Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 18:56
General
-
Target
1a778b913cc3a85e3b58f77316c38213317291ae002656fedd70edcf8faf7bc8.exe
-
Size
1.0MB
-
MD5
690c15b2896fd3c2b6c653ade62b9532
-
SHA1
e08fa68fc858069a846945122f35985ea339730a
-
SHA256
1a778b913cc3a85e3b58f77316c38213317291ae002656fedd70edcf8faf7bc8
-
SHA512
0e1ac6f1c0f74ff852939ded23b25e845734f60b5abf575975f76f8f3f2ed2ed823dda3d0ebe8b3b7df462d08a7275a38a8570a8b80f7aa0384e4fc4e67fe1dc
-
SSDEEP
24576:KyZRSUI0gEN1blvdnP/XlODDtIuBNirmLVsfSk0N3cNK5o5:RZn1bthXoDGUQrR1A30
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
droz
77.91.124.145:4125
-
auth_value
d099adf6dbf6ccb8e16967104280634a
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a778b913cc3a85e3b58f77316c38213317291ae002656fedd70edcf8faf7bc8.exe"C:\Users\Admin\AppData\Local\Temp\1a778b913cc3a85e3b58f77316c38213317291ae002656fedd70edcf8faf7bc8.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un898363.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un898363.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un525740.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un525740.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr312732.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr312732.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 10965⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu622215.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu622215.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 13845⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk242074.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk242074.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1428 -ip 14281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3560 -ip 35601⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
801KB
MD5e6d2a7e9df7d03ca332b1dcac08b7f4c
SHA15e8d4cba86246e42f6c9ea8402bf028c22564eb8
SHA2567f1b97d0a978ae3290cd32982120c42269133d99cd8c90c6d1c3ce090718f663
SHA51275ddc51c8f80ebe17dc9663557a8c0d97d9ca122a4bb79e2976b86cbf4a3a2c2335ac2f95b891a6f2c9478ea40c67db0e53ff3dc260ce42e95c2a4e54ef7584f
-
Filesize
168KB
MD58bbbe970f50cc1fb35d8808f84b020ec
SHA1a1913f58718e02987c80e62151f3a2a96ac7cd8e
SHA25660c0a1f4f409dd2387ea3eb18dd51a81be191b426629c1899430581811189a76
SHA51258aff6a49398cf6150f6b89eb4a8a2ad554623b816fdc697b3a1dcb80177889e3b111869b4b96860e4162e813d0b91254405005a1f7a85babddaec8bf2b3823a
-
Filesize
647KB
MD5112f7a2942823ad9008089252eccd36c
SHA17fc5be6d69f9dbbefcaa0e870b72a09379ef7378
SHA256bd6a664ac60ab1027ba1c3d2f9016edc2bb34641a22969a331d669f443eb0c2a
SHA512e9a39356edd68611d1e1d411b6e1e6c253c670fdda0c22d3b6cd99d70c21abb1865fcb4331cdba2f7938df285277c94281fc34dbb193aa55bf721f3fd3e01a77
-
Filesize
243KB
MD526f5b21f8d2ab2b9a14b349a777a0772
SHA1c905e7d7f1a6872338f297560a37e32c76594548
SHA256a04a270aa991ccdb118713d8348b1608acd561ad9ab7a2adc41d13712ec121fd
SHA512e638c54ed2217722bdf85335c6263b2bbbf19a7daa5296ba7cd25e62608c1c44195e508217dbfe0e5a1a6fd93401b2ccd70f77679f6ee2ba9dd722c739cec392
-
Filesize
426KB
MD5aea45d96aaf1c9da7a01b0b9941af5fa
SHA17a730f711337d29741676962d252801dd0ae07f9
SHA256e55a1d388b5a61c4b3b3db1199e5097bbcae1c3c7560828b1fdc21a907c25ba3
SHA512afe829304333b5d0e6f4b3b0610d59c25f28c39f5101fbc900d8fb228daddd3931c725788f4f6c7a17e3a64767f556b32a68d0285afc6f7b9baa32949c0b1564
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
192KB
-
Filesize
180KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
192KB
-
Filesize
680KB
-
Filesize
680KB
-
Filesize
104KB
-
Filesize
192KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
192KB
-
Filesize
184KB
-
Filesize
24KB