Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-11-2024 04:13
General
-
Target
2d125c4b3bfa149c43d524e8931140142096fc7a96c119cab15c9b3dc558a8a7.exe
-
Size
1.0MB
-
MD5
f3eeca6aa9f46483ab7d3a024bada72e
-
SHA1
403276188d3dbdb6a87d866c1df8bb3a443e07e7
-
SHA256
2d125c4b3bfa149c43d524e8931140142096fc7a96c119cab15c9b3dc558a8a7
-
SHA512
4bea2d89e8004677b82c806bb96f8ca3e8160a23fdd41d4f7bfce710c3ac004c3cf4a9fd85d4484250426c54114c212ffd32b04aa8daf5a26a887105bd0d39b6
-
SSDEEP
24576:Zy2VVaU5q6XArL4IJaL8XbVaD/gQGJ7jflLcEn8z:M2VVaUpAf4IJdXlLtLrn
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
droz
77.91.124.145:4125
-
auth_value
d099adf6dbf6ccb8e16967104280634a
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d125c4b3bfa149c43d524e8931140142096fc7a96c119cab15c9b3dc558a8a7.exe"C:\Users\Admin\AppData\Local\Temp\2d125c4b3bfa149c43d524e8931140142096fc7a96c119cab15c9b3dc558a8a7.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un281174.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un281174.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un030570.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un030570.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr040170.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr040170.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 10805⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu907708.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu907708.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 2485⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk039631.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk039631.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3212 -ip 32121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1432 -ip 14321⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
798KB
MD5f3ddf8d9356e875fcefab384d5a59fad
SHA149bf6f6b8a843474dc35f68ecbf3030336c450ec
SHA25600c83a5762f6d1ab3c6833fed03774a52e9fa2dc10113b45ed8d0b94b6453295
SHA5122974545e736026af6f3fb49650010e33dbe2080dfe10e1b98db877d4be170178296d10a4098c7df0bcfc9d45a9647e8995ae904f17a9e03bb48da62984a8b617
-
Filesize
169KB
MD597487af3dab8ddcc9cca70f7943bb3e1
SHA103dd433690974d87c5166f2fd0da3239ecd8d702
SHA256e69c52669b250dc781531f1a1d0103a21f7808aa126ac8b25cf8b3f2ca286344
SHA5129e0e3182c7d58e4392c8984ab8fdf2a6c98da8eba9a8cf67f96641b3164ac6a81762471b55e7d3b06ffca68537de3ab1cea6016ab1869d6dd4b61e705e5afe2f
-
Filesize
644KB
MD570a8a59fb21d67c3c8c4264ad04d4006
SHA17141f57c6409c8ed0b84959a43cc97dded9bfcc5
SHA25610d8d9701bc15ade781ef4b9d6ccef78d6b035ad368eaf828e23a00c36e163c5
SHA512083cce6721c74893f4009c59737d143b41282530dd6ca7e4d3342c60accfa4a2a6203906ce66deb3472d393ad7a7cc8c3289619907e2a0bc54a5b1779e2c763e
-
Filesize
243KB
MD543419e116e7ceee647e05fe3a3657581
SHA1e3b1ffb314d74eaf49a580a35451d752eafedfa0
SHA256d89b4fbefff6289b9e85b9ab4b1aeba18e12b57f30fbfd24083df3c945a1c19f
SHA512e3c2664d55007a8897330a900d91ad76ce548daee5650ec4ac9c117548641dee67ffca118f01f98407ba46ec5c1b18252d4bfa60cec9633e3196527497f0e49b
-
Filesize
426KB
MD52043a31b4d6015a018a8251361cfcc41
SHA15dba2bccddfe5b91adf8931721c722c5a2bd67bc
SHA256906ee431c2285499799fdc22572e090dcf41eb20d1dd679603b9862b447c4b9f
SHA5126a87152585670c82a5a454ee16ae2898863a29417b845debc0b126733a1167e63f5350149df287d3e3ea770f2666dd0fd32e1ee821cc94245799509a9cbed5ff
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
680KB
-
Filesize
680KB
-
Filesize
1024KB
-
Filesize
96KB
-
Filesize
192KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
680KB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
184KB
-
Filesize
24KB