Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 01:22
General
-
Target
155bd36c434f7864f86b9b8f9df15508dd0382be38c84b7989a87960fb728b2b.exe
-
Size
658KB
-
MD5
f477ef093f8f0822691564ff70735aef
-
SHA1
c290ba88e8d565db11a9c8d2badf13d1c4587efc
-
SHA256
155bd36c434f7864f86b9b8f9df15508dd0382be38c84b7989a87960fb728b2b
-
SHA512
184f5d4a39fc12a049d313e321861a268798420451fd61b1eac0fef5bff20a14ad24ce4ca3b44c3837d7bec548491c54b3024b352869e1495ba6b4dbbd9d5d45
-
SSDEEP
12288:zMrIy90nvauOsvTOlV/vU7tyS8FrROLfLt8wPjPfV44czWKrO8v26GV+:Pyaau3TOn87tA0Lfh/rfG4VKQ6GV+
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Detects Healer an antivirus disabler dropper 17 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\155bd36c434f7864f86b9b8f9df15508dd0382be38c84b7989a87960fb728b2b.exe"C:\Users\Admin\AppData\Local\Temp\155bd36c434f7864f86b9b8f9df15508dd0382be38c84b7989a87960fb728b2b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un871247.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un871247.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9155.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9155.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 11004⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3101.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3101.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2692 -ip 26921⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
515KB
MD593ba59381cf3e5a1bccbe28953833886
SHA1d6ceb3b090bcf09969625e60c762773771f5b147
SHA256b88e239d203ac10627ccbb31b756b69847c332ac35cfa845cdfbfa8231a54d6a
SHA512aa502c24f1a076f5a03f49c12dc8e4bd9857641103859a643a7d5d810601bd3c4a3cae1d81fd36098cc9ce5b79c9b7a997d49cc24bb3eaa7a21a1158af9f36d2
-
Filesize
235KB
MD576663c8d3c2ead682a2415456c51ab16
SHA1b7b6283dfd9eccc2276a2bbebd2d1ba2f5d6a953
SHA256859cbf8f68d0146c1ade7d32d1cd14aed3fc09146c786e71e7977596e9498105
SHA512ea4cb032499cfc591db61e16f8baeddf164afc890d360a18472b812a6d0c4cad8f2c12ea3c184510248268690a174f1239ef1b2003e0279d34dd56cc12016734
-
Filesize
294KB
MD55f91ce9a4b28b2902c30896f389ca103
SHA15c545e310614a6944b502277a6673b945063c2d2
SHA256d38b47447ebada36d10f51d4b8ba79ea4f504612ef6e904d7bda2de1c4b0ab46
SHA512be857826770a3b506c5c12339342dd94212e7094b4ed7111308f2c36b42d368a5f374ce041b6f336afbdb2e036f2a47e0809865829555d25bafb5abf7ff007e1
-
Filesize
1024KB
-
Filesize
676KB
-
Filesize
192KB
-
Filesize
676KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
676KB
-
Filesize
192KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB