Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-11-2024 13:37
General
-
Target
2eaa35e109fb24340865d2120b2c785641af4b09512eb72769c463d07728401c.exe
-
Size
652KB
-
MD5
44628e6f70832d41dfef14046732cd93
-
SHA1
43fd32ff96451fcce81b390204daca795bb976cb
-
SHA256
2eaa35e109fb24340865d2120b2c785641af4b09512eb72769c463d07728401c
-
SHA512
b3658913f0bcbab07ba45cb5d96dbdb131dab9a8ad167423af5d3746442b3dc1aadd11f3c0ccbd4adf4d15bae913f1582b09c148ee8165cdf82617ceb31d162c
-
SSDEEP
12288:DMrMy90q8ChnKYGXX65kWjuoBTDBEiTr3yPs9JVo7gzbmjS:/yDnKYGXX6uWj5+POKCae
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
diza
77.91.124.145:4125
-
auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eaa35e109fb24340865d2120b2c785641af4b09512eb72769c463d07728401c.exe"C:\Users\Admin\AppData\Local\Temp\2eaa35e109fb24340865d2120b2c785641af4b09512eb72769c463d07728401c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWK1507.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziWK1507.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr048378.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr048378.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku402979.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku402979.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 13764⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr869247.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr869247.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4208 -ip 42081⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD549cb757bd6049b13a038f9515740397d
SHA163080994be10c2c2bedf5af5c1b542e3c5359232
SHA256808251ba56844539e2ec192e22df5844db77ccd436ca25550883912846dbc84a
SHA5125cd8e29071690b859c4188278447c3b72aec270a2f58c938b306d2f10c8838d9ab26f43dafca656b8e6d61edf01c8d6acc08414fa02c811916b785fb008beea1
-
Filesize
498KB
MD58e69b3aa2043167b7dca11b192a28430
SHA130b932febf22b843844df7b42e238b0482546c28
SHA2568f52d891ae5f735eb8dcb638aede69df3f67d3669189421e982cd356190575e0
SHA51265b13ed25a09317b6c255b213e4f253ccffbc768d214428d1812e651cc7abf99ee58e78af15f36dc815431a6b14f08439ef318fb1043df70c4e823264c802dc1
-
Filesize
12KB
MD5d6edf64d84deb2b2d901ac876d685b66
SHA19dbbc638ce066eef886dbe403caf3d18b5c959b7
SHA2569b3b0e97e68e9e705da8dad6cf5589285293cb8a15625a1f20d825ef8c51f2ea
SHA5127de67ca58f967b1c541886460c9ffb41ac55bee6dcf69668aeb48d121ae3833842b128c6d07cb73236ed773dc074056bf38d79a3648fc63ca183e2054a2d28ef
-
Filesize
417KB
MD5277ff08da25d4815c59ccfcd3e6b9e88
SHA17ccf42ba8b34a42a646f085cc53a2bdd4eba032a
SHA25608332fc2e83702a9523ee6d9bb5d258655150fc7fce55debecd9e42854efe172
SHA512f06f42b1e8d94bd12ef2df6a7f6279c10ea92a8ff5730c2ae339392361105d485a411a7c62088383baf2caaabc0165cb4bc8fa222a8da7a6941b4dbda6ccf4f5
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
6.1MB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
184KB
-
Filesize
24KB