Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 03:00
General
-
Target
6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe
-
Size
1.5MB
-
MD5
c0136c6d16ec065beae0650612a6ebf7
-
SHA1
70d6ed2f524277291def026ed770d87c1c73c6bc
-
SHA256
6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f
-
SHA512
5a1c9f13aa78193a8f0ed9e9d4587fe9ac56346d8de47970bd9e363e2fb751de2da773c6fedc955915ae70033a69064ac9f6021d06c22baa8148dada91aeb05b
-
SSDEEP
24576:+yK+CVKAEto0QRmP54cY8U7hDxOSKYsm2sMju98KKJwf6cfz0wP17rCMQsIi:NptZQRmP54cY8UzLlrKcB6FcPhr9QT
Malware Config
Extracted
redline
mazda
217.196.96.56:4138
-
auth_value
3d2870537d84a4c6d7aeecd002871c51
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe"C:\Users\Admin\AppData\Local\Temp\6db60f0f1bb2d6cedd142f5c3defd1c971f1c013178c26d36e2db702e551879f.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2911199.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4999647.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1729603.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2499822.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4373057.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 10847⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2589349.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3096 -ip 30961⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5ba79cbea9effe6dc0ee1f36fd5bec90f
SHA1665bc0d8ff821dd8882af4029f7538eba1608e24
SHA2568a56de00e4523b5ae1f7061c1b46d460d7d086fb8bc5e69e77b975b190350a65
SHA512e839ffb1bf473e0d1d6d17d72e5fdc4f1bfe9d221d505830745b7c006a225860f8bd0b6e8fd83dcf8c1a0477536380ed63066819ad05f568108fa81800537281
-
Filesize
912KB
MD590ceb6739a3159d30167a978b04a9a86
SHA1d5258e4e66ac3987ed911eca9623308f3596f3d1
SHA2566ed3aef7cc439dd9e5459256166a5f09a26482691e432bd0b0331b20e408782b
SHA512994a9053532b85b9805c82aebf1302c5d165affb405947be0697355ac458dab35a3f4e692c0838ec02db8a7c2cbf00e4a79dcc5cc16609f74104a0399d273022
-
Filesize
707KB
MD5d24c8e45e3e1f65a7d074951239966a6
SHA1611e4fd1a9e9a426ed2e1ae5c0eca444d3bc2717
SHA2565f6c12f27cd904d3da2e648f30e42ff49fb9ffcfb70068a7cf6b4a19b9508baf
SHA51261430556a034879f16e245274910b6f53c9c2b03b771ffcf001ce2dc59dfb9b6405a3fefe46d64c7eb99d71649a6722de133f30ed652b2ed971ed531b10711bc
-
Filesize
415KB
MD5a2e62b85ad312ced58cee9477867f307
SHA1f1b3a2c94c0c06ca81bbd91f192dc112a3b16843
SHA25659361d376b15092ef2d367801bd0b918500d9e99aea69038ac8613f92dc9077c
SHA5124b14ffcda58bbd6d9666d3d291ddf3f42e5cf506537a030071846bd4d0c14dcc85af6a3d6ede4c0ebba806c922071fe4a25b07198d28419c64df7939d3ca1778
-
Filesize
361KB
MD55b18e7864656a3f338e822f80f1a22a1
SHA1e291cd21442236df2b1bfa05c8a405f2c2dcd854
SHA25651fe6fc09d8c6995953689fa21307777c17f47cbab07f115ab7d640330d4b875
SHA5129cff407e452efeba01b8fdb573498eec989434df7ea33d3150b6feaee2e2238e335f648013ad1d21db67b3e3ad7aad98d028c34a24aaab61435590e8cb2811e8
-
Filesize
168KB
MD549e7c55d8a831b3e5b44d7415fbc1ae5
SHA1db91597221746d8e2d6331e6b68efacb05589786
SHA2563efacae0672f2d6f33539b3c82bfd8653802bf12f69dcf25a66abda091bb003b
SHA5123d9349978fa9d13bcbe85bbee6e56132280c4b8e71caf9482255d39f8742a6ac4065205be502b26bb22c6993fef69bee2512924e415d7c6673cab85d127d239f
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
104KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB