Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 21:18
General
-
Target
2224aba318609ab328dda1f4296d00e2bec1e70e535e83248250970b7abbf46c.exe
-
Size
924KB
-
MD5
dac65508688d627ef98f1183274b0675
-
SHA1
31c09c2d2db4e148cd89675dd24afec0d4361842
-
SHA256
2224aba318609ab328dda1f4296d00e2bec1e70e535e83248250970b7abbf46c
-
SHA512
e4fb8ac614231a4ae2936cdafa9f7e6a3c765aa6a9d1a55e4297a69124be2bef3f15ecf9cd75306384a6560e1b0be32d5034af5365e84a3d82049d07db7b4a6d
-
SSDEEP
12288:sMrOy90IFtlDbzJg6jK/uVI5YZPdcz9xBud2Alqr/kNhE3jIT8LAFCPbYzxbqN3o:ayPtl9gsVVaohIZ3bYCTRCJalMZ55
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Extracted
redline
droz
77.91.124.145:4125
-
auth_value
d099adf6dbf6ccb8e16967104280634a
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2224aba318609ab328dda1f4296d00e2bec1e70e535e83248250970b7abbf46c.exe"C:\Users\Admin\AppData\Local\Temp\2224aba318609ab328dda1f4296d00e2bec1e70e535e83248250970b7abbf46c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipO5264.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipO5264.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zinb3761.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zinb3761.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it047433.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it047433.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr150151.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr150151.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 15325⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294590.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp294590.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4588 -ip 45881⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
660KB
MD5ba8ecc2becef4877bf8abcf98a96c570
SHA188a3ceab848152380fcee22648961717ba2a00c9
SHA25674c95812f0733ba30c88c58000a59bcbc8f27d2200b3536ea586ca52d1a23cbf
SHA512b2b1937c1789586453845ee032357e10c5e036e438a251aa149a9333329f0619e5ec2bda3a1a603d004c7ab246387c3de5ba68ab7f379f1f40931a49031f102d
-
Filesize
169KB
MD54dcd5cda15216f2cbeb7d34e4714145a
SHA1376be95b53186349bf870a90bea2fb0f84ab2310
SHA2564851391200a5bf71eb1cbc9d0cf51a90aa3a6fc681894e7fbe96d10d62400de8
SHA512657a5fe15823de92d62a81546480ef666939768a0299de0695ad21295684bb5abf85d38c1e49fea3ae097d46bab61a59c3dd80dd45c798494f8c576720b84bb1
-
Filesize
507KB
MD5554fae1dca86730ec139439aa2527e4a
SHA13482ef4cdd963c4a95d68e3aea92d34811714f1c
SHA256903788516990891d5fe6614066a12046b633acb976b050f288df8b6997c398ef
SHA512a3ed0d5221becf064f99132492ff78832731b84c226da5f3773b49e2510cea50cbbec8f6839b79decfec781a5dd4a74f97b4ca72057893db9a233cf6004c391c
-
Filesize
15KB
MD5d870fe58b56b4c0264f0125e9a5a94ca
SHA19334471e53e903ec9a53727c36ba7fd43b637f00
SHA256701f4a43d54f6a5e66e093d7c9128881d666e00827463bd3e9b12204e3c4189c
SHA5127b2915a9c8ad4a6dd33ddc0a07608980ffd867cdc7172f759baeb0c476183b63504dfbca799c709733e803ccf4df5d9a516a74d92ce1aa0347e186181ae16110
-
Filesize
426KB
MD57224dd28564210ce6346a67364af7c02
SHA17873d2fdf29e5622e6792103374fc949e4fc28cf
SHA256a50d8f695ac8df7a7eb4285f4ebb31e78fc34838a19848dbdda9fa2e4dd5c4a7
SHA512c58080d122f466b6f6bbcd049c8269c1e08371c7d0f035a51048471574457b616f72a049b2d270513195ff6f6744551bdfe477ffe91a0b4f6ccab4d34651bdb3
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
200KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
184KB
-
Filesize
24KB