
Target
6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe
-
Size
500KB
-
MD5
d39a9f2eda16903129fa0c258553ad87
-
SHA1
902524360c2c19db5013ea2b71b9501e0cf331f7
-
SHA256
6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04
-
SHA512
b4af033e01db1d2f6f3b044886d0e3178d748083c548d0447cb0971ae6288992600ed8692677d03b1c9956508bccdc21775b873a3aaf2c97a8cb5d00d459eb36
-
SSDEEP
6144:Kmy+bnr+Qp0yN90QEtqybGrKyccUkS8S2pIk12u/VtSQsr40IVO6cdleaWRavXcZ:+Mrcy90vqMAy8pUu/VItNIFavrO9Nf
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe"C:\Users\Admin\AppData\Local\Temp\6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVi09iX58.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVi09iX58.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTO76QM.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTO76QM.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNb86CC.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNb86CC.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 10044⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSY55RP.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSY55RP.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3044 -ip 30441⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
356KB
MD58237dd2b977712104da744b69e4d8c72
SHA18641b14740222d7c931cc58006bd087d12024e0d
SHA256d971031bba2fb45e5056cb4418491479d109e53a2b3ccdcfead6301bd9a2a58c
SHA512b0d826ba11f67ed3024eb9d3f338a317884caff9535bc0a37abc005cf83833f306fcbd8669e52f269a53f91e98349ba34c3b66e4ee9c68196a8a39f4002ff4a0
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
295KB
MD52338c84711b756237e614c3869cf6100
SHA16146eace912945070cb084fe3839c8d2dc27c403
SHA256fbfd8bd7e7ff54ce43c209c34a9959ad1abe7325209756decc04e3d9a44ff87b
SHA51224bd3e70fc0ac61f6fcc432de5e93ac38c66eb3fb0e9b09337acc526873dd42f779f2741761ffb1677936e8f219f3c3b683c9476d8ab604803795fc323c7bae6
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
200KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB