Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 19:13

General

  • Target

    0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe

  • Size

    479KB

  • MD5

    f74148aac14e9d00ca9f46e58a9ce263

  • SHA1

    3f389468cb29ff54c4db06566d521660a6c391e5

  • SHA256

    0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e

  • SHA512

    aa75a2476bf5f04bc220c1e3a8be7d2e4c5cf394e1d9bcdb3b56c1aa521870596e2a7f8748f3ce450987f0d7ebb76ee3949a25fa179bb62dffc289166329806b

  • SSDEEP

    12288:YMrLy90vL5eHFaz5c1u31/T23MpraIX+mM9LydYUVBxD:TyoLMadXZTTr55RdnTR

Malware Config

Extracted

Family

redline

Botnet

morty

C2

217.196.96.101:4132

Attributes
  • auth_value

    fe1a24c211cc8e5bf9ff11c737ce0e97

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe
    "C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3892
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1476

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

          Filesize

          307KB

          MD5

          e1ea8227deff3d431e9af22c642a6011

          SHA1

          2f4b73de7db5c8c6b8a9047a6f2da48fec68ad16

          SHA256

          8dd76c6b2f719886552f75cd22912274c14b05766bea8b4ee61f8470f1f4cb7b

          SHA512

          61c84424f5a270bc2534f07f06d8089ed58dfce8fd84c549c0e6a19be2253cf60df3d14563f508e0a3063fe7924cac3874ac92901b7bcfc37be4d0ed0d228cbc

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

          Filesize

          178KB

          MD5

          45cf0dc03b5352571138c8c2698c8cfe

          SHA1

          601d40add54ce3a816e6d1de99b33ff00c723423

          SHA256

          c24b33cd7d5c257b50a4a3ec5e75d18abcc2a2d04c6229b9968b22f9c44b6986

          SHA512

          36b056d0568a96b31b38f45b94447da7ecc7db5efac83ef384e27617ce8fd9a445a4cb26744a1d585aa270bf5612a4a748e7a5748c1094dd84cc9c97d0c2cdf3

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

          Filesize

          168KB

          MD5

          4136481881f343d02ffbef27ca9ec717

          SHA1

          7fad11267c6e3fc8d869df68a396c925f73ad276

          SHA256

          93565fe60bbd30ca86d91be39af3eef493da40d0de5462719c8ff1349d906017

          SHA512

          88a6e3752c1d552c3465a5331a3f98a0dcbd5524004183fcfe85ce8e6b155bd1ac255beca68835ad2b2e09a4087c9bf84c562596c68fe23945a0dcb136d4cde9
