Analysis
-
max time kernel
142s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 01:06
General
-
Target
6d855887889e35ca86b799ba80988cb84e13876cbf04aad9a7f90d60cb9cd3d5.exe
-
Size
647KB
-
MD5
8ee00d298cfb42f24bb1c5f1356a2407
-
SHA1
51d5d729606371c8373859e354ae6efd6a44afbc
-
SHA256
6d855887889e35ca86b799ba80988cb84e13876cbf04aad9a7f90d60cb9cd3d5
-
SHA512
e881fb58b305d18c90ee2dc724f1e6aa405b8e6345f5daa135a14be342a1b6ca1e40614292806f5cb80f6662db851e18c4e51a3d2acbfbeafcf81905086e087e
-
SSDEEP
12288:hMrQy908MVtGPlLWbEGBOozcnEcL2zSwI++jiOOtwq0mo:Vyxq0gYlqlmPGt1w
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d855887889e35ca86b799ba80988cb84e13876cbf04aad9a7f90d60cb9cd3d5.exe"C:\Users\Admin\AppData\Local\Temp\6d855887889e35ca86b799ba80988cb84e13876cbf04aad9a7f90d60cb9cd3d5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice0927.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice0927.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0383xI.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0383xI.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c70gq54.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c70gq54.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 10884⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMoYz11.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dMoYz11.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1076 -ip 10761⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
305KB
MD56d8433b885bdccea71f1712c75c0de8c
SHA1957a15fa40c7787fe4829fb12bc3f0793577d4d5
SHA2568a02b9f03d26c260ba97dab334f2ccedd911b0e789b57938c6aa6e7e6d5f21b0
SHA512d0db58aebc89db9169d7529a5f89a2a7c209166bb5f4cfae8ece7cd041653e5272dd852dffa9797dad127829a27db785492e1aa3b87221dea85826f89bc62f36
-
Filesize
324KB
MD53394d076c09359c81b4ce4eb7b9b5357
SHA1852c1488cfb492faddd327c748ccddb3daa2ad44
SHA25637a65701220122327df200040d07a4de4210d6e2288aef68bd863f969bc58caa
SHA5122a27994279b409d6f5e8fa660d0e66cf8fdc57a6fd27f60daa4517bdcd442535ab23ff86e3dd0985594548379c6560bdbf2284f316007ed8d8eac296e3485fb2
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
247KB
MD585842a03077894655565a1fd86d8c7ea
SHA1f2aa1dd755030763129fa71ce8b1e75659cfe801
SHA256d6763faa8824f1108fbd82a7babbe55293d7ae02cd88c1c755ecfe75ae293572
SHA512689de477fafe12d28f58830838d0c26988b666bc5597e97b13fe6bb25b319b7d76d7378239dde899309949772290c36848bd1b97063b53e9a891f5c6e71b02dd
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
756KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
756KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB