Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 01:24 UTC

General

  • Target

    e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe

  • Size

    1.2MB

  • MD5

    1aa19e1709f5bf79aae55375110077b4

  • SHA1

    51d01e2308e868be50bd3af35bd8262f3636a442

  • SHA256

    e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f

  • SHA512

    dc2f69e88cfd42332fa2cd9a8e8d9ce06010d7b9da356b43dbfcb9f616cb23534d6534c7b715c3dab4b0ead4198e987d1cd205de90da7af19ee76ccaa502df51

  • SSDEEP

    24576:+pQsfGjoufGJCgl9KDJU4x3FZHlc0nQAI7Hu7ecHHMnnxPiH7S:+h+0ufGQgl9ybfH2qQ1LqHohiH

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Detects Healer, an antivirus disabler dropper 19 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 19 IoCs
  • Redline family
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a10a7c507ee5bcad1209baa92c9334c35ea5bdb16a74a1e763bb939e9ccb2f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2271.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2271.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5947.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5947.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4046.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4046.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4596
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1204.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1204.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con9625.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con9625.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1052
              6⤵
              • Program crash
              PID:5088
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIP10s14.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIP10s14.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1984 -ip 1984
    1⤵
      PID:4120
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:1036

Network

    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      136.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      136.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • 193.233.20.28:4125
      dIP10s14.exe
      260 B
      5
    • 193.233.20.28:4125
      dIP10s14.exe
      260 B
      5
    • 193.233.20.28:4125
      dIP10s14.exe
      260 B
      5
    • 193.233.20.28:4125
      dIP10s14.exe
      260 B
      5
    • 193.233.20.28:4125
      dIP10s14.exe
      260 B
      5
    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      136.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      136.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2271.exe

      Filesize

      844KB

      MD5

      564cc43b86db34b742137662602ab3ab

      SHA1

      577bcbad1511c992a322274291bb1fb7385cd459

      SHA256

      ea98be9679e2163bd02d22bc4f8d7f9ad8f038dd7b18d6cd4b0eccf0e58ab392

      SHA512

      b9448c7668c71490b6fb7afe9c24953a5e3fc7dcd9fbb4b3a67d0227622a18e77edec3b82aad0facbaff868beafcab3d420c8a5b171ab011f3c25fa41d9005c4

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5947.exe

      Filesize

      702KB

      MD5

      c6c7fba7e091b12acd8bd5889e7b87ca

      SHA1

      3308e2cd8e003f4fe878fe776aaf69c8a1bc6cd0

      SHA256

      1cc5332927d935d02c498b5c946c7bbcfc5143df1b1b40d8f71d28905f795ac1

      SHA512

      2133c986c3c6957df75446a91c5c9237936b3c418c4de2a8c4f16dfe900215d01c0a074e095212b86ff3bfcdea5a98b5ad608bb412222941f55edcff47408a17

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIP10s14.exe

      Filesize

      395KB

      MD5

      add94bdb084cb990c783fe9308cf96be

      SHA1

      92ea51381a2708f9622cd3f1b1faa82a04a42ba4

      SHA256

      5d42d00a9a37c12a5bfd971ea2b992d60afe6516db0dbeaf42eebbba2a6dd50a

      SHA512

      fefe9ee7c18cf7f13a5f11458c87728a6ddea2f176429bf3d0777b71f992c31c15822c84216d5bf88f194eedf9026928f0dbf102cf5f56c167ac05c6726aee6d

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4046.exe

      Filesize

      348KB

      MD5

      402ef217873c38e5e38493c29e50e18d

      SHA1

      ab52486519a30e1ef6dab13f17b1dfb32c2086be

      SHA256

      9e894d8e8112da10fc0b5938b160c1d53de15300d6666b5738db5a180f87cd78

      SHA512

      931d7e06aa0080c7ca4546750265b9552857ee69133f2d8ab996cb940b9a5e81f2600f20710721dd6f5d483df3fbeacb4849981a71809c5544e31281f68abf5a

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1204.exe

      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con9625.exe

      Filesize

      337KB

      MD5

      35a176e6918ad78a3991b165e430d3c3

      SHA1

      71478f6ec1baa3d8a29c97520953b2c12c0192ab

      SHA256

      8be527cc2dfd61ba40c49f16054efe1932c6f18cb56a948feb381b963e7401d9

      SHA512

      19bde67ab088d999322ce06c4d3120ed22fbada9a352e988e77e6d98fa9eaafeffa5c65dd149e73e86743bd5a3ac30f9c2fbcac46a9d5c95e88c91e3aeb1ac44
