Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/11/2024, 05:07

General

  • Target

    5ae2774ab66df706ccbba3ac0576751d4453fc3386795cde8ae058dbeceae112.exe

  • Size

    694KB

  • MD5

    5986aa74cdd3d29d866c40eb0d3d799b

  • SHA1

    ba1cd2d5e0a2c0646150e21a9b250ac324938d54

  • SHA256

    5ae2774ab66df706ccbba3ac0576751d4453fc3386795cde8ae058dbeceae112

  • SHA512

    60b70c664a27ed090b283ef35993173d3b6b4729af6ec8ad1776116a29ff57b1491dda6abc12c07776ee1b79f7391cacf1a536e10194c9517f55dc81478134a5

  • SSDEEP

    12288:/MrRy905soyPcZh0a9usV/cC49/zGgHzRNCHBKSIqkRgBVa8:my1oYcX0a9us9cC4p19P2o8

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Detects Healer, an antivirus disabler dropper 19 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 20 IoCs
  • Redline family
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ae2774ab66df706ccbba3ac0576751d4453fc3386795cde8ae058dbeceae112.exe
    "C:\Users\Admin\AppData\Local\Temp\5ae2774ab66df706ccbba3ac0576751d4453fc3386795cde8ae058dbeceae112.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1514.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2544EW.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2544EW.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c53HS62.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c53HS62.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3244
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1080
          4⤵
          • Program crash
          PID:4616
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diFqK08.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diFqK08.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3244 -ip 3244
    1⤵
      PID:1416
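The behaviours in the Signatures list and the process tree above map directly onto host-side triage rules. The following is an added example, not part of the sandbox report or of any tool it names: it runs a handful of rules over Sysmon-style event records (process creation, registry value set, network connect). The event records are constructed to mirror this report's process tree, config and signatures; the Defender value names are the standard real-time protection policy values and are an assumption, since the report does not list which values the sample touched; the Run value name and the pid that opened the C2 connection are likewise assumptions.

```python
"""Triage rules over Sysmon-style events for the behaviours this report flags.

Added example, not part of the sandbox report. Event records below are
constructed to mirror the page's process tree, config and signatures.
"""
import re

# From the report's Malware Config block.
C2_HOST, C2_PORT = "193.233.20.28", 4125

# Standard Windows Defender real-time protection policy values. Assumption:
# these are what the "Modifies Windows Defender Real-time Protection settings"
# signature observed; the report does not name the values.
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# Matches both the Policies path and the non-policy path of the key.
DEFENDER_RTP_KEY = re.compile(r"\\Windows Defender\\Real-Time Protection\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# IExpress self-extracting packages unpack their stages into %TEMP%\IXPnnn.TMP.
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)


def ancestry(pid, parent_of, image_of):
    """File names from pid up to the first process we have no record for."""
    chain = []
    while pid in image_of:
        chain.append(image_of[pid].rsplit("\\", 1)[-1])
        pid = parent_of[pid]
    return " <- ".join(chain)


def run_rules(events):
    """Return (rule, pid, detail) hits for a list of event dicts, in order."""
    hits, parent_of, image_of = [], {}, {}
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "ProcessCreate":
            parent_of[pid], image_of[pid] = ev["ppid"], ev["image"]
            if IXP_DIR.search(ev["image"]):
                hits.append(("iexpress_stage_exec", pid, ancestry(pid, parent_of, image_of)))
        elif kind == "RegistryValueSet":
            target, data = ev["target"], ev["data"]
            name = target.rsplit("\\", 1)[-1]
            if DEFENDER_RTP_KEY.search(target) and name in DEFENDER_RTP_VALUES and "0x00000001" in data:
                hits.append(("defender_rtp_disabled", pid, name))
            elif RUN_KEY.search(target):
                hits.append(("run_key_persistence", pid, f"{name} = {data}"))
        elif kind == "NetworkConnect":
            if ev["dst_ip"] == C2_HOST and ev["dst_port"] == C2_PORT:
                hits.append(("redline_c2_connect", pid, f"{C2_HOST}:{C2_PORT}"))
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events mirroring the report's process tree (pids and paths from
# the page); the Run value name and the pid making the C2 connection are assumed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4756, "ppid": 1000,
     "image": TEMP + r"\5ae2774ab66df706ccbba3ac0576751d4453fc3386795cde8ae058dbeceae112.exe"},
    {"type": "ProcessCreate", "pid": 4776, "ppid": 4756, "image": TEMP + r"\IXP000.TMP\nice1514.exe"},
    {"type": "ProcessCreate", "pid": 4288, "ppid": 4776, "image": TEMP + r"\IXP001.TMP\b2544EW.exe"},
    {"type": "RegistryValueSet", "pid": 4288, "data": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "ProcessCreate", "pid": 3244, "ppid": 4776, "image": TEMP + r"\IXP001.TMP\c53HS62.exe"},
    {"type": "RegistryValueSet", "pid": 4776, "data": TEMP + r"\IXP000.TMP\nice1514.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nice1514"},
    {"type": "ProcessCreate", "pid": 2700, "ppid": 4756, "image": TEMP + r"\IXP000.TMP\diFqK08.exe"},
    {"type": "NetworkConnect", "pid": 2700, "dst_ip": "193.233.20.28", "dst_port": 4125},
    # Control: an unrelated HTTPS connection must not match the C2 rule.
    {"type": "NetworkConnect", "pid": 2700, "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, pid, detail in run_rules(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The IXPnnn.TMP rule reports the full ancestry of each stage, which is what makes the two-level unpack (IXP000.TMP launching stages in IXP001.TMP) stand out from a single self-extractor run. The Run-key rule deliberately matches only `...\CurrentVersion\Run\`, so RunOnce writes are not reported by it; extend the pattern if that is wanted.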

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diFqK08.exe

            Filesize

            343KB

            MD5

            825b787568759d65c73493f2cc955eec

            SHA1

            61467da0595e87a401021e45db644cd718e2447e

            SHA256

            5142942b22146c751a51d23fde62f4a921c4ce7ca594b6e519bf39b51f6dc5fd

            SHA512

            6c09433b7b19d4b22889bfaa3db23ca954a3cf38a8fe76821df8e0d868d243de671af90ba72920dd2a4f24bcfab0bf517a2739299e0969c84816fc7d088cbd5b

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1514.exe

            Filesize

            347KB

            MD5

            182ba3e78728f65f014930fef9d48495

            SHA1

            1280068077b1eab6eed0d18afb1abff64e3aa887

            SHA256

            028425b0462e30eb54a7c1a21f4af92787a280e7c98bcc99b6245c20f6b05c92

            SHA512

            6e490223d00ccf9ccf5fc373c652f32436de5aeb1c10c064c09a2b33b832626885edc701321bc515812c5d80284101620100ded59d52482fb9240c6898504bf4

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2544EW.exe

            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c53HS62.exe

            Filesize

            285KB

            MD5

            30868aa9559eccef357d7ffaad74219b

            SHA1

            e51d7ecfef68517073a1fff08fc154693dbc172b

            SHA256

            cab05a4803340a33e6bd85c1890e4d06c7507f47c500e4879df2ce6fc835a2e9

            SHA512

            b115854e56a1d52b41ae9f100722de80272ac53aa7f1775ea9192a6de2668c320e9336a81b49fbb85a04aade2c31d221622fbbf12098e7f98dfece857291b15d

          • memory/2700-79-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-69-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-972-0x0000000005A50000-0x0000000005A9C000-memory.dmp

            Filesize

            304KB

          • memory/2700-971-0x0000000005900000-0x000000000593C000-memory.dmp

            Filesize

            240KB

          • memory/2700-970-0x00000000058E0000-0x00000000058F2000-memory.dmp

            Filesize

            72KB

          • memory/2700-969-0x00000000057A0000-0x00000000058AA000-memory.dmp

            Filesize

            1.0MB

          • memory/2700-968-0x0000000005100000-0x0000000005718000-memory.dmp

            Filesize

            6.1MB

          • memory/2700-62-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-63-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-61-0x0000000005090000-0x00000000050D4000-memory.dmp

            Filesize

            272KB

          • memory/2700-60-0x00000000023F0000-0x0000000002436000-memory.dmp

            Filesize

            280KB

          • memory/2700-65-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-67-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-75-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-71-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-73-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-81-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-83-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-85-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-87-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-89-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-91-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-93-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-95-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/2700-77-0x0000000005090000-0x00000000050CE000-memory.dmp

            Filesize

            248KB

          • memory/3244-40-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-34-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-44-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-22-0x0000000002310000-0x000000000232A000-memory.dmp

            Filesize

            104KB

          • memory/3244-55-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

          • memory/3244-53-0x0000000000400000-0x00000000004C6000-memory.dmp

            Filesize

            792KB

          • memory/3244-26-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-28-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-52-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-30-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-23-0x0000000004B80000-0x0000000005124000-memory.dmp

            Filesize

            5.6MB

          • memory/3244-47-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-36-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-38-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-24-0x00000000025D0000-0x00000000025E8000-memory.dmp

            Filesize

            96KB

          • memory/3244-43-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-48-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-50-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-32-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/3244-25-0x00000000025D0000-0x00000000025E2000-memory.dmp

            Filesize

            72KB

          • memory/4288-15-0x0000000000B30000-0x0000000000B3A000-memory.dmp

            Filesize

            40KB

          • memory/4288-14-0x00007FFBAC0C3000-0x00007FFBAC0C5000-memory.dmp

            Filesize

            8KB

          • memory/4288-16-0x00007FFBAC0C3000-0x00007FFBAC0C5000-memory.dmp

            Filesize

            8KB