Analysis
-
max time kernel
129s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 01:26
General
-
Target
796da2d87359bb80fd6c6959739ead17618846231719d8c6f91c7915c522a245.exe
-
Size
688KB
-
MD5
ac6bd097404320142421f54d772797e9
-
SHA1
848fe3f09c8042070db590c7061532a2ea80cf44
-
SHA256
796da2d87359bb80fd6c6959739ead17618846231719d8c6f91c7915c522a245
-
SHA512
d4b35c4f6645305ce8c3f36f5acf598c392a3e75eaf394afdc8c3ae788927df02c29c70b49ad4f3a05dc3da81202adf875c237cfb39c4788d616db0aae0d7ea0
-
SSDEEP
12288:UMrFy90i9/GIIJGjs6BALlGpkHDzPujL9kgQ0KXUR04s:5yLZGdIZyH/PujRkgbKE04s
Malware Config
Extracted
redline
lint
193.233.20.28:4125
-
auth_value
0e95262fb78243c67430f3148303e5b7
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\796da2d87359bb80fd6c6959739ead17618846231719d8c6f91c7915c522a245.exe"C:\Users\Admin\AppData\Local\Temp\796da2d87359bb80fd6c6959739ead17618846231719d8c6f91c7915c522a245.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9333.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will9333.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6447.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will6447.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0889VZ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns0889VZ.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py29dN96.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py29dN96.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 10965⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs9700ke.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs9700ke.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 816 -ip 8161⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
502KB
MD5799c4b1e41904c8ef48544adf50e7f7b
SHA13e2d9d86d2db7ea2d4b01b4b5561d5958042ca3b
SHA256806079dbcc3a77b0e3b6efb047763cd1a8c8ba0421cc248224a7bbe5443c73dd
SHA5124126974da7beee5511958f1b1b594c501fda1112fb2915e2b4515f832e45a135f61b61107c631623e8c07c24d8bfd6d2797103d321efd60a2050f2c69d2187d6
-
Filesize
175KB
MD50ecc8ab62b7278cc6650517251f1543c
SHA1b4273cda193a20d48e83241275ffc34ddad412f2
SHA256b0f1238e54ac8e3534af7ecb4f834bea3223120fedb1eab80f7a1bf00fb5b97a
SHA512c79d266c82b766ca39377fd02b3bc307fce4b59f53936e97c162200de3f8b3f72f6beda2aef2ab9ecd9be669b625c6ed0aaefa157cca7ac11d78b1939f660092
-
Filesize
357KB
MD506f41b2353be19e40026a5bad7d8cd8c
SHA1914c2c1ddb0109c92a6d159258549e4f3ea2faff
SHA256f33371fa1f12975bf7804494e15be70782237e1ffb10b59a54bb3e3845a871d3
SHA512750715fa88d09b74df48f547f87b6c9c59e03153de5c2de0543560b1b85251293d7c1f47d97227335d955cabc9291cc0dbb040f62a255d947c7dd3b89aaf6a5d
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
337KB
MD54ae415bede1d28792efae3b7d8ed23a5
SHA1f71140831308cd442892eca6c8730ce19c4644ab
SHA25643c1619cb80820a4a3d8bfa1afdd5c7bb5c0c480901b462dd6536b6107373c2e
SHA5129294120dd8a748eb42d91322b7d90168754d12db66ba4f17155c7a4e1db3793ec05d48f2ae83eb81446363058bc9bdd74d8b63286e9c58c1fca244f58f548af0
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
200KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB