Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:42

General

  • Target

    7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe

  • Size

    1.5MB

  • MD5

    bd260c8c626a99a2c0ab801f91b3662a

  • SHA1

    476f40965d4e97f2b2321c610b0fc640d3bdf720

  • SHA256

    7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93

  • SHA512

    ae88a84ff44ad6d74972d64881d7e08d1541797e342e264f3740407f6b64f92d6cb08f5a93b0ba689ecbc587b2d3d8570671bc2e98252c633bcf5f77cb223460

  • SSDEEP

    24576:Yy7ZiSY12xT7TXKXdYi2ExSSd1RatOeJOeHli4/:fcSY12xT7LVJSdzun7D

Malware Config

Extracted

Family

redline

Botnet

maza

C2

185.161.248.73:4164

Attributes
  • auth_value

    474d54c1c2f5291290c53f8378acd684

Signatures

  • Detects Healer, an antivirus disabler dropper 17 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe
    "C:\Users\Admin\AppData\Local\Temp\7f2796548e2fe87fa8eba42cb1ac110e33e5c4344e0504592b0a5227397d4f93.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4060
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3492
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1428
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1080
                7⤵
                • Program crash
                PID:2412
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4672
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
    1⤵
      PID:1908

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98174832.exe

      Filesize

      1.3MB

      MD5

      3c98863833f7aff1acd4bff0efb307f1

      SHA1

      656a7cb936d6259d34a213726cdf8b5b523bfe97

      SHA256

      341acf51528ad025d37942ca95d59951251a1a0be2481bc67c77890900489e48

      SHA512

      872ad99d20d10c184f1e1349e573541cb4eb9d8dc4ed06130b068e989806a232be5c64a58acda968ba000bce45b1f6bd5c8de747df95719cf2aa5a5978fdece7

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i87601930.exe

      Filesize

      1.1MB

      MD5

      b402b9b957eedae731e6788176d04a6c

      SHA1

      0d73034cd207695202a31b04ec78a44bac91a564

      SHA256

      a72d9c94332ccb234e04b2709f59c59dcbb5c1010d5fc735318a86ebe2144b3e

      SHA512

      fd65a56c29021dcb67752d4c797b593c94b228d99879738544772a78d24f9ded0480a5ee8271e93fd08ac804c5700f5aa1afb6e4b4c43f6cde07cc4835fb9cae

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35293944.exe

      Filesize

      683KB

      MD5

      72723222ddbf76f6e4bb67b780697991

      SHA1

      223647d8a4af3e509ed6f0868daf728c952abbf8

      SHA256

      f296f95567a42a829b71590870e72de0ce023f4f7b9d7c76a1470345072c3d73

      SHA512

      0694ce1467b1f1f6c974a2d0541096752a62202fe63e30e8799fd048244ec2da24ee8cf1e9ddfb794846b3316a25ddf64cb5b2ed8a4ed8cd435287f75e8647d2

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i78992619.exe

      Filesize

      405KB

      MD5

      4ceaababa053a38b19ad1df4dd401db0

      SHA1

      e4e119fa4cb9d5debd5bb7cc3c00d9daf5bc0897

      SHA256

      855751103c09f7a38813db03fa1ede42a70b864994072f48e07e423ff87263b7

      SHA512

      8b0f0b433fa010feb4ac5b3a8c625801b1055ff9cd8e1c3c3557d71696a2c1178ef8831711548e34d0ca316b4fd5e7a5e6a55871235410ad24bcce349795b60a

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a35099503.exe

      Filesize

      344KB

      MD5

      b497921f7dcb828b7b38daa1eaf7158d

      SHA1

      cce97fdc1d8a77a52ef5cb29597eb83863c2f4a6

      SHA256

      30c09deb736f1c9accdad3875587ab5654850929f90839f84aa47480968f6ecb

      SHA512

      75c6a8fc7f04c161eab6779520a0bfc9fcd789bcc78e6a9d3f6bc991407793bab00964864bfaaa5f31007d0a13fe0dd011339122c7694914cf9b1da5dfdf05a1

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39310875.exe

      Filesize

      168KB

      MD5

      c53ccc3e6ee89031dcb6760cdd081ad4

      SHA1

      c8ea70aa2d2043a2077e4cbaa593581c8b39e9aa

      SHA256

      886adce7dcfc2e7fca15ac78afa9947db515cf7c36c7e997fdefb9d5fb5be1fc

      SHA512

      2f24d77e2fb522e9a8b537d560987140d64460e2eb909ccb18a599076633a7796d8fc195435d9910007a452fb7dcab3f1315d20b11c940363e9891aad3134548

    • memory/1428-53-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-46-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-39-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-66-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-65-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-62-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-60-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-58-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-56-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-55-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-37-0x00000000052E0000-0x0000000005884000-memory.dmp

      Filesize

      5.6MB

    • memory/1428-50-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-48-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-38-0x0000000002CD0000-0x0000000002CE8000-memory.dmp

      Filesize

      96KB

    • memory/1428-44-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-42-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-40-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

      Filesize

      72KB

    • memory/1428-67-0x0000000000400000-0x0000000000A67000-memory.dmp

      Filesize

      6.4MB

    • memory/1428-69-0x0000000000400000-0x0000000000A67000-memory.dmp

      Filesize

      6.4MB

    • memory/1428-36-0x0000000002850000-0x000000000286A000-memory.dmp

      Filesize

      104KB

    • memory/4672-73-0x0000000000D60000-0x0000000000D8E000-memory.dmp

      Filesize

      184KB

    • memory/4672-74-0x0000000005580000-0x0000000005586000-memory.dmp

      Filesize

      24KB

    • memory/4672-75-0x000000000B190000-0x000000000B7A8000-memory.dmp

      Filesize

      6.1MB

    • memory/4672-76-0x000000000AD10000-0x000000000AE1A000-memory.dmp

      Filesize

      1.0MB

    • memory/4672-77-0x000000000AC40000-0x000000000AC52000-memory.dmp

      Filesize

      72KB

    • memory/4672-78-0x000000000ACA0000-0x000000000ACDC000-memory.dmp

      Filesize

      240KB

    • memory/4672-79-0x0000000004F70000-0x0000000004FBC000-memory.dmp

      Filesize

      304KB